Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.
For a while, many estate and letting agents will have been working hard to prepare for the new rules.
To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who will be answering a GDPR-related question each week.
If you have a question you'd like to ask our experts in a future edition of GDPR Weekly, please get in touch on firstname.lastname@example.org.
Under GDPR, estate and letting agents will be deemed as 'data controllers'. What is this and what does it mean?
Bernard George, solicitor for Socrates Training Ltd:
Because your business holds information about people, that makes you a data controller. And that means the GDPR applies to you.
So, the minute anyone (like a client or a member of staff) gives you their contact details, you have all the basic GDPR obligations. That includes:
- only keeping information where there is a legal justification;
- keeping it secure;
- allowing people to check what you hold about them;
- deleting information when it is no longer needed.
It’s possible that you share some personal data with ‘data processors’. So, for example, if you contract out your payroll to a service company, they will be ‘data processors’. They have a bunch of further obligations to keep your data safe, and you may want to check they are taking the GDPR seriously.
Annabel Kaye, managing director of KoffeeKlatch:
A ‘data controller’ is the legal entity that decides what personal data is going to be processed, and how it is going to be done. A company is a legal entity in its own right. If you are a sole trader or a partnership, it will be the people who are trading.
In practice, you need someone in charge of this – it can be a particular director/partner/senior employee or you can appoint an external compliance organisation to do this for you.
You can delegate or outsource the work, but the responsibility will always remain with the directors/business owners.
The data controller is responsible for ensuring that the six GDPR data protection principles are followed. That means you have to get your software, your hardware and your people set up to ensure the data principles are followed.
You also have to be able to demonstrate the organisational measures you took. Keep good records and notes of your ‘GDPR journey’ and the decisions you took.
Make sure your employees are trained on GDPR. If external organisations are working with personal data that you control, make sure you have contract wording in place that controls and limits what they can do with the information.
The personal data that you hold is not ‘your’ data, it’s the individual’s data – and as ‘data controller’, you are responsible for making sure you only use it fairly and within the legal framework.
Sharon Tan, partner at Mishcon de Reya LLP:
Data controllers are those who determine how and why personal data is processed. The data controller must exercise control over the processing and carry data protection responsibility for it.
Most businesses will be controllers in relation to the personal data of staff, customers and others. In the same way that current data protection laws operate, most obligations and liabilities under the GDPR will fall on the data controller, who is not only responsible for, but must also be able to demonstrate compliance with, the data protection principles.
In addition, GDPR imposes obligations on controllers to ensure that there are written contracts in place with ‘processors’ – those who act on the controller's behalf – requiring them to comply with GDPR and its principles in relation to the data they process on the controller's behalf.
Processors could include, for example, a payroll company handling staff payroll, or a third-party management company collecting rent. Sometimes the distinction between data controllers and data processors is blurred but it's important to remember that it is the data controller that exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.
Damon Bullimore, chief information officer at BriefYourMarket.com:
The GDPR explicitly states that the data controller is solely responsible for determining the purposes and means by which the data you hold is processed. Therefore, anyone within your business that processes personal data is deemed to be a data controller, and must adhere to strict data protection principles.
Data controllers are responsible for:
- Enforcing all GDPR data protection activities within the business.
- Complying with all GDPR data protection activities.
- Demonstrating and documenting your business’ compliance with GDPR data-processing activities.
- Understanding, complying with and enforcing the lawful basis for processing.
It is highly recommended that your business trains its staff, and obtains formal declarations from them indicating that a training process has taken place in relation to their data-processing activities.
In practice, anyone within your business that collects, uses, or stores data must be able to demonstrate their ability to comply with and enforce data protection principles at all times.
It’s essential that any member of your organisation that handles personal data has a comprehensive understanding of all lawful bases for processing, as this will ensure that they can always select the appropriate basis for collecting, using, or storing an individual’s personal data, and justify why they have processed personal data.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR for your business.
While we have made every effort to ensure that the information covered here is correct and up to date, we, Angels Media Ltd, make no promises as to completeness or accuracy, and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.