Coming into force on May 25, the General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - is something which all businesses are expected to comply with.
For a while, many estate and letting agents will have been working hard to prepare for the new rules.
To help you on your way, in association with The ValPal Network, we've assembled a panel of experts who will be answering a GDPR-related question each week.
If you have a question you'd like to ask our experts in a future edition of GDPR Weekly, please get in touch on email@example.com.
What is a legitimate interest and how does it relate to estate and letting agents' services?
Bernard George, solicitor for Socrates Training Ltd:
People often think the GDPR means you can only hold personal data about people with their consent. This is not the case. There are lots of grounds for holding information about people. For example:
- You can keep records about your staff without their consent. You have a legitimate need to keep tax, pension, health, disciplinary and other records. The key point is to keep it secure.
- You can keep records of your clients. For a start, you have a legal duty to collect and keep anti-money laundering records. But, in any case, people give you their details for the purpose of your work and that is fine. You do not need to get explicit written consent.
But, is it ok to keep information people give you about third parties? Actually, yes! Or at least usually yes. For example, a seller might give you information about a potential buyer, or a landlord might tell you things about a tenant. This is personal data. But you can normally record it and keep it.
If it is relevant to your work you will almost always be justified in keeping it, on the basis that it is necessary for the services you are providing.
As ever, keep it secure and allow people to check it and correct it if they want.
The basic point to understand, however, is that you need a justification for holding information about people. But there are lots of possible justifications other than the person’s consent.
Annemarie Proudfoot, head of customer relations at BestAgent:
A legitimate interest is a basis for processing data - one of the several alternatives to consent as a means for holding and processing personal information.
An example of this is: A debtor stopped making payments, moved house without informing the creditor, and now the creditor-company passes the debtor’s personal information to a collection agency to attempt to recover payment.
A signed terms of engagement demonstrates the agency has a legitimate interest in processing the customer’s data in order to fulfil its business obligation.
When a person is already a ‘client’ of the agency, then the agency has a legitimate interest to process their information - but be careful about passing their data to third parties, because you must ask yourself whether the data subject could reasonably expect you to process his/her data, and for the purpose that you are doing it.
Annabel Kaye, managing director of KoffeeKlatch:
Many people are saying that ‘legitimate interest’ allows you to process personal data as it suits your business. But before you can use ‘legitimate interests’, there is a three-part test you need to go through:
1. Define your ‘legitimate interest’ specifically. ‘Commercial interest’ is too wide. ‘To grow our business’ or ‘to enhance our reputation’ would be specific (depending on what you were intending to do).
2. Consider if this processing is ‘necessary’. That’s not as high a barrier as ‘essential’, but it must be a targeted and reasonable way to help achieve the purpose.
3. Do a balancing test, to take into account the rights and freedoms of the individuals. Ask yourself – would the individual reasonably expect us to process their data this way and would they consent to it if they knew? If the answer is no, don’t do it this way. Even better, ask your customers what they expect, as it is their reactions that really count at the end of the day.
Damon Bullimore, chief information officer at BriefYourMarket.com:
Legitimate interest can be thought of in two ways by agents. Firstly, as a lawful basis for processing, it can be defined as one of six approaches that an agent can choose to take when processing data under GDPR.
Secondly, as a concept for use, it can be thought of in terms of the relationship that the agent has with an individual, what the agent is looking to achieve by using legitimate interest, and if there will be any detrimental impact on the individual when using it.
The Information Commissioner’s Office (ICO) state that the GDPR does ‘not define what factors to consider when deciding if your purpose is a legitimate interest’. The nature of legitimate interest means that usage is ‘flexible and could be applied to any type of processing for any reasonable purpose’. However, an agent’s legitimate interest must have some ‘clear and specific benefit or outcome in mind’.
Therefore, an example of legitimate interest in practice might be: “our agency has a specific interest in marketing our properties and services to our customers to increase sales and enhance the level of customer service we offer.”
Agents must then evaluate if this decision will have a detrimental impact on the individual, if the individual would reasonably expect their data to be used in relation to the legitimate interest, and if they can object to the processing.
Due to the flexible nature of legitimate interest, agents take on much more responsibility to balance their reason(s) for using it in relation to the rights and freedoms of the individual. To help identify what your legitimate interest is, agents should conduct a Legitimate Interest Assessment (LIA), as this will help them to identify what the purpose of the legitimate interest is, if it is necessary, and what the relationship is with the individual.
Sharon Tan, partner at Mishcon de Reya LLP:
A legitimate interest is one of the potential lawful bases under GDPR for processing an individual's personal data, and is the most flexible.
A business can identify that it, or a third party, has a legitimate interest to process that individual's personal data, and this may cover a wider range of circumstances for any given business.
However, in order to be compliant, the business must also (1) consider whether the processing of that personal data is necessary, i.e., is it a targeted and proportionate way of achieving the purpose and (2) conduct a balancing assessment of whether the individual's interests or fundamental rights and freedoms override its interests.
Generally, reliance on legitimate interests will be appropriate where individuals would have a reasonable expectation of you using their data in that way, and where it has a minimal privacy impact.
For example, an estate agent instructed to sell a property can process data related to people looking to buy properties by relying upon its legitimate interest.
GDPR also specifically recognises that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest, and it may therefore be an appropriate basis for solicited direct postal marketing (but not by email or text, where GDPR-compliant consent will be required).
However, once an individual objects to your marketing on the basis of legitimate interests, you must stop immediately.
The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Sharon Tan.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.