GDPR: WHERE ARE WE NOW?
With thanks to Cassandra Zanelli, Partner & Head of Property Management, PM Legal Services.
25th May 2018 is a date that’s indelibly etched on everyone’s memories as the milestone when the General Data Protection Regulations (GDPR) came into force.
In the days, weeks and months leading up to the GDPR deadline, organisations up and down the country were busy preparing for its implementation by reviewing their data protection policies and procedures, working out their position as data controller or processor, making sure their employees were suitably trained and communicating privacy information with individuals about whom they were processing data.
It was certainly a full-on period for all organisations, not least managing agents!
But now, nearly a year on from the introduction of GDPR, where are we with data protection? What’s changed - or, perhaps more pointedly, what should have changed that hasn’t? What’s been the impact of GDPR? And what do managing agents need to do to ensure ongoing compliance?
Above all, it’s not just what’s changed for managing agents in terms of their internal processes and procedures, but rather how far has data protection progressed generally now that GDPR has had time to ‘bed in’.
As the information commissioner sets out on its website, data protection is all about ensuring people can trust you to use their data fairly and responsibly. The regime in England and Wales is set out in the Data Protection Act 2018 along with the GDPR. Rather than setting down ‘hard and fast’ rules, the data protection legislation that we have in place is a more flexible, and risk-based approach. This means that it puts the onus on organisations to think about why they use data, and to justify how and why that data is used.
GDPR applies to personal data. This means information about a living individual. For managing agents, this might be leaseholders, subtenants, employees, other members of the public, etc.
It’s important to note at this juncture that the information doesn’t have to be ‘private’ information. Even information which is public knowledge can be personal data.
Almost anything that managing agents do with data counts as processing which is wide-ranging and includes collecting, recording, storing, using, analysing, combining, disclosing or even deleting information.
The GDPR sets out key principles, which should lie at the heart of each managing agent’s approach to managing personal data. These principles require that personal data should be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals
2. Collected for specified, explicit and legitimate purposes (not further processing in a manner that’s incompatible with those purposes)
3. Adequate, relevant and limited to what’s necessary in relation to the purposes for which the data is processed
4. Accurate, and where necessary kept up to date (every reasonable step must be taken to ensure that the personal data is accurate)
5. Kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data is processed (this is commonly referred to as the storage limitation principle)
6. Processed in a manner that ensures appropriate security of the personal data (including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).
As data controllers, managing agents are responsible for - and must be able to - demonstrate compliance with those key principles.
This means they must:
1. Identify valid grounds under the GDPR for collecting and using personal data (in other words agents need to show that they have a lawful basis)
2. Use personal data in a way that’s fair and not in a manner that’s unexpected or misleading to the individuals concerned, and
3. Must be clear, open and honest with individuals about how their personal data will be used.
Dispelling some myths
In the days and weeks leading up to GDPR there were many ‘myths’ doing the rounds in relation to what GDPR meant for organisations generally, and specifically what it meant for managing agents.
So, let’s look at some of those myths, and see what can be dispelled.
It’s all about consent
GDPR requires managing agents to have a lawful basis for processing personal data. However, there are six lawful bases available and no single basis is “better” or more important than the others. Which constitutes the more appropriate depends on the purpose for which managing agents are processing the data - and the relationship with the individual concerned.
Consent is only one of the bases. The six lawful bases are as follows:
1. Consent. This applies where the individual has given clear consent for you to process their data for a specific purpose
2. Contract. This is where the processing is necessary and free for a contract you have with the individual, or because you’ve been asked to take specific steps before entering into a contract
3. Legal obligation. This is where the processing is necessary for you to comply with the law
4. Vital interests. This is where the processing is necessary to protect someone’s life
5. Public task. This is where the processing is necessary for you to perform a task in the public interest or for your official functions
6. Legitimate interests. This applies where the processing is necessary for your legitimate interests (or those of a third party), unless there’s a good reason to protect the individual’s personal data which overrides those legitimate interests.
When we are talking about how managing agents are processing the personal data of leaseholders and subtenants, etc, the guidance issued by ARMA indicates that the lawful basis is likely to be either contractual or legitimate interests.
Consent is unlikely to be an agent’s lawful basis, not least because it can be withdrawn at any time. Imagine the scenario where an agent relies on consent for processing leaseholders’ personal data, and then has to pursue that leaseholder for breach of their lease. How might that work if the leaseholder then withdraws the consent for the managing agent who processed their data?
Agents should look at their lawful basis (or bases) for processing personal data, and make sure they are still appropriate. As a reminder, the ARMA Guidance Note F03 on data protection provides some useful information.
