Blog: GDPR: beyond tenants and employees, who do social landlords process personal data for… and what do they need to do about it?
By Kelly Sleight, a solicitor in the Housing team at law firm Harper Macleod
As pretty much everyone is aware, new data protection legislation comes into force in the form of the General Data Protection Regulation (EU) 2016/679 (the GDPR) on 25 May 2018.
We have been advising a number of our Registered Social Landlord (RSL) clients in relation to their preparations for this new law and it is clear that it is not just tenants and employees that RSLs need to be aware of in terms of data protection and compliance with GDPR.
What is personal data?
For information to be personal data, it must relate to an identified or identifiable living individual. This means that information comprising an individual’s name, address, date of birth, etc. will constitute personal data and the GDPR will apply.
RSLs will process large amounts of personal data regarding tenants and employees, including information relating to their health, racial or ethnic origin, religious or philosophical beliefs, etc. which constitutes “special categories of personal data” and merits additional protection under the GDPR.
Other individuals to be aware of
However, RSLs will also process personal data for a number of other categories of individuals, such as sharing owners, shared equity owners and owners of factored properties.
If an RSL has an agreement with, for example, a sharing owner, that agreement will include the owner’s name, address and signature at the very least. This constitutes personal data and the retention by the RSL of a copy of this agreement, particularly in electronic form, or any file related to such individuals constitutes the processing of personal data under the GDPR.
What does this mean?
The GDPR regulates the processing of personal data by organisations and includes a number of obligations that RSLs must comply with when processing personal data for any type of individual. Individuals also have certain rights under the GDPR that RSLs must comply with within specified statutory timescales.
Failure of RSLs to comply with their obligations and respond to individuals exercising their rights under the GDPR could constitute a breach of the GDPR and result in a significant financial penalty.
What do you need to do?
We would recommend that RSLs start making preparations now for the GDPR coming into force. The preparations in relation to the processing of tenants’ and employees’ personal data will be more extensive and should take priority in our view.
However, RSLs should start by mapping out all of the personal data they process for different categories of individuals, to come up with an action plan for their GDPR preparations.
In relation to sharing owners, shared equity owners and owners of factored properties, we would recommend that RSLs undertake the following two-step process:
- Undertake a legal review of any current and template agreements to determine whether these need to be updated in light of the GDPR. Following such review, RSLs should adopt a new template for individuals signing up to new agreements in advance of 25 May 2018; and
- In relation to current agreements, the GDPR sets out specific information that RSLs will need to provide to individuals for whom they process personal data in the form of a “privacy notice”. We can assist RSL clients to prepare appropriate privacy notices for issue to individuals in advance of 25 May 2018.
This blog originally appeared on the Harper Macleod website.