From 25th May 2018 the General Data Protection Regulation (‘GDPR’) is coming into effect and will have an impact on the way that organisations can handle personal information and the rights that individuals have in relation to their data.
At Rentshield Direct, we process personal data for referencing, insurance and marketing purposes, so we want to reassure you that we’re fulfilling our responsibilities when it comes to handling personal information.
GDPR outlines a set of data protection principles which organisations must remain compliant with and a set of rights held by individuals or “data subjects”. As part of the Barbon Insurance Group, we have an appointed Data Protection Officer who has worked with us to review our processes to ensure that we’re fulfilling our responsibilities when it comes to how we collect, store, process and share information.
In addition to this, each Barbon Insurance Group employee has undertaken a course and knowledge assessment to demonstrate that they understand the changes that have taken place and how this will affect them in their roles.
GDPR also enhances the standard of consent needed in order to process personal data, and specifically for data which is used for digital (i.e. email and SMS) marketing purposes. Businesses need to ensure that consent is obtained in a way which is clear, unambiguous and demonstrates an affirmative action, i.e. ticking a box to opt in. We’re pleased to say that Rentshield Direct’s current processes for obtaining marketing consent as a basis to contact tenants are already in line with the GDPR requirements.
Finally, you may be aware that we occasionally send out marketing and informative communications by post. We have a robust Supplier Selection Policy in place to ensure that any third parties who provide us with a service meet a set of requirements, with particular emphasis on data security. Rest assured that when we use a supplier for a task such as mailings, we will have assessed their processes and will be confident that they’re working in a GDPR compliant manner, and data securely provided to them will be handled as such.
I’m a letting agent – what do I need to do?
There are requirements that must be met before an organisation can begin processing data. These are as follows:
- Data processing agreements – processors may only process personal data on behalf of a controller where a written contract is in place which imposes a number of mandatory terms on the data processor, as set out in the GDPR
- Controller instructions – processors may only process personal data in accordance with the instructions of the controller
- Accountability – processors must maintain records of data processing activities and make these available to the supervisory authority on request
As a letting agent, you will handle data provided to you by tenants, guarantors, landlords and other individuals. We would suggest that you familiarise yourself with the GDPR data protection principles and the set of individual rights held by your customers, and if you haven’t already, carry out an audit of your data handling processes to ensure you remain compliant. You can find more information on this from the Information Commissioner’s Office who enforce the requirements of the GDPR.
It’s also important to note that the sanctions for serious data breaches under GDPR are more severe than under the current Data Protection Act. Fines of up to £17 million or 4% of global turnover (whichever is higher) can be imposed for serious breaches of GDPR, so we would advise that you implement a robust process for identifying and reporting data breaches and ensure staff are trained to understand the changes in legislation.
For more information on GDPR and your responsibilities, please visit ico.org.uk, where you’ll find a comprehensive introduction to GDPR.