Over the past year, three Directors of unconnected Resident Management Companies (RMCs) have experienced GDPR personal data breaches. Data harvesting and identity fraud are becoming more widespread and sophisticated. We need to reiterate the importance of making sure that Alexandre Boyes block and estate management clients and the Directors of Resident Management Companies understand the risks and are taking the correct steps to ensure that they are GDPR compliant. The three incidents were:
1. Hacking of a personal laptop containing the RMC company information and personal data of fellow Directors and Leaseholders.
2. A deliberate data breach attack by someone pretending to be British Telecoms, cold calling regarding their Wi-Fi.
3. A CCTV issue with the theft of personal property.
Under data protection law (DPA 2018), all businesses that collect any form of personal data, however big or small (limited companies, sole traders and partnerships), must comply with the General Data Protection Regulation (GDPR). This includes Residents’ Management Companies (RMCs) and Right to Manage Companies (RTMs).
IN SIMPLE TERMS THIS MEANS…
Personal Data – Any information that identifies an individual, such as name, address, landline, mobile number, email, IP address and bank account details. This includes the data of directors, employees, suppliers, and clients.
THINGS YOU NEED TO HAVE IN PLACE AS A MINIMUM:
1. You must be registered with the Information Commissioner’s Office (ICO). You can arrange this online via the ICO's "Data protection fee" page, or, if you are not already registered, Alexandre Boyes can administer this on your behalf for a small fee.
2. You must have undertaken a Data Audit. This can be a simple document to evidence the flow of your data, where it comes from, where it is stored and with whom it is shared.
3. You must conduct due diligence on any third parties you share data with. This is to evidence that you are only sharing information with other businesses that are GDPR compliant and the data you share is safe.
4. You must have processes and procedures in place for the following scenarios…
- A data breach or hack
- A subject access request (the right for information)
- The right to portability
- The right to erasure (the right to be forgotten)
- The right to object
- The right to rectification
- The right to restriction
- The rights relating to automated decision making
5. You must have the following policies in place:
- A Privacy Notice
- A Data Protection Policy
- A Retention policy
- A CCTV policy if applicable
6. If you have CCTV in and around your premises, you should also have signs up explaining who the data controller of the footage is and who to contact if required.
7. Depending on the nature of some of the third parties you share information with, it may also be relevant to have a Data Sharing agreement in place.
WE ARE HERE TO HELP
We have secured the services of an independent GDPR consultant, JXG Management Solutions, who have agreed to ensure our Block & Estate Management Clients are GDPR compliant for a one-off inclusive price of £150. If you prefer, Alexandre Boyes can consult with JXG Management Solutions on your behalf for an additional fee of £90.00 + VAT.
It is worth noting that should your RMC / RTM or Limited company experience a GDPR issue and not have undertaken the above points, it could be reportable to the ICO. You could be liable for a fine; fines so far this year have varied between £2k and £110k.
This is an important piece of legislation, and we urge you to comply. For further information, please contact Julianne Green directly.
Alternatively, contact your property managers at keren@alexandreboyes.co.uk, kevin@alexandre-boyes.co.uk or kirsty@alexandre-boyes.co.uk should you wish Alexandre Boyes to arrange the necessary.