Estate Agents and GDPR
Our January article discussed “Three things you need to know for the GDPR”. The regulations come into force on 25th May 2018.
Now we will provide a brief overview of how this relates to Estate and Letting Agents.
This new regulation builds on existing DPA law with which you will already have complied, so see it in a positive light: a chance to “Spring Clean”, a golden opportunity to delete and/or review old data and, if necessary, to update your IT security policies and procedures. See it as an opportunity to remind staff of the importance of keeping client information safe.
Concerns have been raised that Estate and Letting Agents, who hold a significant volume of personal data, are not using it properly:
- Landlords and tenants:
  - are not being told how their personal information will be used;
  - have their data kept for longer than necessary.
- There is a general lack of awareness about the importance of using technical security controls like encryption, and paper records containing personal data are often not kept securely.
- Staff have not been trained to understand what is needed from them.
There are many issues that need to be considered; here is a flavour of the new requirements:
- Tenants should be given a privacy notice explaining how the data collected will be processed. This can be made available on a website. We would suggest it is also included in the paperwork provided to the tenants.
- Tenants' written consent is required at the outset where data regarding a tenant (or any resident in the property) is passed on to a third party.
- Delete data which is no longer required to fulfil the purposes for which it was originally collected. Data collected for a specific tenancy should be deleted once the tenancy has ended, but first check whether it is needed for any other reason (legal, insurance, etc.) and make a note of the reason for not deleting the data.
- Agencies used to assist with marketing who receive personal data will need to be aware that they will now be regulated under the GDPR.
Put simply, if data identifies a living person, that data will be governed by the GDPR.
Customers expect personal data to be processed securely and in compliance with the law. Non-compliance will result in large fines (proportionate to the actual breach).
More importantly, it will result in loss of reputation with customers (past, present and future) and employees, who assumed you would process their personal data securely and in compliance with the law.
For more information: