QUESTION
Can you please give advice on how Residents Associations and Management Companies will be affected and how they should handle the new General Data Protection Regulations?
ANSWER
As a general point all EU businesses will be affected by the General Data Protection Regulation (“GDPR”). Many of the GDPR’s main concepts and principles are not new—they are familiar from the Data Protection Act 1998. There are, however, some new elements and significant enhancements, meaning the property business will have to do some things for the first time and some things differently.
The driving aim of the GDPR is to protect individual’s data. Any business cannot deal with personal data simply because it wants to. Every element of data processing must be justified according to the GDPR.
The starting point for dealing with the GDPR in relation to any property business is to establish what personal data you hold, where it came from and who you share it with including if any direct marketing takes place. This is called a data mapping exercise and once completed, will then allow the property business to assess what processes and procedures need to be put in place to ensure compliance with the GDPR.
Once the data mapping has taken place, you can then establish the lawful basis for processing the data which in general may be pursuant to a contractual obligation either under the lease or another contract (say terms of business with the managing agent). If there are any gaps in relation to a lawful basis for processing personal data (e.g. someone living at the property who is not a party to the lease) these will need to be dealt with, for example, by way of data consent forms in order that the property company has the relevant rights to deal with the individual’s data.
The property company will need to review the current agreements and procedures in place to establish what changes will be required, plan the relevant changes and then implement them in a GDPR compliant manner.
Inevitably the property business will need to communicate its GDPR compliant privacy information to leaseholders, shareholders, residents, clients and other third parties as such it is likely that a new or updated privacy policy may be required. The new or updated privacy policy will need to include a statement of individual’s rights in relation to data protection.
Having advised a number of property businesses in relation to the GDPR, whilst the issues may seem daunting in practice once the data mapping exercise is completed, usually it is straightforward to deal with the issues arising from this but some changes to processes and procedures is likely to be required.
If you want to know more specifically about how you may be impacted as a business; click the link below to take our free, short and simple questionnaire. https://www.surveymonkey.co.uk/r/bolt-burdon- gdpr-questionnaire
Once completed you will receive an immediate score indicating how at risk your business might be. If you provide us with your contact details one of our lawyers will contact you directly and provide some pointers as to what practical steps you should be taking to minimise the risk of non-compliance.
Vincent Billings, Partner at Bolt Burdon
