The General Data Protection Regulation (GDPR) is a regulation in EU law which aims to 'give control back' to citizens over their personal data.

It comes into force from May 25, and affects all companies processing the data of EU residents. Penalties of up to 4 per cent of worldwide turnover, or €20 million - whichever is higher, are threatened for non-compliance.

The GDPR also brings a new set of "digital rights" for EU citizens in an age when the economic value of personal data in the digital economy has increased – and has become highly publicised with the Facebook data scandal hitting media headlines.

Richard Truman, Head of Operations at Simple Landlords Insurance, said: “GDPR will affect all businesses – and that includes landlords, letting agents and other property professionals. It means changing how you store personal data in your business, and we know that lots of landlords aren’t ready for the changes later this month.

“However, it’s definitely time for action and not panic.

“The Information Commissioner - the Government body responsible for implementation of GDPR in Britain - has plenty of powers at its disposal already, but usually focuses on help and guidance rather than sanctions. Only those who have ignored advice and warnings usually end up being fined.”

Research in February found that nine in ten businesses and charities have not even begun to prepare, and only 38 per cent of UK companies have even heard of GDPR.

Key features of GDPR include:

  • You must have a valid lawful basis in order to process personal data – including tenant details.
  • Long illegible terms and conditions full of jargon will be banned - and customers will have the right to request confirmation as to whether or not personal data concerning them is being processed and for what purpose.
  • When requested, companies are required to provide a copy of the personal data, free of charge, in an electronic format.
  • Customers (including tenants) have the right to request their data be removed and further distribution ceased in specific circumstances (e.g. where the individual withdraws consent).
  • Online identifiers such as IP addresses, cookies and tags also fall under the remit of 'personal data', so collecting them is processing personal data.
  • Notifiable data breaches need to be reported to a data protection authority and the people affected within 72 hours, where feasible - or risk penalties.
  • Companies are advised to document their processes involving personal data in the first instance; only once this has been done can processes become compliant.
  • They should also work out which third parties they exchange personal data with to ensure both parties are compliant. Existing privacy policy should then be reviewed in conjunction with the above two points.

For more information, take a look at the GDPR Myth-Buster blogs on the ICO website: