General Data Protection Regulations (GDPR)


The General Data Protection Regulations apply in the UK from 25th May 2018 and came into force under the Data Protection Act 2018. These regulations have similarities to previous data protection requirements under Data Protection Act 1988 but update data protection laws for the digital age.

The Data Protection Act 2018 will affect the way letting agents and landlords collect and use individuals’ personal data but most of the data protection requirements have been in force since 1988 including providing a privacy policy, processing data in line with the six data protection principles and processing data lawfully.

Some of the main changes include:

  • Larger companies will be required to appoint a Data Protection Officer;
  • Consent must be explicit and pre-ticked opt-in boxes are not allowed. Consent will be harder to obtain and can be withdrawn at any time;
  • More information must be included in a privacy notice;
  • The Information Commissioner’s Office can issue fines of up to 4% of global annual turnover for data breaches;
  • Individuals will be able to request that online content is removed;
  • Individuals must give explicit consent for their data to be transferred outside the EEA;
  • Individuals have the right not to be subject to a decision based solely on automated processing.

The Information Commissioner’s Office (ICO) provides guidance on data protection regulations on its website.

Data Protection Act 2018 Requirements

The use of any personal data must be justified using one of the following ‘lawful basis’ conditions for processing data:

  • That the person gave explicit consent
  • To fulfil or prepare a contract
  • There is a legal obligation
  • To save someone’s life or in a medical situation
  • To carry out a public function
  • There is some other legitimate interest

The use of personal data must also comply with six key data protection principles:

  • It must be processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
  • It must be collected for specified, explicit and legitimate purposes (purpose limitation);
  • It must be adequate, relevant and limited to what is necessary (data minimisation);
  • It must be accurate and kept up to date (accuracy);
  • It must not be stored longer than necessary (storage limitation); and
  • It must be processed safely and securely and protected using appropriate technical or organisational measures (integrity and confidentiality).

The data controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.

Under the 2018 Regulations, agents that determine the purpose for which personal data is processed are required to register with the ICO and pay the ICO a data protection fee.

The regulations apply to data controllers and data processors. A data controller is a person who decides how, why and when personal data will be processed, such as a landlord or an agent dealing with contractors and referencing agencies. A data processor is a third party who is responsible for processing personal data for the data controller, for example a referencing agency. An agent may be a data processor where they are acting on behalf of the landlord. Any lawful basis for processing data which agents and landlords wish to rely on will need to be documented in a privacy notice.

It is important that contracts are in place between the data controller and processor setting out the details of data processing. For example, clauses should be included in agency agreements/terms, contractor terms and conditions and referencing agents’ terms ensuring that the parties agree to comply with their obligations under the Data Protection Act. Letting agents who rely on explicit consent will need to ensure that the individual has actively agreed to the sharing of their data and that a pre-ticked opt-in box or assumed consent has not been used.

Letting agents and landlords may be able to rely on the ‘legitimate interest’ or ‘contract’ lawful basis when using personal data. To rely on the ‘legitimate interest’ basis, a legitimate interest must be identified, you must be able to show that the processing of data is necessary to achieve it, and it must be balanced against the individual’s interests and rights, e.g. sharing data for referencing purposes. To rely on the ‘contract’ basis, you must have a contract with the individual and need to process personal data in order to comply with your obligations under the contract or, if there is no contract yet, you have been asked to do something and need to process their personal data to do what they have asked, e.g. processing a tenancy application form or preparing a tenancy agreement.

Companies must document all processing activity, but those with fewer than 250 employees only need to document processing activities which are not occasional, could result in a risk to the rights and freedoms of individuals, or involve processing of special categories of data. The information documented must include the company details, the purposes of processing, a description of the categories of individuals, their data and recipients, details of transfers to third countries, retention schedules and a description of the company’s technical and security measures. The ICO provides an example documentation template in its guidance.

Letting agents using mailing lists will need to ensure that explicit consent has been provided and individuals have opted into the type of mailer being sent. Information must be retained appropriately, kept secure and protected by using appropriate technical or organisational measures, and a privacy notice informing individuals about what you do with personal data must be available.

A privacy notice must be displayed on a company website and given to the individual at the time data is collected. Privacy notices are not new under the regulations; they were previously required under the Data Protection Act 1998. However, more detailed information will now need to be provided. A privacy notice informs people who will be collecting their personal data, how their personal data will be used and who it will be shared with. The following information must be included:

  • The name and contact details of the organisation and any representative or data protection officer who is collecting the data, and what data is being collected;
  • whether it will be shared with any other organisation and their details, including any third countries or international organisations;
  • the purpose for processing the data, the lawful basis for processing the data, the legitimate interests for the processing and how it will be used;
  • the recipients of personal data and the retention period of the data;
  • the right to withdraw consent and the right to lodge a complaint; and
  • details of whether individuals are under a statutory or contractual obligation to provide the personal data.

Where data has not been obtained directly from the individual, they must also be informed of the source from which it was obtained and whether it came from a public source. Further information is available from the ICO website referred to above.