Guide to GDPR

7th June 2018

1. Introduction to GDPR

In the UK and internationally, our Ministry of Justice is responsible for data sharing and data protection. The DPA (Data Protection Act) decides how organisations may hold, share, store, acquire and dispose of personal information they have.

The GDPR is a new regulation brought in by the EU which improves individual’s rights to control their data. The GDPR has values like those of the DPA but strengthens responsibilities of parties associated, including Landlords when handling data and personal information.

Balancing is required between upholding precautions and privacy for the individual and public organisations sharing data. Both the GDPR and the DPA allows data individuals to control what data is being held regarding them and a degree of control on its use.

Anyone has the right to request data held by public sector bodies on any subject through freedom of information. Unless there is a valid reason not to, the data must be provided. The FOI governs this and regulates how it is done.

Everyone also has the right to request information held by public sector organisations on any subject. Unless there is a good reason not to, the organisation must provide it. The FOI ensures this and determines how it is done.

2. Background of GDPR

Data protection is, quite simply, the system of legal control exercised over the processing of and access to personal information stored electronically. In the UK it has been mostly overseen by the Data Protection Act 1998 (DPA).

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to reinforce and unify data protection for all citizens within the European Union (EU).

The GDPR aims to give control back to individuals and residents over their personal data and to simplify the regulatory environment by unifying the regulation within the EU.

The GDPR replaces the 1995 Data Protection Directive, transposed into UK law by the DPA.

The regulation was implemented on 27 April 2016 and is enforceable from 25 May 2018 after two years of transition period and it does not require national governments to pass any enabling legislation and is directly binding and applicable.

3. Differences between DPA and GDPR

The ethics which support the GDPR are largely the same as the DPA. If you are complying with existing regulations, you are unlikely to have to made ultimate changes to your procedures.

Nevertheless, the GDPR requires organizations to validate certain procedures and pay more consideration to the policies of third-parties hired as part of their lettings business including referencing agencies, contractors and agents

For most landlords, the main visible differences will be a tightening of rules regarding the way they operate as data controllers, and a greater responsibility for the actions and policies of data processors employed on their behalf.

There is also likely to be changes to the levels of enforcement activity and sanctions applied should there be a breach of regulations.

Despite Brexit, the Government has confirmed that the GDPR will remain under UK law.

4. Your Responsibilities with Personal Data as a Landlord

As a Landlord, if you collect any personal information from your tenants, you will probably have to register yourself as a “data controller” with the ICO (Information Commissioner’s Office).

When signing up a new tenant you need to request to see their ID and any “reasonable amount” of personal information. It is ok to store copies of this information as long as you keep it locked away somewhere, such as in a filing cabinet.

If you collect and hold personal data, which can be stored as a hard-copy or on a computer electronically, this means that you are a data controller. This then means that you are responsible for how that information is processed and secured, and you must have a lawful reason for processing that data.

5. Data Controller, what is it?

Any person, either acting alone or jointly with other people who decides the processes for which any personal information to be processed, is known as a data controller.

The role of data controller is a very important one and means that they are largely responsible for making sure that an organization or business meets its duties in respect of data protection law.

If you are a private landlord, then you are responsible for making sure that all the data you hold about your tenants’ is secure and safe, and that the data you hold is only used and held for reasons for which you have a legal right to process.

Under the role of data controller, you are responsible for deciding the following:

• Just what personal data you need to collect,
• How you use the data,
• How long you need, and are allowed, to keep the data,
• Your legal basis for collecting it,
• If any third-party processors have a proper data handling process in place, and
• Whether you need to pass the information on to a data processor.

As a landlord, when you choose who you are going to do business with (agents, contractors, deposit schemes etc.) you must understand how they control your tenants’ data that you provide for them to carry out work on your behalf.

It is your responsibility as a data controller to ensure that if you have a data processor working for you, that they also comply with responsibilities under the GDPR.

As a Landlord you must always ask for any contractor’s data management privacy policy before employing them for their services. If you have any existing relationships with agents or contractors, you should discuss with them their plans to safeguard compliance on your behalf.

6. Processing data, what are the Lawful Bases?

It is every landlords’ responsibility as a data controller to safeguard that a legal basis for processing a person’s data occurs and is fully documented.

When processing someone’s data, there are six lawful bases in which you need to select the most appropriate depending on the relationship between you (the data controller) and the subject (tenant).

