GDPR Top Tips for Property Guardian Providers
The GDPR is now in force and will provide a “one stop shop” for data protection with a common set of rules which may apply across all EU countries.
We do not intend to run through all the new GDPR provisions in detail in this blog, but please contact John if you would like more information about this.
One of the ‘data protection principles’ is that data must be processed fairly and lawfully and this means that there must be a lawful basis for the processing.
The legal bases for processing that may be most relevant to you as property guardian providers are:
- Consent – your property guardians expressly consent for you to process their data from the outset;
- Contract – the processing is necessary for the performance of the legal agreement between you and the property guardian; and/or
- Legitimate interests – i.e. it is necessary for you to process the data for the purposes of your legitimate business interests (so long as these aren’t overridden by the interests of the property guardians themselves).
Businesses have traditionally relied heavily on consent as their basis for data processing. However, the GDPR makes it clear that consent should only be used where it is freely given. Arguably, in a property guardianship situation, if the guardian refuses to provide consent for you to process their personal data, you would not be able to engage them. This is a clear sign that consent is not the right basis to rely on. You will therefore now need to identify an alternative basis for processing going forward and document this accordingly.
Suitable privacy notices are even more important now the GDPR is in force. You must make sure your privacy notice uses appropriate language for your target audience and incorporates all the required statutory information. If you are unsure what information you need to include, please contact us as soon as possible.
Thinking about the type of data you may collect as a property guardian provider, you will need to consider:
- Your ‘vetting’ procedures – we all know it is very important to find the right people to occupy your properties, but what data do you collect as part of your ‘onboarding’ procedure and importantly, how do you obtain that data? There is a distinction between ‘verifying’ data to ascertain whether information provided by a prospective property guardian is correct and ‘vetting’ which may involve making further enquiries of third parties or via social media. Vetting is considered high risk by the data protection regulator and you must make sure you comply with the stricter rules which apply in this area.
- Credit searches – you may gather information about a property guardian’s credit history (which is important for enforcement). Again, there are strict rules around how you should handle this type of highly personal financial information.
- Inspection records – regular inspections and well documented records (written records and/or photographs) are important for multiple reasons: keeping your clients happy, evidencing that you retain control of the property (to minimise the risk of a finding of exclusive possession) and assisting with any health and safety enquiries. However, such photos and documents are likely to comprise or include personal data (or even, in some cases, special category data – in respect of which more onerous rules apply). As a result, your privacy notices must deal with the collection of this data, and you must be clear about your basis for processing it and ensure that you handle it in accordance with the law.
If you need any advice about the GDPR generally or specifically in relation to your bases for processing or the content of your privacy notices, please contact us and we would be happy to help.