by Jen Lemen
Hot Topic Highlight - Ready for 2018? General Data Protection Regulation (GDPR)
Building a better you
Property Elite’s sole aim is to build better property professionals - supporting your career every step of the way, whether you are completing a RICS accredited degree course, your RICS APC or simply seeking engaging CPD.
Our Hot Topic Highlight blog posts will arm you with information on the hottest topics - ready to tackle an important client meeting or begin revising for your RICS APC final assessment.
This blog article will focus on what you need to know about the General Data Protection Regulation (GDPR). This is relevant to all property professionals and will be a hot RICS APC topic for Session 2 2017 onwards.
Relevant RICS APC competencies
- Data management
- Property records/information systems
Why is this relevant?
GDPR (an EU Regulation) and the Network & Information Security Directive (NISD, an EU Directive) were both published in May 2016 with the aim of improving data protection and security for EU individuals. GDPR builds on the principles of the Data Protection Act (DPA) 1998 and, being a Regulation, applies directly in the UK from 25 May 2018; the Data Protection Bill supplements it in UK law. We therefore need to prepare now to avoid business disruption and ensure compliance.
The importance of data security is confirmed by Verizon’s 2016 Data Breach Investigations Report, which notes that ‘no locale, industry or organisation is bulletproof when it comes to the compromise of data’.
In this article, we will consider:
- What is the DPA 1998?
- What are the 8 key DPA principles?
- What is GDPR?
- When will GDPR apply from?
- Who does GDPR apply to?
- What data will be affected?
- What are the key principles of GDPR?
- What are the 8 individual rights under GDPR?
- How do DPA and GDPR differ?
- What are the penalties for non-compliance with GDPR?
- What about Brexit?
- 10 tips to comply with GDPR
What is the DPA 1998?
The DPA 1998 came into force in March 2000 to provide protection to individuals in respect of personal data held by companies. Most UK property companies/consultancies will process personal customer data, so they will need to comply with the DPA.
Those falling under the DPA are known as data controllers, i.e. any company/professional who decides how and why clients’ personal data is stored and used to perform business activities. Unless an exemption applies, data controllers must notify the Information Commissioner’s Office (ICO) and pay an annual registration fee.
What are the 8 key DPA principles?
- Information must be processed fairly and lawfully - have a lawful basis (such as the individual’s consent, or the need to perform a contract with them) for collecting and holding personal data, and tell people what you are doing with it
- Information collected must be processed for limited purposes - the purpose of why the data is held must be specific and confirmed to your clients
- Information collected must be adequate, relevant and not excessive - only store the information you need at this point in time
- Information collected must be accurate and up to date - check the accuracy of information and keep personal data up to date
- Information must not be held for longer than is necessary - regularly review information held and securely destroy data which is no longer required (bear in mind the Limitation Act 1980: claims in simple contract can be brought for 6 years, and 12 years where a deed is involved, so records supporting your advice should be kept at least that long)
- Information must be processed in accordance with the individual’s rights - clients have a right to access the data you hold
- Information must be kept secure - data security is an absolute must; lost, leaked or corrupted data could lead to a Professional Indemnity (PI) insurance claim
- Information should not be transferred outside the European Economic Area (EEA) unless adequate levels of protection exist - don’t store data overseas (including with cloud providers) unless adequate safeguards are in place or another permitted basis, such as the individual’s consent, applies
What is GDPR?
Essentially an update of the data protection regime the DPA 1998 implemented, extended to cover modern data, technology and ways of working.
When will GDPR apply from?
25 May 2018.
Who does GDPR apply to?
Data controllers and processors. The former control how and why personal data is processed, the latter act on behalf of the controller.
If your data processing activities are covered by DPA, then you will also likely fall within the scope of GDPR. In simple terms, additional obligations are placed on those holding personal data by GDPR, over and above the DPA 1998.
What data will be affected?
- Personal data - this goes further than the DPA to include online identifiers, e.g. an IP address, cookie identifier or location data, where they can be linked to an individual.
- Sensitive personal data (called ‘special categories’ of personal data under GDPR) - some minor changes to the DPA, including the addition of genetic and biometric data.
It covers both electronic information and manual records held in a structured filing system, which could include business cards and written records.
What are the key principles of GDPR?
Article 5 of GDPR confirms that personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
What are the 8 individual rights under GDPR?
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
How do DPA and GDPR differ?
- An explicit accountability principle - you must not only comply with the GDPR principles but be able to demonstrate that you do (e.g. through records of processing and written policies)
- Tougher penalties for non-compliance
- Wider definition of personal data
- Non-EU organisations offering goods or services to, or monitoring the behaviour of, individuals in the EU will need to comply
- Parental consent required where consent is relied upon to offer online services directly to children under 16 (member states may lower this age to 13, and the UK Data Protection Bill proposes 13)
- Where consent is the lawful basis, it must be a clear affirmative action, i.e. silence, pre-ticked boxes or inactivity do not equal consent!
- Personal data breaches must be notified to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the risk is high, the affected individuals must be told too
- Risk-based reviews (Data Protection Impact Assessments, the GDPR term for Privacy Impact Assessments) must be undertaken for high risk activities
- Right to be forgotten introduced
- Requirements for electronic data portability if a data request is submitted
- Compliance/privacy by design must be included within systems and processes, including staff training and contractual clauses
- Additional liabilities placed on both data controllers and processors
What are the penalties for non-compliance with GDPR?
Fines of up to the greater of 4% of annual global turnover or €20m for the most serious breaches (a lower tier of up to 2% or €10m applies to other infringements).
In the worst cases, this could lead to insolvency so early preparation to comply with GDPR is essential. We understand that the highest penalty issued by ICO to date is £400k.
What about Brexit?
Irrespective of Brexit, the UK Government has confirmed they will be implementing GDPR.
10 tips to comply with GDPR
- Prepare now to ensure compliance by May 2018
- Assess any privacy risks inherent in business processes/activities
- Involve IT support to make appropriate changes
- Provide staff training and support on data security
- Appoint a Data Protection Officer if required by GDPR (public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data)
- Ensure you have adequate systems to deal with a breach and subsequent notification to the ICO (within 72 hours)
- Do your systems comply with all GDPR principles, including the right to be forgotten?
- Keep your IT security up to date, e.g. software patching, virus/malware protection and disk encryption, on desktops, laptops and mobile phones
- Ensure any data already held is up to date and compliant with GDPR
- Can you release personal data promptly if a subject access request is made? (within one month under GDPR, down from 40 days under the DPA)
How can I find out more?
- Read more about the DPA 1998
- Read the full ICO GDPR guidance
- Listen to some TED talks on data
- Read the RICS advice on keeping good property records
- Read the RICS Electronic Document Management guidance note (no longer available to download on the RICS website, still available to purchase or check it out on iSurv)
Want to know more?
- Book your RICS APC final assessment review & feedback service here - there is limited availability so contact us before it's too late
- Check out our RICS APC Revision Conferences (Bristol/Manchester/London) and Mock interview availability
- Contact us on 07491 252 025 / firstname.lastname@example.org for your free & friendly 30 minute RICS APC consultation
- Make sure you sign up for your free CPD certificate
Stay tuned for our next blog post to help build a better you