The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing the Data Protection Act 1998. Every public and private organisation in the UK, including RSLs (Registered Social Landlords), will have to comply with the Regulation, which governs how organisations collect, process and handle personal data.
What are some of the main changes?
- Notice of the purpose of processing data
There will be greater emphasis on giving individuals notice before you collect their personal data, explaining exactly what data you are collecting, what you will do with it, and why you need it.
- A lawful basis, including proper consent, to process an individual's data
You will need a lawful basis for every processing activity. Consent is one such basis, but it is not the only one: processing that is necessary to perform a contract with the individual (such as a tenancy agreement) or to comply with a legal obligation does not rely on consent. Where you do rely on consent, it must be given 'freely' and through a 'clear affirmative action', and the individual can withdraw it at any time. This matters in practice: if a person refuses to give consent, that would not by itself entitle you to refuse a service such as a tenancy. If a prospective tenant refused to provide information, you could only refuse them a tenancy if you could show that the information you were requesting was strictly necessary to provide that tenancy, in which case the lawful basis is contractual necessity rather than consent.
- Changes to subject access requests
Individuals will still have the right to request the personal data you hold about them. However, these requests will have to be dealt with within one month rather than 40 days, and you will no longer be entitled to charge the £10 fee; a reasonable fee may only be charged where a request is manifestly unfounded or excessive, or for further copies of the same data.
- Right to be forgotten (right to erasure)
An individual can request that you delete the personal data you hold on them, for example where the data is no longer needed for the purpose it was collected for, or where they withdraw the consent the processing relied on. You will be permitted to keep the data only where you can show a continuing lawful reason to retain it, such as a legal obligation or the establishment, exercise or defence of legal claims.
- Appointing a Data Protection Officer (DPO)
All public authorities will need to appoint a DPO. As RSLs are still regarded as private organisations, they will only be required to appoint a DPO if their core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data). The DPO's role is to monitor compliance with the GDPR, advise the organisation and its staff, and act as the point of contact for the regulator and for individuals. Accountability for compliance, including the duty to report breaches, remains with the organisation itself; the DPO is not personally liable for the organisation's failures.
- Reporting data breaches
Personal data breaches will have to be reported to the regulator (in the UK, the Information Commissioner's Office) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. Where a breach is likely to result in a high risk to those individuals, they must be told as well, without undue delay. You must keep a record of every breach, including those you decide not to report, so that you can show the regulator the reasoning behind that decision. Penalties for non-compliance can be up to 4% of annual worldwide turnover or €20 million, whichever is higher.
If you would like us to assist you in ensuring your organisation complies with the GDPR then please contact our experienced team.