Four steps to get ready for GDPR.
Jacquie Edwards explains how the new General Data Protection Regulation (GDPR) will affect anyone who handles the personal details of third parties.
The GDPR is EU legislation that comes into force on 25 May 2018. Although the UK is leaving the EU, the UK Government has made it clear that it will carry these rules over into UK law, so they will remain in force after we leave.
While much of the commentary is aimed at larger businesses, the regulation applies to anyone who collects personal data, so there is still an impact on all small business owners, including private landlords. So let’s go over what this all means for you and your systems, what you need to do and where you can go for more information.
First, let’s talk about what personal data is, so that you know whether this applies to you (it most likely does, even if you don’t manage your own properties). Personal data is any information relating to an identified or identifiable living individual, such as:
- names
- addresses
- telephone numbers
- job titles
- date of birth
- utility bills
- bank statements
- National Insurance number
- and many, many more.
So you can see how, even if you aren’t managing your properties yourself, if you have a list of the names of the tenants from your letting agent, or a copy of their tenancy agreements, you are holding personal data on your tenants.
Of course, if you are managing your properties yourself, you will likely hold much more information as a part of your referencing of the tenants.
For those of you not managing tenants but maybe working with investors or sourcing properties, data protection also applies to you if you have lists of landlord contacts, a database of investors, etc. So, I believe that GDPR impacts pretty much everyone with a property business.
Now then, what do you need to do? Here are the four things that I think you should be looking at right now to help you ensure you are properly protecting personal data:
1. Understand what personal data you hold on people and document it. I would suggest that you record the following for each set of data:
   - what data you hold (name, address, etc.)
   - why you hold that data and what the purpose is (referencing, marketing, etc.)
   - where the data comes from (directly from the individual, a marketing list, etc.)
   - who you share the data with (a third-party referencing company, utility suppliers, the council, etc.)
   - where you are holding the data (cloud storage, how many laptops, email services, paper copies in offices, etc.)
   - what your processes are for keeping the data secure and for letting individuals access and correct the personal data you hold on them.
2. Review your current privacy notices, which tell individuals how you use their data. If you don’t currently have a privacy notice, note that one is already required under the existing UK data protection regime, not just under GDPR; the Information Commissioner’s Office (ICO) publishes guidance on what to include. GDPR adds some requirements (for example, stating your lawful basis for processing and how long you keep the data), but the best starting point is a notice that works under current legislation, which we can then improve from there.
3. Review the consent you get from individuals whose data you hold. There are many ways of doing this, and you see them every time you sign up for a mailing list or fill out a form with tick boxes at the bottom asking you to opt in or out of marketing. You should have similar processes (perhaps on a smaller scale) in your business for your tenants, investors, landlords, etc. One caveat: under GDPR, consent is only one of several lawful bases for processing, and it has to be a clear affirmative action (pre-ticked boxes and inactivity don’t count). Where you hold data because you need it to perform a tenancy agreement or to meet a legal obligation, record that basis rather than asking for a consent the individual could later withdraw.
4. Review the systems you use for storing and communicating personal data and make sure those third parties will be ready for GDPR and will handle the data you share with them properly. This includes your email service providers, any CRM systems, cloud-based storage, electronic signature software, etc. Under GDPR you need a written contract with anyone who processes personal data on your behalf; most large international providers (such as Google, Dropbox, etc.) publish GDPR-ready terms or data processing agreements, offer EU data storage locations and provide specific guidance to help you stay compliant and keep you notified of changes.
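The hardest part of step 1 is usually knowing which files on your laptops and cloud drives actually contain personal data. The script below is an added example, not part of the original article or any ICO guidance: it scans a set of documents for formats that commonly indicate personal data (email addresses, UK phone numbers, dates that may be dates of birth, and strings shaped like a UK National Insurance number, using the published HMRC prefix rules as a format check only) and reports which files contain what, which gives you the "what data" and "where it is held" columns of your inventory. The sample files and every name and number in them are constructed for the example; a pattern match only tells you something looks personal, so each hit still needs a human to confirm it and to record the purpose, source and recipients.

```python
"""Scan files for patterns that commonly indicate personal data.

Added example for the GDPR data-inventory step. It finds likely email
addresses, UK phone numbers, dates and UK National Insurance numbers and
summarises where they live. Pattern matching finds data that *looks*
personal; every hit still needs a person to confirm it.
"""
import re
from collections import defaultdict

# Constructed sample "files" standing in for documents on a landlord's laptop.
# All names, numbers and addresses are fabricated for this example.
SAMPLE_FILES = {
    "tenants/flat2-referencing.txt": (
        "Applicant: Jane Doe, DOB 14/03/1988\n"
        "Email: jane.doe@example.com, Mobile 07700 900123\n"
        "National Insurance: AB123456C\n"
    ),
    "investors/mailing-list.csv": (
        "name,email,phone\n"
        "Sam Patel,sam.patel@example.org,+44 7700 900456\n"
        "Chris Lee,chris@example.net,\n"
    ),
    "notes/boiler-service.txt": (
        "Boiler serviced 12/06/2017, invoice 0034 paid. Ref: GB123456A\n"
    ),
}

# Format-level patterns. "date" is deliberately broad: a date is only a date
# of birth in context, so it is flagged for review rather than asserted.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?|0)\d{2,4}\s?\d{3}\s?\d{3,4}(?!\d)"),
    "date": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}
NI_CANDIDATE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
# Two-letter prefixes that HMRC does not issue.
NI_INVALID_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}


def looks_like_ni_number(candidate: str) -> bool:
    """True if the string has the shape of a UK National Insurance number.

    Format check only: it cannot tell whether the number was ever issued.
    """
    s = candidate.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{6}[A-D]", s):
        return False
    # HMRC never uses D, F, I, Q, U or V in either position, nor O second.
    if s[0] in "DFIQUV" or s[1] in "DFIOQUV":
        return False
    return s[:2] not in NI_INVALID_PREFIXES


def scan_text(text: str) -> dict:
    """Count personal-data indicators in one document, by category."""
    counts = defaultdict(int)
    for category, pattern in PATTERNS.items():
        counts[category] += len(pattern.findall(text))
    for candidate in NI_CANDIDATE.findall(text):
        if looks_like_ni_number(candidate):
            counts["ni_number"] += 1
    return {k: v for k, v in counts.items() if v}


def build_inventory(files: dict) -> dict:
    """Map each file path to the categories of personal data found in it.

    Files with no hits are left out, so the result is the list of locations
    to cover in the "where are you holding the data" part of the inventory.
    """
    inventory = {}
    for path, text in files.items():
        found = scan_text(text)
        if found:
            inventory[path] = found
    return inventory


if __name__ == "__main__":
    for path, found in build_inventory(SAMPLE_FILES).items():
        summary = ", ".join(f"{k}={v}" for k, v in sorted(found.items()))
        print(f"{path}: {summary}")
```

Run against a real folder by replacing SAMPLE_FILES with the contents of the files you want to review. Note that the boiler-service note is reported only for a date and the "GB" reference is rejected by the prefix rules, which is the point: the output is a list of places to look, not a finished inventory.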
That should help get you started and ready for the GDPR. For some of you this might be a big systems review and require a major overhaul, especially if you are storing documents in hard copy at home or on personal computers.
For the most serious breaches there are fines of up to €20 million or 4 per cent of worldwide annual turnover, whichever is higher, so it should be taken seriously.