The introduction of the EU-wide General Data Protection Regulation (GDPR) is a little over three months away, and the legislation will require landlords to process tenants’ personal data more rigorously and securely than many of us are used to.
Let’s start with the obvious: GDPR wasn’t designed with private landlords or people with second homes in mind. It was drafted to tackle some of the more egregious uses of personal data by tech giants such as Google and Facebook.
Nevertheless, the legislation applies to all of us and it’s important to have a basic understanding of how and why.
I have always said that the best landlords approach their portfolio, however small, as a professional business. Particularly with recent taxation changes, there are reasons not just to be businesslike, but to legally operate as one. Perhaps GDPR is an opportunity and an incentive for all of us to implement strategies that make our operation as a whole more professional, effective and secure.
What constitutes personal data and do I process it?
With measures such as tenant referencing, it’s impossible to be a diligent, compliant landlord and not process some personal data, particularly if you self-manage. There’s a tendency to think of data as computer or cloud-based, and much of it is these days. But a Filofax or ledger with tenants’ names, numbers and email addresses, dates of birth, and bank details is just as relevant under GDPR. So too are digital scans or printouts of tenants’ IDs such as passports.
How can I handle data more securely?
There are some basic things each of us can do to make sure we comply with GDPR without creating masses of extra work for ourselves.
+ Ensure its physical safety. Keep tenants’ information in a locked cabinet or safe. This applies equally to paper copies, hard drives, USB sticks and anything else that carries personal data.
+ Ensure its digital safety. Password-protect your mobile phones, computers and other devices. Be certain that your WiFi network is password-protected and secure. Consider using separate networks for your business and home usage.
+ Be organised. Keep track of each tenant’s data and permanently delete anything you don’t need. Under GDPR a former tenant can ask you to delete all the information you have about them - so be diligent and make sure you can do so quickly and easily.
What does opting-in mean?
We need to always be clear about the legitimate reasons we hold or process any personal information. One of the significant grounds on which we can justify this is consent. The fact that a tenant has agreed to you recording and using their information is reasonable justification for you to, for example, save their contact information on your mobile phone so that you can contact them in an emergency.
Under GDPR, however, consent needs to be explicit - if you are relying on consent as a basis for holding someone's personal information, you need to have a record of their ‘opt-in’ to that purpose.
In our example above, just because a tenant has said that you can contact them in an emergency, this does not mean they have agreed to you doing anything else with their details. You would need to be able to show that your tenant also gave you permission to contact them and invite them to social events, and most certainly if you want to pass their information on to anyone else.
However, consent is not the only ground you can have for processing someone's information.
For example, if you are in a business relationship with someone, you can process their information in order to maintain that relationship. So it is reasonable for landlords to contact existing tenants about their tenancy, or previous tenants about matters regarding their tenancy, for example the return of any deposit. It is also reasonable to record someone’s information if they have asked to rent a property from you: you need their details in order to do what they have asked you to do. You would, however, need to be clear with them if you were going to do a background check and pass their information on to someone else as part of that process: this would require clear consent.
Whatever you do, under GDPR you need to bear in mind that you should only be doing things with people’s information that they would reasonably expect you to be doing. Take time to think about what you are doing with their information in the context of the reason they gave it to you.
If you get someone’s information from a third party, or you want to use it for something different from what they have previously agreed to, in most cases common courtesy will bring you in line with GDPR: check with the person first.
The most important thing to remember, however, is to keep a written record of the actual consent - a signed document, though a text message, email, fax, or digital log will be adequate.
What about partners?
Most of us use partners or contractors to help out with areas such as property maintenance. This tends to require some sharing of tenant details. Even if your handyman is a friend you’ve known for years, under GDPR you are responsible for ensuring that any data you share with them is safe. Have a chat with your suppliers and contractors when you are taking stock of your own security, and ask them to replicate what you’re implementing if necessary. As a business person you need to ensure that their terms of service to you include acknowledged responsibilities for data protection.
Do I need to register with the ICO?
Unless you have significant property holdings and process large amounts of personal data, it’s unlikely that you need to register with the ICO.
However, if you do suffer a security breach that compromises tenants’ personal information, you will need to report this to the ICO within 72 hours, as well as letting the tenants themselves know.
Any other tips?
Being a technology professional as well as a landlord, I would always advise that the security of off-premises, cloud-based data is going to be much stronger than anything you could achieve locally at home or in an office. Using a cloud-based PropTech service is a move to explore, particularly as it shares or passes the security burden of GDPR to the provider.
It’s tough to be a small landlord at the moment, and I can certainly see that GDPR could feel like an unwanted headache. However, GDPR should be viewed as an exercise in getting the fundamentals right rather than making a sea-change in how we work with tenants’ information. I’m likewise inclined to view it through the lens of the safety of my own personal data as well as that of my tenants, and as an opportunity to professionalise.
Vik Tara is a landlord, the CTO of Technology Blueprint, a founder of Rentr, and the Director of CheckDocs - a document checking service for landlords and letting agents.