There’s no hiding from the fact that GDPR is coming, and with it the biggest shake up to Personal Data laws in the last 20 years. There’s a lot of information to digest, so we’ve written a short series of articles to help guide you through the legislation and the things you need to be looking at ahead of 25th May 2018.
In this first of our series of articles we look at some of the key terms under GDPR.
There are many key terms under GDPR that you will need to be familiar with:
- Personal Data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This could include:
- Email address
- Location Data
- Online identifiers (e.g. IP addresses)
Don’t forget that you could be holding personal data in multiple places – software systems, emails, filing cabinets – it’s really important to do an audit so you know what you are holding, and more importantly whether that data is relevant or whether it is even necessary to hold that data.
Each person to which Personal Data relates is a Data Subject. Remember that you are likely to hold Personal Data relating to many different types of data subjects – Tenants, Landlords, Applicants, Vendors. Don’t forget that you will also hold Personal Data on employees.
- Sensitive Personal Data
It is unlikely that as an estate agent you will need to hold any sensitive personal data, which is defined as genetic data, and biometric data where processed to uniquely identify an individual.
Data on criminal offences has its own special category.
- Data Controller
A data controller determines the purposes and means of processing the personal data.
As the estate agent, you will be the Data Controller for the data you collect and hold on your customers.
- Data Processor
Data Processors are those who process data on behalf of the Data Controller.
Dezrez acts as a Data Processor on behalf of you, the estate agent. There could be any other number of processors that you utilise as an estate agent, including tenant referencing companies, other software providers, HR systems among others.
- Lawful bases of processing
To process Personal Data, you will need a lawful basis for processing that data.
There are six lawful bases for processing Personal Data, and no basis is better than any of the others. It is up to you to choose the most appropriate basis for processing that data. The six bases are:
- Consent
- Contract
- Legitimate interests
- Legal Obligation
- Vital Interests (unlikely as an estate agent)
- Public task (unlikely as an estate agent)
Depending on the data you hold and how you intend to use it, a single piece of data may have more than one basis for processing. For example, an email address may be:
- Used to confirm viewing appointments (contract)
- Used to upsell financial services (consent or another legal basis)
We’ll be talking more about lawful basis for processing in a future article.
- Individual Rights
Under the GDPR, individuals have a number of rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
- Privacy and Electronic Communications Regulations (PECR)
Alongside GDPR there is a piece of legislation called PECR. This governs electronic communications (email, text, phone calls, cookies). There is some overlap with the GDPR, and it’s important to understand (and comply with) both pieces of legislation.
Underpinning all of the data you hold is documentation – internal documentation recording:
- what data you hold and how you process, store and delete data,
- dealing with data breaches and subject access requests,
- as well as external facing policies.
Most organisations are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention; we call this documentation.
- Data Protection Officers
Only organisations with 250 or more employees need to appoint a Data Protection Officer; however, it is best practice to have a nominated internal contact to deal with GDPR issues, to whom all staff can refer.
Disclaimer: This article is based upon our understanding of the General Data Protection Regulation (GDPR). There are still some aspects of the GDPR which are undetermined or are awaiting guidance from the ICO. This should not be relied upon as legal advice nor how GDPR may apply to your organisation. We encourage you to work with a legally qualified professional to understand GDPR, how it applies specifically to your organisation, and how best to ensure compliance.