The Data Protection Regime and the Property Industry
The new regulations
Some of the key points in the new regulations, which all property companies, will need to take into account and act upon, are as follows:
The data protection principles, have been condensed into six as opposed to eight principles. Personal data needs to be:
- Processed fairly, lawfully and in a transparent manner in relation to the data subject.
- Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing. As well as protecting against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Further details about the regulations can be seen here on the GDPR infographic.
Some activities of property companies that will be affected
These changes, are likely to have a big impact on how property companies handle and use personal data in the future. The activities which property companies undertake likely to be affected, and include:
(a) The use of personal data obtained from various sources to market property services to individuals.
(b) The use of references in relation to the establishment of tenancies.
(c) The increasing use of technology (email, texts and social media) to communicate available properties to potential buyers.
(d) The establishment and use of CCTV in properties that are being managed by property management companies.
(e) The use and handling of the personal data of employees and other staff.
What can property companies do?
All property businesses need to be looking seriously at GDPR compliance now. They can start by looking at the following:
- Put in place clear policies and well-practised procedures.
- Establish a framework for accountability and establish a culture of monitoring, reviewing and assessing your data processing procedures. Aim to minimise data processing and retention of data, and building in safeguards.
- Start training your staff to understand their obligations.
- Ensure that privacy is embedded into any new processing or product that is deployed.
- Analyse the legal basis on which you use personal data and consider what data processing you already undertake.
- Check your privacy notices and policies.
- Bear in mind the rights of data subjects and be prepared for data subjects to exercise their rights under the GDPR.
- If you are a supplier to others, consider whether you have new obligations as a processor and consider whether your contractual documentation is adequate.