Passing Dave the plumber a Post-it note to organise access with a tenant could now cost you up to €20 million
The compliance deadline for GDPR (25 May 2018) has been and gone, but many agents still don't quite understand the regulation or the implications of instructing third-party contractors.
The General Data Protection Regulation (GDPR) has been in force since 25 May 2018. In the UK the Information Commissioner's Office (ICO) is the supervisory authority responsible for data protection. The regulation is intended to give people greater control over their personal data, and it requires organisations and businesses to be accountable and transparent about how they process that data.
Who does it apply to?
Businesses, organisations and public bodies established in the EU, and those outside the EU that process the personal data of people in the EU.
What is Personally Identifiable Information?
Personally identifiable information is any information relating to a person who can be identified, directly or indirectly, from it; GDPR calls this 'personal data'. It includes sensitive details that can be tied back to a person. For example, the salary information of a prospective tenant held alongside their name is personal data.
Roles within GDPR
Within GDPR there are two roles that are important to understand: the 'controller' and the 'processor'.
The controller determines the purposes for which, and the manner in which, personal data is processed; in other words, the controller makes the decisions. The processor carries out the controller's instructions, is limited to the scope of those instructions, and must not process the data any further.
GDPR places specific legal obligations on the processor, and a processor is legally liable if it is responsible for a breach. Controllers must have a data processing agreement in place with each processor, stating what the processor can and cannot do with the personal data it processes on the controller's behalf.
The ICO's Guide to the General Data Protection Regulation puts it this way: a data controller "determines the purposes and means of processing personal data", and a data processor "is responsible for processing personal data on behalf of a controller".
What is processing?
Processing covers almost anything done with personal data: collecting, recording, organising, storing, retrieving, using, disclosing, erasing and destroying it. Passing a tenant's phone number to a contractor is processing.
What is consent?
Consent is one lawful basis for processing. GDPR sets a high standard for valid consent, but you will often not need consent at all.
There are six lawful bases for processing, of which consent is only one, and you must have a valid basis before you process any personal data.
The basis agents are most likely to rely on is 'contract'. When an agent gives a tenant's contact details to a carpenter so the kitchen cupboard door can be repaired, the agent, acting on behalf of the landlord, is fulfilling the landlord's contractual obligation to repair the property.
What is a data audit and why is it required?
A thorough data audit (sometimes called an Information Asset Register) is the first step towards GDPR compliance. You need to determine what data you hold, who collects it, how and why it is collected, the lawful basis for processing it, who it is shared with, how it is stored and when it will be deleted. As an agent or property manager, your data subjects will typically include your landlords, tenants, previous tenants and contractors.
Data Processing Agreement
Ok, so this is the bit which is often overlooked or not implemented. Where a data controller (you, the agent) engages a data processor (Dave the plumber), the controller must put a data processing agreement in place with the processor.
The agreement should set out how Dave collects, records, stores, retrieves, uses and erases the tenant data given to him. In reality, Dave will probably be handed a tenant's mobile number on a Post-it note and told to arrange access. Dave now has to log the details of that note, and when he received it, on a register or spreadsheet. He needs to record how and where he is storing the note, how and when he will use the details on it, and how he will erase the data (Dave will enter the tenant's number into his phone, so that will need to be deleted too), and he must log and be able to prove how the note was destroyed.
More information about how to create a Data Processing Agreement and what to include in one can be found here ... Or you could use Sorbet to quickly and easily instruct your contractors.
Tenant information is stored in the Contractor mobile app, is only visible to contractors who have confirmed a job request, and is automatically deleted from the app once the job has been completed. Everything is recorded in a full communications audit trail.