Whichever basis is chosen for processing the data, it needs to be documented, this needs to be made clear and concise to your tenants, ideally as part of a fair processing or privacy notice. There is no ‘right’ answer for which basis you choose or rely upon as this changes with the specific circumstances. But some are more likely to be appropriate than others.

The six lawful bases are as follows:

Consent

As expected, consent means that the person you collect data from freely gives you permission to process their data.

Consent is appropriate if you offer real choice and control over how you use and process their data and want to build their trust. But, if this isn’t the case consent is unlikely to be appropriate.

If consent is asked for as a precondition of a service, i.e. you will only grant a tenancy if consent is given, then it is unlikely to be the most appropriate lawful basis to use.

Contract

Contract is an appropriate lawful basis if you have a contract with the individual and you need to process their information to comply with your obligations as part of that contract.

It’s also lawful prior to starting a contract, but where it is essential to process data to reach an agreement – for example, when referencing a tenant.

Legal obligation

Legal obligation is relatively easy to understand, this applies where data processing is required to comply with a legal requirement.

For example, a landlord in England must process certain immigration data in order to comply with the Right to Rent Act.

Public task

Public task is limited to public authorities. Where carrying out data processing as part of their duties when exercising official authority. Again, public task is unlikely to be relevant for most tenancy matters.

Vital interest

Vital interest would apply if the processing of the individual’s data is necessary to protect the interests of the individual, for example, when providing medical assistance. This is unlikely to be relevant to most landlords.

Legitimate interest

Legitimate interest is seen as a valid lawful basis for the processing of information when it is necessary for the data controller to pursue legitimate interests. It is like having a contractual basis for data processing but may possibly cover additional activity provided it is made clear from the start.

Legitimate interest involves certain ‘tests’ being met. the ICO classifies these as:

• the ‘purpose test’ – are you pursuing a legitimate business interest?
• the ‘necessity test’ – could you carry out your business without the data?
• the ‘balancing test’ – can you balance your need with the rights and freedoms of the individual?

These tests should show that a legitimate reason for processing is satisfied, is necessary and balances the needs of both the data controller and the interest of the data subject.

The ICO advises that if you have found a reason to rely on legitimate business interest, then you should also complete the checklist below:

☐ We have checked that legitimate interests is the most appropriate basis.

☐ We understand our responsibility to protect the individual’s interests.

☐ We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.

☐ We have identified the relevant legitimate interests.

☐ We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.

☐ We have done a balancing test and are confident that the individual’s interests do not override those legitimate interests.

☐ We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.

☐ We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.

☐ If we process children’s data, we take extra care to make sure we protect their interests.

☐ We have considered safeguards to reduce the impact where possible.

☐ We have considered whether we can offer an opt out.

☐ If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.

☐ We keep our LIA under review and repeat it if circumstances change.

☐ We include information about our legitimate interests in our privacy information.

Landlords, in many cases, may have the option to rely on more than one legal base to process an individual’s data, as some data has to be collected to comply with statute, some is vital for the tenancy agreement, and they also may have a legitimate interest in processing tenant’s information which is in balance with their privacy and interests.

In the majority of cases, a landlord who is letting and managing any residential property will have a legitimate interest to process his or her tenants’ personal data.

7. Working with Data you collect

When you need to collect new personal data.

Sometimes when dealing with tenancies, it can be unavoidable that landlords will need to collect new personal data such as when dealing with new tenants, creating new tenancies or even just for updating current details. It is vital that you understand which legal basis to use and how you will collect and process their data. This validation must be explained in a clear and concise manner and must be fully documented.

When you are collecting personal data, you must provide the following information:

• Your name, company name, and name of any third-parties who may be needed to carry out relevant work for you,
• The purpose for which you need to collect their data and the legal basis,
• What it will be used for,
• How any relevant consent for it to be processed by you or any third-party processors working on your behalf, may be withdrawn

The easiest way to do this is to adopt a standard privacy policy, demonstrated by a privacy or fair processing notice.

With any existing data you hold.

The values you use in your approach to new data must also be applied to all the data you already hold on subjects.

To be compliant with the GDPR, landlords should conduct an audit all personal data they hold, with a view to determining:

• What personal data is being held,
• How accurate is it,
• Where it came from,
• When you collected it, did you determine a legal basis,
• Do you still need it; and
• How would you delete it securely?

