GDPR Weekly: Exploring the requirements for personal data

Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.

For a while now, many estate and letting agents will have been working hard to prepare for the new rules. 

To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who will be answering a GDPR-related question each week. 

If you have a question you'd like to ask our experts in a future edition of GDPR Weekly, please get in touch on press@estateagenttoday.co.uk.  

Under GDPR, personally identifiable data (PID) should only be retained for 'as long as necessary'. How can 'as long as necessary' be defined for agents?

Damon Bullimore, chief information officer at BriefYourMarket.com:

If agents correctly enforce GDPR-compliance guidelines, there are only three legitimate and lawful reasons that could apply when storing or processing a contact’s personal data: 

Compliance with Legal Obligations:

There are a number of legal obligations that require agents to store personal information for set periods of time.

We recommend that you review your legal obligations and ensure that all data-retention periods are clearly documented in your Privacy Policy.

Contractual Necessity:

In order to fulfil certain transactions, or to fulfil certain contractual obligations, agents are required to process or retain certain information. The data controller (i.e. the person determining the lawful basis for processing the information) must identify when this particular lawful basis for data processing can be used. Again, similarly to compliance with legal obligations, agents should ensure that they have documented all intended data-retention periods in their Privacy Policy.

Consent:

Personal data can be retained and processed if a contact has given your business explicit consent to receive marketing communications. The fundamental thing to remember is that the processing (i.e. collection, use or storage) of any personal data will be deemed unlawful if the data controller (i.e. the person/business collecting, using or storing the data) does not have a lawful basis for processing the data. Therefore, unless you have a legal or lawful reason to collect, use or store an individual’s personal data, you will have to delete it.

Find out what the GDPR means for businesses, how it will affect your agency, and what you need to do to be compliant.

Annabel Kaye, managing director of KoffeeKlatch:

You can decide how long you need to keep information about potential customers. If you look at your own sales and marketing model, you should be able to see how long it is between first point of contact and doing business with someone. You will need to keep that information up to date, so the longer you keep it, the harder it will be to update it – people will move!

In other areas the law decides. Information to do with money (invoices etc) needs to be kept for at least seven years in order to support your accounts. Anti-money laundering and other information will also have a long retention date. Check with your professional indemnity insurers and see how long you need to keep full client records for in case there is a claim.

Keeping records longer than necessary is a mistake – so how long you keep them has to be linked to a specific purpose and use. The days of ‘just in case’ are going.

Bernard George, solicitor for Socrates Training Ltd:

You must be able to justify why you are holding information about someone. Here are some rough guidelines for a typical firm:

Records of prices/rents: If the information is simply about properties, not identifiable people, you can keep it as long as you like.

Sales files: Many say six years is reasonable. That is the limitation period for someone to bring a legal claim, so it is hard to justify longer.

Lettings files: Seven years or more for financial records, due to possible tax enquiries. If you continue to represent a landlord you may be able to justify keeping all the records you hold about their affairs at least as long as that relationship lasts.

HR, payroll and pension records: Almost indefinitely. But records of unsuccessful applicants for jobs should be deleted after a year or so.

Anti-money laundering identification records: The law says five years from the end of the relationship. You must delete after that, unless the person consented to you keeping them longer.

Do not delete too aggressively – it’s relatively rare for anyone to complain that you kept information about them too long, at least unless the information is unusually sensitive.

Sharon Tan, partner at Mishcon de Reya LLP:

Storage limitation is one of seven data protection principles which form the core of data protection obligations– this principle means that personal data should only be kept for as long as it is necessary ‘for the purposes for which it is processed’.

You will need to look at each category of data and the reasons for holding it and identify how long it needs to be retained, based on why it was obtained in the first place. For example, if you hold an individual's bank or credit card details for the purpose of making or taking a payment, once the payment has been made, and allowing for a period of time for any rectifications, those details should not be kept.

Equally, you may hold personal information about tenants in relation to lettings – once the contract ends it will no longer be necessary to hold that information. However, you may be able to retain the names and contact details of clients if there is a business requirement to do so, such as keeping records of past clients or retain certain information about former employees for a period of time for reference purposes or to defend legal claims.

You should be transparent and inform those whose data you hold of the reasons for and period of retention. You can do this by putting in place a retention policy with time frames or relevant considerations for each category, and ensure you monitor compliance with that policy.

Paul Offley, compliance officer for The Guild of Property Professionals and Fine and Country:

The Information Commissioner's Office (ICO) states that personal information may be held for as long as legally required. Whilst this can appear open ended, it’s actually quite straightforward. 

It all depends on what regulatory body you belong to or which redress scheme you are a member of and whether those organisations state a required time period for holding on to personal information.

If you are a member of The Property Ombudsman, then as detailed in the Code of Practice, you should retain files for six years. From my discussions with the ICO, it stated that it would view this as your legal time to retain the information. You may have different requirements depending on the professional bodies you may be a member of, so you will need to check all your membership requirements. 

You will, however, need to document your ‘retention’ policy within your Privacy Policy Statement so that consumers are absolutely clear on how long you will retain their information.

*If you would like to receive further guidance from any of our GDPR experts, please click here. 

Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.

Angels Media Ltd Legal Disclaimer:

The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.

We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.

While we have made every effort to ensure that the information covered here is correct and up to date, we Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.

Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.