Mr Cooper, you are a man after my own heart - although I have mastered the art of blogging (he said, modestly), the world of electronic data and communication moves at a dizzying pace and it's difficult to keep up.
Many of our landlords prefer more traditional methods of record-keeping, and while there is a lot to be said for the convenience and traceability of computer communications, I can understand why you prefer to keep it primarily paper-based too.
I won't claim to be a GDPR expert and would urge you to use this article as a guide and a signpost rather than an instruction manual - consult a professional data protection expert for any major decisions or strategies in this area.
However, I consider the pointers below to be a good start in wrapping your head around what's expected of you and some good sources of further information.
General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It came into effect on May 25th 2018.
Firstly, if you haven't already (and unless you are exempt), you need to pay a fee to the Information Commissioner's Office (ICO). For sole traders and very small operations, this is usually an annual fee of around £40.
Take the ICO's self-assessment quiz here to check if this fee applies to you.
Secondly, I believe there is no need to computerise your data if your current systems are working well for you. As long as you document and monitor your data activities, I see no reason why a paper-based system puts you at a disadvantage in terms of GDPR.
You are considered to be the Data Controller for the personal information you handle in relation to letting out your houses. It's your business and it's you making the final decisions on what data is processed and what's done with it.
As an agent, my company acts as Data Processor for our landlords. Both have important responsibilities in how we collect and use personal information.
The Information Commissioner's Office (ICO) explains:
From your letter it sounds as though you are managing the properties yourself, but if you do opt to use an agent to manage your properties, make sure they have robust data protection systems in place - ask them to talk you through the policies and procedures they have in place.
Once you've paid your fees and figured out what hat is worn by whom, it's time to map out exactly what personal information you process. Personal information is any information that can be used to identify an individual.
This can include (but isn't limited to):
Then make a list of any sensitive information you might collect - that's personal information that can identify someone's racial or ethnic origin (not nationality), political opinion, religious or philosophical belief or trade union membership, genetic data biometric data, data concerning health, or sexual orientation.
This can include (but isn't limited to):
For each piece of information you collect from tenants and potential tenants, you should map out its journey through your business (even if you are a one-person operation) - write it all down.
Once you've done this, congratulations - you just performed a full audit of your data processing activities.
You also now have a very useful reference document for both assessing and demonstrating your GDPR compliance.
In a word, no. You can, but you don't have to by law.
There are 8 lawful bases for processing personal data:
You are processing it in the performance of a contract and also as a legitimate interest.
I hope this has been useful to the rest of the blog's readers. Important to note I received and replied to this question before the legislation came into effect. I get a lot of questions and try my best to answer them all, so the blog's content slots fill up rather quickly.
I felt it was worthwhile sharing my response as there are still people wrapping their heads around the rules and getting their houses in order.
Are you one of them? Do you have any other questions or want to share your experience of GDPR as a landlord that others could learn from?
Drop me a line to the usual address - firstname.lastname@example.org