GDPR confusion and misinformation

11:26 AM, 23rd April 2018, About 6 years ago

I am told that ALL organisations, including private landlords (and their contractors), will have to be GDPR compliant by 25th May 2018. I have attended training on this and I’m getting contradictory advice from different GDPR professionals. About 4 weeks ago I was told that there is no need to register with the ICO, as everyone has to comply with GDPR so no need to register to do so, then earlier this week I was at an RLA event and was told that it would be necessary for everyone to register with the ICO, so these two GDPR speakers basically contradicted each other! The ICO website itself says that most data controllers (yes, that includes landlords) will need to register, unless they fall into an exemption (examples are on the ICO website).

At the RLA event earlier this week, I was told that we would need to provide all our tenants (and other people we hold data about) with a Privacy Notice. The RLA have one of these on their website that landlords can download, they said it is 30 pages long. I mentioned that there are probably a couple of hundred organisations that hold a person's data, so does that mean we can expect to receive 200 x 30 page documents arriving in the post in the next few weeks, and she said that most would be sent by email. I asked, what if the person does not have an email address, and she said then I could post them a hard copy, (so if you have any tenants who do not have an email address, they may be getting 6000 pages in the post very soon!!! (200 x 30 page documents)). I asked if we could simply have the Privacy Notice on our website, and she was unsure whether this would be acceptable or not. She said that she only takes tenants if they have an email address, but clearly she deals with more affluent or well educated tenants, whereas I deal mainly with vulnerable tenants who very often don’t have an email address (or may not be computer literate, may have mental health issues, or learning difficulties, etc).

I asked if GDPR applies to all government, and local government departments, and she said yes, it applies to all companies and organisations. However, the bloke sat next to her from the Council was asked if the Council were compliant, he said that his Council “are currently looking into it”. If all organisations have to be GDPR compliant, then how will the politicians send us all their party political mailings asking us to vote for them!

Overall, it seems that nobody is quite sure how GDPR will affect individual situations, it is legislation designed for application to massive companies to stop them abusing the data they hold (using it for wrong purposes, or selling it on, etc), but it is applicable to everyone so even one landlord with just one tenant will have to comply with all the GDPR rules.

Are any other landlords having trouble understanding the GDPR compliance rules? Getting misinformation or contradictory advice? Are all landlords aware of how GDPR will affect them, and what they need to do?

Robert



Comments

Chris Clare

12:06 PM, 25th April 2018, About 6 years ago

Reply to the comment left by Chris Amis at 24/04/2018 - 22:28
It is an interesting question. When I looked at the self assessment on the ICO's website and pretended to be the tradesman, it said I did not need to register. That said, it may be an idea that they are asked to delete the contact details once the job is completed as the protection requirement falls on us more than them.

Chris Clare

12:11 PM, 25th April 2018, About 6 years ago

Reply to the comment left by Chris Amis at 24/04/2018 - 22:52
The problem is you have a legal right to pass the tenant's details to the plumber but no legal right exists for you to pass the plumber's details to the tenant, unless, that is, you set up a GDPR privacy statement between you and all your tradespeople.

I would just do an all encompassing Privacy Statement that covers everyone I interact with and that way they all have the cover and protection that their data has been processed in accordance with the regulations. As everyone has to comply regardless of the need to register the registration issue is more of a red herring IMHO.

Annie Landlord

12:37 PM, 25th April 2018, About 6 years ago

I registered with the ICO a while ago. That bit is very easy and I think it's just £35 a year. I've received recently privacy statements from a bank, a pension provider and an insurance company. All are just two sides of A4 and more or less lifted verbatim from the ICO website. The NLA's privacy statement suggests landlords should insert specific information into the privacy statement sent to tenants, which complicates the matter somewhat.

