If you are a landlord, have you registered yourselves with the Information Commissioner’s Office? If you are a large organisation or deal with high volumes of tenants’ persona data, have you appointed a Data Protection Officer to monitor compliance with the Regulations?
If not, recent changes to data protection laws mean you may need to do so, urgently.
You should all be aware that the General Data Protection Regulation (“GDPR”) came into force on 25 May 2018.
It is true that GDPR is an extension and evolution of our existing data protection laws. However, the changes have brought may new obligations which will affect the property rental sector.
A common scenario
As a property litigator, one issue that has come to my attention in relation to GDPR is the ability for a landlord to share the tenants data with third party suppliers. Many landlords will have encountered tenants that have vacated a property without paying utility bills. The tenant may not have provided a forwarding address for outstanding invoices or bills.
Your business may also rely on third-party websites or software products to manage your properties and tenant information.
The old way
Past practice relied on by landlords was to use a clause in a tenancy agreement. This would state that consent is granted to allow them to provide the utility supplier with a copy of the tenancy agreement or a copy of the notice seeking possession, or even a court order. This is now most definitely at an end. GDPR is more detailed than previous data protection legislation.
The new way
Under GDPR, using such data without a valid lawful basis and consent can lead to significant fines. The provision of specific consent by the tenant is now required by a landlord to process any personal data. For example, consenting that information may be passed to a utility company for the purpose of invoicing for the supply of services, or chasing payment for those services following termination of the tenancy.
The consent must be a “positive opt –in”; that is to say that the tenant must have taken steps (ticking an unticked box – “a clear affirmative action”, – for example) to confirm their consent to process their data. Alternatively, and a slightly more risky approach, is that if the tenancy agreement permits the landlord to pass on data to assist the utility company, the landlord could be deemed to be lawfully processing the data. Even if the tenancy agreement did not permit the landlord to pass on details, it may be that the landlord would be able to pass it on relying on the legitimate interest ground.
If you haven’t already done so, you should carry out an audit of the data you hold, and who you share it with. You should take advice and implement any changes necessary to ensure you are compliant with GDPR.
Whilst it may initially seem burdensome, GDPR compliance should be seen as a benefit to your business. It will give your tenants confidence that they are dealing with a professional organisation, and that their personal data will be managed properly.
For more information about this topic or to arrange a GDPR healthcheck for your business, please contact me by telephone on 0114 3496983 or email firstname.lastname@example.org.