Everyone has been getting excited about the advent of the new GDPR data protection regime, and the scary sounding fines that this could impose on any business in breach.
In actual fact, for most people and businesses, landlords and agents included, not that much has changed. If you complied with the data protection principles before the GDPR, then you are 90 per cent there.
After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016, and enforcement commenced on 25 May 2018.
The EU’s General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed to harmonize data privacy laws across Europe, including the UK’s Data Protection Act 1998 as amended by the 2018 Act, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The EU rules will continue to apply in the UK even though we are leaving the EU.
In the case of the private rented sector both landlords and letting agents hold data on people, mainly tenants, and this is often shared with other organisations, so it is important that the GDPR is taken into account.
In reality though, for landlords and agents, not much has changed from before as they have always been under an obligation to protect personal data when acting as “data controllers” under the Data Protection Act 1998.
Any private landlord letting a property without an agent will need to register with the Information Commissioner’s Office (ICO) as a “Data Controller” and pay their annual fee, currently £40. Those landlords who use an agent will be relying on the agent to handle the private data around the tenancy and therefore will not need to register.
Under the GDPR, landlords and agents need to identify the correct legal basis on which they rely to collect, hold and use personal data, including information about their tenants, and to process that data in accordance with the eight data protection principles (Data Protection Act 1998) set out below.
Landlords and agents need a valid lawful basis in order to process personal data.
There are six available lawful bases for processing. The ICO says no single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and your relationship with the individual.
The Lawful Basis for Processing
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
If you have a website your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
The Data Protection Principles (Data Protection Act 1998)
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
  - at least one of the conditions in Schedule 2 is met, and
  - in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The heavy fines myth
Although the new fine figures being bandied about for the GDPR are really scary, there has always been a heavy fine regime in place under the Data Protection Act 1998, with penalties in the region of £500,000. But no fine has ever been imposed anywhere near that figure.
The ICO has no intention of hounding small and medium-sized businesses with heavy fines, and any minor breach of the rules would no doubt start off with a warning.
Nevertheless, it is very important to make sure you are complying fully with the GDPR and the main principles applying to the processing of personal data.