Chris Clare

13:44 PM, 25th April 2018, About 6 years ago

Reply to the comment left by Annie Landlord at 25/04/2018 - 12:37
It shouldn't be too complicated Annie, you have to just include some things:
Who will you collect data from (known as Data Subjects) suppliers/tradespeople, Staff and tenants/customers
What type of processing will you do with the respective Data Subjects' data.
What rights each Data Subject has.
How long will you maintain and process their data.
What geographical location will the data be stored and processed.
Who and how will you share the data with.
And finally a summary of what measures you undertake to protect that data.
It does sound a bit daunting but if you follow this structure you will be 99% there.

Robert M

14:27 PM, 25th April 2018, About 6 years ago

Reply to the comment left by Chris Clare at 25/04/2018 - 13:44
Is that just for the Privacy Statement? The RLA's Privacy Statement for landlords to use is about 30 pages long.

However, in addition to having a Privacy Statement (whether it is 2 pages or 30 pages), I believe that you also have to have (for example) a:
GDPR Data Protection Policy
Data Inventory Schedule
Data Protection Impact Assessment
Data Confidentiality Agreements (for contractors and other third parties)
Subject Access Request Policy
GDPR Training Policy (if you have staff)
Data Processing Risk Assessment
Fair Processing Policy
Data Retention Requirements Policy
Security Access Policy
A process for obtaining explicit consent for data sharing, particularly if you have sensitive data or data about the tenant's children
Disposal of Removable Storage Media Policy
All of these policies and corresponding procedures have to be cross referenced to each other where appropriate, and of course have to be implemented into your actual day to day processes.
ALL landlords (and almost all other businesses) will be processing personal data (even if most of it is done by a letting agent or third party), so the GDPR regulations and requirements will apply.

Mick Roberts

14:28 PM, 25th April 2018, About 6 years ago

Brilliant Rob and Chris.
If u can't understand it Rob, I ain't gonna.

And yes Chris, we'll just no longer save plumbers numbers or them not save tenants numbers, the same tenant they visit a few times a year.
It ain't happening, not in my business. Quite often my tenants contact plumber builder Electrician direct. It's called efficiency.

What are we coming to.

And £35 a year? For what? Amongst all the other unnecessary charges being chucked at us.

Chris Clare

14:36 PM, 25th April 2018, About 6 years ago

Reply to the comment left by Robert Mellors at 25/04/2018 - 14:27
Yes and no. Policies such as the ones above are designed for multi staff organisations so their approach to all things is uniform and compliant no matter who gets involved.
If you run a portfolio of properties on your own you could easily argue the policies are in your head as you are the only one that controls the activities of the business.
Having things like asset registers both physical and data along with privacy impact assessments and so on are necessary but as long as you can demonstrate that data is being held and processed in accordance with the regulations the policies are merely train tracks to operate on.
Don't get me wrong I would recommend everyone does all that is suggested but most who would be reading this would struggle to do it and it is also a sledge hammer to crack a nut if you control 3 properties whilst holding down a day job.

Chris Clare

14:44 PM, 25th April 2018, About 6 years ago

At some point I am going to be doing my own GDPR Privacy Statement for the properties I own and manage. I am half inclined to offer a service to other landlords so they can get theirs right.

Would that help?

Robert M

14:54 PM, 25th April 2018, About 6 years ago

Reply to the comment left by Chris Clare at 25/04/2018 - 14:36
I agree that the whole raft of GDPR requirements is designed for big companies to comply with, BUT it does also apply to sole trader landlords whether they have one property or 500 properties, and under GDPR even the sole trader (including a landlord with just one property) has to be GDPR compliant. Yes, it is a sledge hammer to crack a nut, but nevertheless it still applies, and it is not acceptable under GDPR to argue that you have not documented your policies and procedures "because they are in your head".

Thank you for your offer to share your Privacy Statement with other landlords. I've not completed mine yet, but I am working on it, along with all the aforementioned policy documents.

Chris Clare

15:16 PM, 25th April 2018, About 6 years ago

Reply to the comment left by Robert Mellors at 25/04/2018 - 14:54
You may very well be right

That said Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Having a filing cabinet full of policies and procedures rarely proves compliance. Compliance proves compliance, hence a LL who has a couple of properties doing everything right within the law but without the documents can still comply IMHO.