Subject access requests have to be in writing
The right of access (or subject access requests) was revamped under the new rules. Individuals have had a right of access since the Data Protection Act 1998, but when exercising the right previously they had to pay £10, and the recipient of the request had 40 days to respond.
This all changed with GDPR.
Firstly, there’s no requirement under the Data Protection Act (or GDPR) for a subject access request to be made in writing. An access request can be made orally and might even be made via social media. The request doesn’t have to be made to a specific person or contact point. It doesn’t even have to include the phrase ‘subject access request’, so long as it’s clear that the individual is asking for their own personal data.
This can present a challenge to managing agents, as any of an agent’s employees could receive a valid request. If agents haven’t given training to their employees who regularly interact with individuals, then it’s advisable to do so at the earliest opportunity.
In its guidance, the Information Commissioner’s Office (ICO) suggest that organisations might consider designing a subject access form that individuals can complete and submit electronically. Although they aren’t compulsory, if you can encourage individuals who make a subject access request to complete a standard form it might make life a whole lot easier for everyone involved.
A fee can’t be charged unless the request is manifestly unfounded or excessive. And an agent must act on the subject access request ‘without undue delay’, and at the latest must provide the information within one month of receipt of the request.
If agents process large amounts of information about an individual, it is possible for the agent to ask them for more information to clarify their request.
Perhaps one of the thorniest areas of GDPR is the storage limitation principle which means that managing agents mustn’t keep personal data for longer than they need it.
In practice, this means that agents will need to think about (and be able to justify) how long they retain personal data.
Managing agents should avoid retaining data for an indeterminate length of time, but instead ought to be thinking about what data they hold, and why it needs to be kept. Agents should have a policy setting out standard retention periods, which will then help to demonstrate that they’ve complied with the principle on storage limitation.
This means that agents will need to review the data they hold on a periodic basis, and erase or anonymise it when it’s no longer required.
In summary, agents need to make sure they have policies and processes in place which:
a. Set out their standard retention periods for data, and
b. Deal with periodic reviews of that data, with a view to erasing or anonymise it when it’s no longer needed.
I’m GDPR compliant, I don’t have to do anything else
Compliance with data protection isn’t a ‘once and for all’ process but an ongoing obligation. Organisations that might have been compliant on 25th May 2018, could now find themselves being non-compliant in certain areas.
The overarching message is that data protection is a living and evolving process which requires periodic review. It needs you to conduct periodic training on yourself and your staff. Data protection policies and procedures cannot be drafted and then placed on the shelf to gather dust. They need to be regularly reviewed, updated, and improved upon.
In the countdown to GDPR’s first anniversary, now is a good time for managing agents who haven’t revised their policies, practices and procedures lately to dust them off, check and review that they’re still representative of what agents are doing and how they’re processing data - and also to conduct refresher training for staff.
How will Brexit impact on GDPR?
One of the questions that repeatedly came up at the series of ARMA GDPR training courses that I presented last year was Brexit, and whether GDPR ‘went away’ with Brexit.
It doesn’t, because we have the Data Protection Act 2018 which requires the implementation of GDPR as outlined above.
To help maintain an element of clarity on the way forward, the government have published an updated guidance for stakeholders setting out the proposed changes to data protection legislation if the UK leaves the EU on 29th March 2019 without a deal in place.
It includes a summary and illustration of how the government intends UK data protection law to work, particularly in the ‘no deal’ scenario.
The guidance states that the fundamental principles, obligations and rights that organisations and individuals have become familiar with will stay the same, but changes are necessary to ensure the regime operates effectively in the UK post Brexit. The guidance proposes:
1. The preservation of EU GDPR standards in domestic law
2. The recognition of all EEA countries (including EU member states) and Gibraltar as “adequate” to allow data flows from the UK to Europe to continue on a transitional basis.
More information on details laid out by the government in the event of a ‘no deal’ Brexit can be found here: https://www.gov.uk/government/publications/data-protection-law-eu-exit/amendments-to-uk-data-protection-law-in-the-event-the-uk-leaves-the-eu-without-a-deal-on-29-march-2019.
Irrespective of the constantly shifting Brexit backdrop (no doubt by the time this article is published, the winds will have changed once again) I urge managing agents, in their roles as data controllers, to remain focused on the key principles to processing personal data as outlined above.
With the Information Commissioner’s Office (ICO) dealing out punitive sanctions and fines of 4% of annual global turnover or €20 million – whichever is greater – for businesses falling foul of GDPR laws, demonstrating compliance remains critical.
 Set out in article 6 of the GDPR