Importantly, once you have answered the above points, it’s vital to make sure that you have an appropriate and fully documented legal basis to hold and use any personal data you have collected.

If you have established that the legal base to use is consent but do not have, or are unable to show that you have appropriate consent, then you need to obtain it from the data subject.

Once you are at this point, you need to treat the data subjects as if it was the first time dealing with them and provide them with a copy of your privacy policy, you also need to explain why you need their data, how you are going to store it and use it, and how the data subject may withdraw their consent for processing data (if it was relied upon).

8. Non-compliance sanctions and prosecution.

There are quite heavy sanctions in place for non-compliance with Data Protection under GDPR, they vary depending on the type of breach involved, but fines can reach up to €20,000,000 or 4 per cent of worldwide turnover, whichever is greater.

Most landlords are very unlikely to receive fines in the multi-millions, but a ‘proportionate’ financial sanction could be a possibility.

A more serious situation for landlords is the possibility of tenants acting against a landlord if they feel that their data has been handled incorrectly.

As well as the fines handed out by authorities, the GDPR

In addition to the administrative fines imposed by supervisory authorities, the GDPR instils citizens with added rights regarding their data. As a result, a tenant can sue their landlord for compensation if they believe that the GDPR has not been followed.

Therefore, landlords could face having to pay compensation to tenants for damages relating to a ‘data breach’ or for failing to comply with the GDPR requirements in addition to any fines imposed. The level of compensation would depend on what harm is deemed to have happened to the individual.

The GDPR requires that any data breaches are reported to the ICO (Information Commissioner’s Office). If you fail to report such a breach, then additional fines could be issued as well as any sanctions issued which are directly related to the breach.

9. The Freedom of Information Act

The Freedom of Information Act gives anyone the right to ask for all the information held on a data subject by any public body. Anyone can make a request, there are no restrictions. Unless a good reason is provided, any information requested must be provided within a month of the request. You may also ask for all personal data which is held on you, even though it can be dealt with under the GDPR or DPA, it really doesn’t make a difference to you on which act is used.

Any information can be requested but some data may be withheld to protect interests which are allowed for by either act. The public authority must explain why they are withholding information in each case.

In Scotland, they have a similar Freedom of Information Act to the one in England, Wales and Northern Ireland. If you need to request information from a public organisation in Scotland, then your request will be handled by the Scottish FOI.

Public sector bodies covered by the Act, include:

• government departments and local assemblies
• local authorities and councils
• heath trusts, hospitals and doctors’ surgeries
• schools, colleges and universities
• publicly funded museums
• the police
• lots of other non-departmental public bodies, committees and advisory bodies

In order to make a request for information, you must write to (or email) the public authority that you believe holds the information you are looking for. You need to make sure that you have included:

• your name
• an address where you can be contacted
• a description of the information that you want

You don’t need to mention the FOI, but if you wish to, there is no reason why you shouldn’t. You must try to explain what information you need in as much detail as you possibly can to help the authority find the information you are looking for.

Any public authority must hold their information in line with a publication scheme which includes describing ‘classes’ or ‘kinds’ of the information being held (such as reports or minutes). It is worth noting this when you are making a request for information. They must comply with your request promptly and within 20 days of the request, if they need more time, they must write to you explaining why they need more time and when you will get an answer.

In most cases, when you make a request for information, it’s free. You may be asked to provide a small amount to handle postage or photocopying costs

If the request for information you have made is going to cost the public authority more than £450 (or £600 for a request to central government) to obtain, then they can turn you down. They may then ask you to narrow down the amount of information you’re looking for or to be more specific.

If you request information about anything to do with the environment, the request can’t be refused by the authority because of what it would cost to obtain. This includes information about, water, landscape, soil, the air and atmosphere, energy, radiation, land, noise, waste or emissions and so on, in addition to these are any policies which affect any of these things to do with the environment.

Your right of appeal, how you receive the information you have requested and how the Information Commissioner handles your case if you are unsatisfied are all laid out for you.

10. Additional Useful Resources for GDPR

1. Data Protection Act 1998
2. Ministry of Justice Website
3. Government Website
4. Information Commisioners Office
5. GDPR Guide at ICO
6. GDPR (EU)
7. GDPR Data Audit Template Guidance
8. GDPR Data Protection Policy