We asked Tunbridge Wells GDPR expert JXG Management Solutions what is GDPR, compliance and how this relates to lettings landlords, residential management companies.
I have heard of GDPR, but I do not know what it is?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union. GDPR came into effect across the EU on 25th May 2018.
So, this is an EU rule – now Brexit has happened surely we do not need to comply?
Unfortunately, this is not the case. The UK government agreed to GDPR principles back in April 2016. GDPR was adopted before Brexit happened and replaced the outdated Data Protection Act of 1998. This was officially brought under UK law as ‘UK GDPR’ on 31st January 2020. Brexit basically means you have to be extra careful if you send or receive personal data from abroad – this can also include the storage of data in the cloud! Data Reform was featured in the 2022 Queens Speech at the opening of parliament in May. The Government indicated some time ago that they wanted to re-write ‘UK GDPR’ with consultations for this closing in November 2021 – it will come to debate during the next parliamentary session.
So, how does it apply to Block/Residential/Estate Management?
There are very few companies out there without data – you may not have staff or customers but you do have details of residents, past and present, and the suppliers you use to help maintain your property. The long and short of it is you need to be GDPR compliant. This is all about personal data and what happens to it, how safely it is kept and making sure you have the consent to hold it in the first place. There are 7 main steps to take to ensure you are compliant.
- Undertake an Information Audit and compile an information register
- Following the audit conduct a Risk Assessment/Gap analysis and write an action plan
- Reassess your Policies & Processes framework
- Make sure you have everyone’s consent to hold their data in the first place.
- Make sure everyone involved understands GDPR and what role they play.
- On-going testing/Data Protection Officer role
- Making sure you are registered with the Information Commissioners Office (this costs £40)
This all sounds very worrying – what happens if I/we do not comply?
The Information Commissioners Office (ICO) are the governing body who implement the GDPR. The 25th of May 2018 was a hard line. Companies were expected to be compliant or at the very least be able to prove they knew what they needed to do and were working towards compliance. The ICO can conduct random audits on companies and if a complaint is made against a company or business for the misuse of data they will investigate, and fines could follow.
What does ‘being GDPR compliant’ mean to a small business owner, or a Resident Management Company?
GDPR compliance is a requirement of all companies, whatever size, or sector you might be in. Even Sole Traders need to make sure they comply. I often liken it to an insurance policy, it is one of those things that is a pain to sort out but if you have not got it in place and something goes wrong, it could be a very costly mistake! GDPR is all about accountability, evidence and processes, there is a lot of thinking “what if” much like the insurance scenario.
What about Lettings landlords – anything we need to know?
Yes, landlords tend to hold a lot of information about their tenants, past and present, especially if your receive this electronically for example references, ID checks, tenancy agreements. All of this data needs to be protected, kept in a password protected file with restricted access. Money Laundering info should only be kept for a minimum of 7 years so you need to ensure you have a strict retention policy in place to ensure you delete everything when you should. Tenancy Agreements should have a Data Protection clause in them, but this should not be the only piece of GDPR policy you have, if you are set up as a company (either Partnership, Limited or sole trader) you should also have other GDPR policies in place for your clients to view such as a Privacy Notice and Data Protection Policy.
Am I covered by an agents policies and ICO registration?
The simple answer is no. Their policies, procedures and ICO registration covers how they collect, hold, store and process personal data and does not extend to any third party.
What are the chances of being audited by the ICO?
Honestly at the moment, I would say fairly unlikely due to high volumes of Individual Rights complaints the ICO are currently dealing with. This was not helped by the Covid-19 pandemic. However, this should not be an excuse to not do anything! If the ICO receive a complaint they could well turn up on your doorstep unannounced – this does happen! The average fine the ICO is currently handing out is £70,000!! The ICO are required to consider all complaints, and like so many other industries complaints continue to rise.
We only hold a very small amount of data surely this is over-engineering things?
Data is stolen all the time and hacking is becoming so sophisticated with phishing techniques and ransomware data theft will only get worse, especially with the Russian Ukrainian conflict. The simplest way to make sure you are protected is to follow the GDPR guidelines as mentioned above (use a consultant if you do not fully understand or do not have the time). Password protect any personal data you hold about other people that is not classed as a ‘personal household activity.’ If you do hold, store and / or process information on other individuals you need to make sure you have consent to do so.
Final Word
None of this needs to take a lot of time or cost a lot of money, once it is done, you will just need to check it is still current once a year or upon any major changes to personnel and make sure everyone has copies of what they need. It is better to spend some time and money getting it right now than face a fine and legal fees later on.
All content is courtesy of Julianne Green JXG Management Solutions Ltd based in Tunbridge Wells. You can find Alexandre Boyes Privacy Policy here and read our Data Protection blog here
posted 13/5/2022