This post sets out a brief guide to the Data Protection laws and how they will affect you and your property letting business if you self-manage some or all of your property portfolio.
All Landlords should register with the Information Commissioner’s Office if they receive data about their tenants to enable them to self-manage the properties. There is a modest fee to pay, currently £35 pa.
Basically, you will need to register if all of the following apply:
- you collect, record, store or delete personal information (such as names, addresses, telephone numbers and email addresses)
- the information is processed (including collected or stored) by automated means (such as a mobile phone, computer, tablet etc.)
- the processing is for the purpose of “Property management, including the selling and/or letting of property”
If your processing (collecting or storing etc.) is entirely on paper, you must still comply with the GDPR but registration won’t be necessary. Bear in mind that if you are even texting a tenant (perhaps to arrange an inspection or as a reminder about the next rent payment) or sharing a tenant’s phone number with a Contractor, you are storing information by automated means and require registration with the ICO.
The General Data Protection Regulation (GDPR) and a new (as yet to be finalised) Data Protection Act will replace the current data protection rules from 25 May 2018.
Under the GDPR, you will need to audit the information you collect and hold, decide under what lawful basis the information is being processed, document the audit, and have privacy notices available for persons to view, which will usually be provided at the time of collecting any personal information.
Under the GDPR there are several key definitions, as follows:
A ‘controller’ is the person who determines the purposes and means of processing personal data.
‘Personal data’ means any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
‘Processing’ means any operation or set of operations that is performed on personal data or on sets of personal data (whether or not by automated means), such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.
In most cases a landlord will be both the controller and the processor of data they hold.
Every Landlord should issue a privacy notice, which is how you explain, at the point of data collection, what users can expect will happen to their data.
Data Protection is a complicated subject and the new GDPR coming into effect on 25 May 2018 needs to be fully understood.
If you get it wrong then the ICO can impose a fine of €20 million or 4% of annual turnover, which will be a significant amount for any business to have to pay. It is important to note that these figures are the maximum figures. Supervisory authorities will have the scope to impose fines of a lower amount, or take a range of actions such as:
- Issue warnings
- Issue reprimands
- Order compliance with Data Subject requests
- Communicate the Personal Data breach directly to the Data Subject
The following links provide valuable further information regarding the extent of the Landlord’s Data Protection responsibilities
For Landlords who take advantage of our fully managed service for their properties, we ensure everything complies with Data Protection laws, and as a business we will fully comply with the GDPR when it comes into force in May 2018.
If you require any further advice or assistance on this or any other property matter then please contact me.