Posted by Charlotte Ebbutt, Associate
It’s not too late…
Whilst the GDPR and the new Data Protection Act are now in force, it is not too late to look at your compliance. If the Information Commissioner’s Office receives a complaint about your data procedures, or a breach occurs, you will be in a far better position if you are working towards compliance than if you had not put any measures in place.
Those in the real estate sector have particular factors to take into account. One of the first sticking points is the lawful basis on which you are processing the personal data of certain types of data subject.
Prospective purchasers are not going to sign up to your terms and conditions. Your contract is with the vendor. You will, however, be processing their data when they book a viewing and if they correspond with you regarding an offer. You will need to document a lawful basis for that processing and also provide them with a privacy notice covering the basis on which you are processing their personal data. The same is true of prospective tenants.
In most cases where you value a property for sale or rent you will not yet have a contract in place with the owners and yet you will be processing their data. You need both to document the lawful basis for that processing and to provide the owners with a privacy notice explaining what measures are in place to protect their data.
Sharing personal data with service providers
Lettings agents will deal with many small businesses that routinely provide services to rental properties: from plumbers to pest controllers. Whilst agents may have data processing agreements ready with their main suppliers, with whom they will also need to have engaged to ensure that sufficient safeguards are in place, this may not be practicable for engagement with some sole traders. In those cases you may wish to consider not passing on the personal data of the tenants to the sole traders, instead asking the tenants to get in touch with the contractor direct. In that way you are not passing on personal data without first having checked the safeguards that will be applied to it by that third party.
How long can you keep personal data for?
Retention periods are another factor to take into account. How long can you justify keeping personal data for? Where you carry out the right to rent checks, for example, the legislation requires you to keep the ID information obtained for a period of a year after the tenant has left the property. There are also tax legislation reasons for holding on to some information beyond the period for which your business requires it. Your auditors will be able to provide that information. Once you have established the basis for processing data, you need to consider how that basis will change over time.
Whilst a contract is in place, that contract will probably form your lawful basis for processing the data. After that contract is over, you may then need to retain some of that data to protect your business in the event of a claim for breach of contract. The lawful basis will then change to legitimate interest for that secondary purpose. These changes over time will need to be documented. The data will also need to be checked at each stage to determine whether all of it needs to be retained for the subsequent purpose.
Get legal advice to stay compliant
There are fixed fees available for drafting the most common documents required for compliance with the new data legislation. Meetings at which you discuss how to establish what data you have, how long you can keep it for and on what lawful basis are also invaluable in helping to move you forward towards compliance. Once your business has understood and implemented the necessary protection it will be far easier to maintain over time and a significant risk will have been addressed and minimised.
For more assistance with data legislation compliance please contact Emma Banister Dean
01865 268 370