Are You Ready For GDPR?
As you will no doubt be aware by now, the UK Data Protection Act 1998 will be superseded by the new European General Data Protection Regulation (GDPR) which comes into force on 25th May 2018. The objective of GDPR is to give individual data subjects more control over what data is held on them by organisations and to make it easier for them to give and withdraw consent for that data to be stored. It also means that changes need to be made to the way organisations market their products and services to consumers.
Estates IT are implementing changes to the way PCHomes and Estates IT-built websites will work regarding obtaining, recording and storing your clients' consent. However, there are some actions you need to take to ensure your business will be compliant with the new regulation. It is important to note that the new regulation only applies to "Personal" data, not business to business yet.
Your first step should be to undertake a full audit of the personal data you hold. Treat this audit like a map. Follow the trail of a customer who first registers with your business. At this stage it is likely to be a name, telephone number, email address, their property requirements and budget. Once you know what data you have, you can work on cleansing it if necessary. With this information you will want to send them details of available properties that suit their requirements.
Now any one of these pieces of information on their own would likely not identify that person. But together, they make it easy for the individual to be identified. So, you now need to obtain and record their consent to market to them and store their data, as well as providing a copy of your security policy and data protection statement whilst recording which version you have provided. At this stage, the lawful basis for processing the data will be consensual.
Think about what information you take at each stage of the process. You won't need bank details for an applicant now, but you will need this information when the person becomes a tenant. What about when the individual has made an offer? Once a Let or Sale proceeds, you will most likely have to share the individual's data with third parties such as a referencing agency or solicitors. Once the applicant changes to a tenant or purchaser, you should provide a copy of your data security policy when the lawful basis for processing the data is contractual, again recording which version you have provided.
You should also note that if at any stage the personal data changes (if the subject gets married and changes their name for example) you will need to send the new data to the third parties you have shared the data with again so that they can update their records!
Your security and data protection policies and statements need to reflect at which stage the individual provides the information, how you store the data, how long you retain the data for, who you share it with and which version it is. Our advice is to write your policies, once - but very well - so that you won't need to update them again unless there are changes to the law or the way your business operates.
Remember that the purpose of GDPR is to make it just as easy for individuals to withdraw consent for their personal data to be held as it is to give it. Under GDPR, storing names and telephone numbers from 8 years ago is not permitted. And to be honest, why would you want to? Surely if someone registered with you in 2010 for a property mailshot, it's a safe bet that they have found somewhere to live by now. Delete them from your database; you don't need them, you don't want them, and it will be against the law to keep them!
If a person submits a Subject Access Request (SAR) you will have one month to comply with the request. You must provide a copy of the information free of charge. If the request is excessive you may charge a "reasonable" fee - this also applies to duplicate requests. When a person requests that you delete any data you hold on them, your compliance will depend on the lawful basis you are using for holding the data. For an applicant who received a couple of match emails, your lawful basis for storing this data would be consensual and yes, you should delete the data. A current tenant who has been paying rent for the last 5 years cannot expect their data to be deleted, and your lawful basis for storing and processing their data would be contractual fulfilment. An ex-landlord who you are taking to court would have the lawful basis for holding the data as legal work, whilst storing data for a current landlord whose details need to be added to the prescribed information has the lawful basis of legal obligation.
Your business security procedures will need to be reviewed and tightened up if necessary. Staff access to certain data should be on a "need to know" basis. Diaries and day books that contain names and numbers should not be left lying around. System account and password protocols should be reviewed. Sharing of computer accounts should be restricted. Mobile devices that contain personal client details should be password-protected, and no data should ever be copied to memory sticks or laptops that can be left on the bus!
Finally, it's worth remembering that whilst the media is making much of the highly inflated fines of up to 20 million Euros or 4% of global turnover that GDPR will carry for breaches of data, the fines will be proportional to the crime and if you do have a data breach, it won't necessarily need to be reported unless there is a risk that the rights or freedoms of an individual will be compromised.
That should be enough to keep you busy for the next few months, but if you need further information the Information Commissioner's Office website has a wealth of material to help you on your way.
Written by Jacqueline Stow
Source: Estates IT Ltd