What to communicate in your GDPR compliant privacy notice
Legal document provider Net Lawman has provided a free GDPR compliant privacy notice template for letting agents and estate agents – see below.
Despite all the recent publicity around the General Data Protection Regulation, the requirements of this new law are largely the same as existing law.
There are also more severe implications for non-compliance if your business is investigated by the Information Commissioner’s Office (the ICO) following a complaint. The GDPR gives the ICO the power to fine your business up to 4% of your turnover.
If someone does complain about your business, we think that the ICO will first look at your privacy notice. If you have shown effort to comply with the law, that should generate enough goodwill with the ICO to avoid a fine in the first instance.
A good notice should comprise a combination of statements intended to reassure and statements required by law.
The information your notice should communicate includes:
- the name of your business and the head office address. This is required so that people know who is handling their data, and also so that they know where to address requests. You might also provide a telephone number or e-mail address if these are not clearly displayed elsewhere on your website.
- the rights that data subjects have. Rather than clutter a policy with a detailed explanation of the law, we prefer to refer to a third party website that provides this information.
- types of personal information you handle. You don’t have to list every piece of information you use, but rather communicate what types of information you use for different categories of individual. The majority of personal information that your business uses is likely to relate to clients, potential clients and people searching to buy or let.
- the grounds under which you use data. There are six legal bases. You are likely to use four. You must disclose which basis you use for each type of information. You don’t have to be specific – you can say that you use data given to you in order to carry out your contract with your client under the basis of Contract. However, it can be advantageous for reassurance purposes to list some specific uses, particularly those most likely to concern clients (such as marketing).
- whether data is processed outside the EU and how it is protected. GDPR can only be enforced on businesses that exist within the EU. If data is transferred outside the EU, then it is no longer protected by the GDPR. Most estate agents and lettings agents are unlikely to transfer data beyond a local office network, let alone outside the EU. However, a possibility to consider is whether you use a cloud-based software system operated by a business outside the EU (such as in the US).
- how individuals can exercise their rights to see what information you hold, and request corrections and removal.
Included with the document are additional notes that explain your