On 25th May this year, the General Data Protection Regulation (GDPR) comes into force. It’s being introduced EU-wide and the Government has confirmed it will remain in force, even after we leave the EU (assuming we actually do leave…)
What is GDPR?
This new legislation requires landlords and agents to process and store tenants’ personal data more rigorously and securely than at present. Importantly, you’ll need to obtain explicit consent from tenants to hold and use their personal information (email addresses, dates of birth, phone numbers, passport scans and bank details, etc.) in certain specific circumstances.
What do I need to do under the new law?
You must provide your tenants with clear information about:
- exactly what personal information (data) of theirs you hold, and why
- where and how it’s held
- who else holds it and why
…and have your tenants sign to say they agree to that.
For example, if you’re using a credit-checking agency as part of your referencing process, you’ll need to tell your prospective tenants:
- what personal information you need from them
- which agency you’re going to pass that information on to
- that it is for the purposes of checking whether they’ve ever been bankrupt or had a CCJ.
Note #1: Be aware that the tenant can withdraw their consent at any time. In this case, you’d have to destroy the information you hold and inform the credit-checking agency so that they could delete the tenant’s personal information at their end.
Note #2: By law, copies of passports must be kept for 12 months after the tenant leaves.
You’ve also got to make sure the data you hold is secure. Here are some tips:
- Store data in as few places as possible – do you really need both hard and digital copies?
- Keep hard copies and USB drives in a locked cabinet or safe
- Make sure your WiFi network and all devices are password protected
- Store digital data within a cloud-based service, as that passes the responsibility of keeping it secure to the provider. (The cloud storage must be in the EU, unless otherwise agreed by the tenant.)
What do I do if there’s a breach of security?
If the security of tenants’ personal information is compromised – e.g. someone steals hard copies or hacks into where data is stored – you’ve got to let the tenants know and report it to the Information Commissioner’s Office (ICO) within 72 hours. You can do that via their website.
If the ICO decides you’ve done something wrong but considers it a minor breach, they will probably simply issue you with an ‘undertaking to improve’. If they think you’ve committed a more serious criminal offence, they can fine you up to €20m or 4% of turnover, whichever is the higher. They’re also keen to introduce prison sentences for the most serious offences.
5 steps you should take now:
- If you use a managing agent, ask them to confirm in writing to you that they are – or will be – fully compliant with GDPR.
- If you hold any data, organise an audit to check what personal data you hold, where it came from and who you share it with. If you’ve still got ex-tenants’ information, destroy it (but keep hold of passport copies for tenants who left within the last 12 months).
- If the current consents you have from tenants don’t meet the new criteria (i.e. if they haven’t been properly informed and given their explicit consent), you’ll have to go back to them and get new consents signed.
- Appoint someone (possibly yourself) as a ‘data controller’, who’ll take responsibility for the security of tenants’ information.
- Make sure everything is properly signed, dated and filed and diarise reviews.
Image credit: JD Lasica