GDPR confusion and misinformation

by Readers Question

11:26 AM, 23rd April 2018
About 2 years ago


I am told that ALL organisations, including private landlords (and their contractors), will have to be GDPR compliant by 25th May 2018. I have attended training on this and I’m getting contradictory advice from different GDPR professionals. About 4 weeks ago I was told that there is no need to register with the ICO, as everyone has to comply with GDPR so no need to register to do so, then earlier this week I was at an RLA event and was told that it would be necessary for everyone to register with the ICO, so these two GDPR speakers basically contradicted each other! The ICO website itself says that most data controllers (yes, that includes landlords) will need to register, unless they fall into an exemption (examples are on the ICO website).

At the RLA event earlier this week, I was told that we would need to provide all our tenants (and other people we hold data about) with a Privacy Notice. The RLA have one of these on their website that landlords can download, they said it is 30 pages long. I mentioned that there are probably a couple of hundred organisations that hold a person’s data, so does that mean we can expect to receive 200 x 30 page documents arriving in the post in the next few weeks, and she said that most would be sent by email. I asked, what if the person does not have an email address, and she said then I could post them a hard copy (so if you have any tenants who do not have an email address, they may be getting 6000 pages in the post very soon!!! (200 x 30 page documents)). I asked if we could simply have the Privacy Notice on our website, and she was unsure whether this would be acceptable or not. She said that she only takes tenants if they have an email address, but clearly she deals with more affluent or well educated tenants, whereas I deal mainly with vulnerable tenants who very often don’t have an email address (or may not be computer literate, may have mental health issues, or learning difficulties, etc).

I asked if GDPR applies to all government, and local government departments, and she said yes, it applies to all companies and organisations. However, the bloke sat next to her from the Council was asked if the Council were compliant, he said that his Council “are currently looking into it”. If all organisations have to be GDPR compliant, then how will the politicians send us all their party political mailings asking us to vote for them!

Overall, it seems that nobody is quite sure how GDPR will affect individual situations, it is legislation designed for application to massive companies to stop them abusing the data they hold (using it for wrong purposes, or selling it on, etc), but it is applicable to everyone so even one landlord with just one tenant will have to comply with all the GDPR rules.

Are any other landlords having trouble understanding the GDPR compliance rules? Getting misinformation or contradictory advice? Are all landlords aware of how GDPR will affect them, and what they need to do?

Robert



Comments

Chris Clare

14:12 PM, 1st May 2018
About 2 years ago

Reply to the comment left by Brian O'Donoghue at 01/05/2018 - 11:57
You are right, Brian, public domain can be a get-out for many, but it has some issues and limitations:

1. You have to be able to prove it was in the PD at the time it was processed.
2. You have to maintain that it continues to be in the PD for the duration of processing.

Failure to ascertain these two could mean unlawful processing as it is only lawful to process it if there is a reasonable chance of any member of the public being able to access the data during the period it was being processed.

Again this causes more problems than just processing it lawfully as you now need processes and procedures to manage PD data and monitor its standing, constantly as PD data.

It is easier to just have a Privacy Statement that covers suppliers and tradesmen, problem solved.

Jireh Homes

11:14 AM, 2nd May 2018
About 2 years ago

For those landlords who have registered with ICO, what sector was selected, as it appears every possible "job" other than Landlord is listed?

Chris Clare

11:24 AM, 2nd May 2018
About 2 years ago

Reply to the comment left by Jireh Homes at 02/05/2018 - 11:14
I put "Property Management and Property Rentals"; even if you have one property, that description is appropriate.

Robert Mellors

10:00 AM, 3rd May 2018
About 2 years ago

I have now completed my GDPR Data Protection Policy document, so if anyone wants a copy of this, for FREE, (to adopt or adapt for their own landlord business), just email me: robert.mellors@hotmail.co.uk

Lillian Howell

14:34 PM, 4th May 2018
About 2 years ago

Reply to the comment left by Robert Mellors at 03/05/2018 - 10:00
Hi Robert,
Would you email me a copy of the GDPR policy? LAH55555@aol.com
Thank you.

Robert Mellors

23:53 PM, 4th May 2018
About 2 years ago

Reply to the comment left by Lillian Howell at 04/05/2018 - 14:34
Could anyone wanting a copy of my GDPR Data Protection Policy please email me direct: robert.mellors@hotmail.co.uk rather than putting their email on this thread. Thanks.

Chris Amis

1:26 AM, 9th May 2018
About 2 years ago

OK, next query, not addressed on RLA guide, Robert's comprehensive example etc.

Which of these services must I ditch? I am sure I am not the only one who needs to work this bit out.

GoogleDrive
I pay Google for extra space, but not for Google apps (or whatever the commercial bit is called now). I AES encrypt and then backup to gdrive, very convenient if you need to dig out an insurance policy on holiday.

OneDrive
I got a free 200 GB from onedrive, so I duplicate backups to onedrive.

GoogleMail
My email gets directed thru gmail, it is convenient to have many years email always on tap. Google could read this, and they store it who knows where.

Backblaze
Main backup is backblaze, again AES encrypted, they claim GDPR compliant even as a US company.

The cynic in me would say Google and MS have no incentive to say if the 'free' services are compliant, as they get to sell upgrades. Would buying the Google apps stuff be compliant?

Chris Clare

10:25 AM, 9th May 2018
About 2 years ago

It is my understanding that none of those services can be compliant as they cannot confirm where data will be held. If you drill down on their T&Cs they actually state they reserve the right to store data pretty much anywhere.

Providers like Google and Microsoft have data-centres all over the globe and they move data around routinely just to optimise storage globally and it is for this reason they are reluctant to state where exactly any data will be at any point in time. That's great for them but for anyone having to audit their data and geo locate data accurately it is difficult.

For this reason many firms have sprouted up offering costly solutions for EU/UK data storage solutions. None of them are overly necessary as there are cheaper alternatives to hosting your own data within the UK.

The fact that the data is encrypted is great and essential regardless of its geographical location. But not knowing where the data is leaves you in an unquantifiable bind. IMHO

All that being said, if you don't deal with any big companies who are putting constraints on you, you can build your own risk assessment and decide to do what you want to do, as long as you can justify whatever it is you are doing and it minimises any potential risk to data subjects' data. If you do take this route you will have to document and inform all of your data subjects precisely where their data may be and why. This is why so many businesses stick to UK hosted solutions.

Robert Mellors

12:32 PM, 9th May 2018
About 2 years ago

Reply to the comment left by Chris Amis at 09/05/2018 - 01:26
Hi Chris

It is my understanding that these large software and operating system suppliers are stating that they are GDPR compliant because they have the US Privacy Shield accreditation/standard and/or they have contractual arrangements in place that satisfy the GDPR requirements. I have checked this for Microsoft, Dropbox, and Xero, and all claim to be compliant, so as a user of these services I believe that we would be entitled to rely on those statements. However, I would suggest that you make your own enquiries with the various providers that you use so as to put your own mind at rest, and as evidence of your due diligence.

Boru

13:43 PM, 9th May 2018
About 2 years ago

We are in danger of setting the bar too high and planning for risks that are very unlikely and jumping through all sorts of hoops. Be transparent, register with the ICO, fill in the template Record of processing, be secure in how you hold data physically and electronically, don't hold more data than you need. If there is a complaint to the ICO which prompts them to contact you (after they finish with Facebook) it is unlikely to end in a fine. Of thousands of cases that came to the ICO's attention last year only a tiny percentage ended in fines. There is a lot of scaremongering going on to sell 'solutions'. Register and use the helpline when uncertain.
