A recent investigation has revealed that many businesses are failing to take basic steps to comply with current law and best practice, and as a result are putting both their clients and themselves at risk.
But that’s not all – the new Right to Rent rules could catch out many landlords and their agents, and forthcoming new EU law will mean getting it wrong could be very costly indeed.
In January 2016 the ICO, the body responsible for regulating data protection laws in the UK, published a report that identified common themes and challenges faced by residential sales and lettings agents in complying with the Data Protection Act 1998 (DPA). Among other things, the ICO found that most agents:
- Did not have a data protection policy or train staff about data protection
- Were unaware of the legal requirement to have information security clauses in written contracts when sending personal information to maintenance contractors
- Had insufficient security in place for manual records containing personal data
- Did not provide enough information about how they were going to use the personal information they collected
- Kept personal information for longer than necessary
In addition, of those agents contacted by the ICO, none that permitted staff to work from home had a remote working policy outlining staff responsibilities for personal data in these circumstances, and none provided guidance for staff on how paper documents and mobile devices should be stored off-site or secured in transit.
In December 2015 the EU reached agreement on the much-anticipated General Data Protection Regulation (GDPR), which will replace the UK’s Data Protection Act 1998 and come into effect in 2018.
The GDPR will change the legal landscape of data protection in the UK. It creates new rights for individuals and imposes new obligations on organisations that collect and use personal information. The impact it will have on property managers, valuers and lawyers should not be underestimated.
As ever with new legislation the devil is in the detail, and those details (and there are a lot of them) are still emerging. What we do know so far is that getting it wrong will, potentially, be very costly.
First, in some circumstances there will be a legal obligation to notify the Information Commissioner’s Office (ICO) – the body responsible for regulating data protection laws in the UK – that a data security breach has occurred.
Second, the GDPR increases the maximum fine for breaching data protection law from £500,000 to 4% of turnover, which means that any business with a turnover of more than £12.5 million will face a higher maximum fine than it does today.
Third, depending on what exactly has happened, it will be obligatory in some circumstances to also inform those whose personal information has been compromised. Think about what that would do for your business reputation – remember TalkTalk?
However, there is some good news, as it will no longer be necessary to ‘notify’ (register) with the ICO, and the £10 fee for responding to access requests will be raised in some circumstances for some organisations.
There is, of course, much more to say and much more to digest about these far-reaching reforms.
Businesses have just over two years to gear up for the profound changes in the way they collect and use data.
So, with many already not getting it right and the risks of getting it wrong increasing, it seems 2016 is the year to take data into the boardroom.
Robert Walsall, Consultant Solicitor, and Claire Halle-Smith, Solicitor, at Brethertons. The company is staging a ‘Property Management Unwrapped’ conference on 24 and 25 June.