What does GDPR mean for your business?
What does GDPR mean?
As of 25 May 2018, data protection law is changing to the EU GDPR. The team at James Laurence have made a number of changes that some landlords and property owners may not be aware they have to make too.
The new regulation will focus more on documentation and procedures, reshaping how organisations approach data privacy and look after clients’ information. Many organisations would be forgiven for thinking that GDPR focuses solely on data from customers, but they will need to demonstrate accountability for how they store all their data, whether it is from suppliers, employees or tenants.
What does GDPR entail and what will you need to be aware of?
The official EU GDPR website states that the main aim of GDPR is ‘to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.’ Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to bring legislation up to date with technological advancements. Here are the top changes to be aware of:
- Increased Territorial Scope (extra-territorial applicability)
This will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
- Penalties
Under GDPR, organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements. There will be a tiered approach to fines.
- Consent
Companies can no longer use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form. In addition, it must also be easier for people to withdraw consent.
- Breach Notification
Breach notifications will now become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.
- Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain confirmation as to whether or not personal data concerning them is being processed and for what purpose.
- Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data Protection Officers
DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences.
So, to answer the earlier question, GDPR means a lot, especially as the fines for failing to comply are so great, even for smaller businesses. EU GDPR does make allowances for smaller businesses, but it still imposes hefty fines for those that don’t make changes. Article 30 outlines that DPOs are only a requirement for businesses with over 250 employees, but businesses with under 250 employees still have to make everyone aware of breaches in data security, allow individuals to exercise their right to be forgotten and enquire as to how their data is being used, so make sure you have processes in place to make this job as easy as possible.
What does GDPR mean for landlords and property owners?
Estate Agent Today recently reported on how GDPR would affect the property sector. They called on the expertise of Adam Rose, a partner in the Mishcon de Reya law firm, who outlined the changes below, which may prove useful:
- Firstly, Rose says the definition of ‘personal data’ not only covers names, addresses and telephone numbers, but also IP addresses and other online identifiers. “So if you provide free Wi-Fi in your building, and collect the IP addresses of all users, this will be caught by the GDPR,” he says.
- Secondly, GDPR now applies to ‘data controllers’ and ‘data processors’. “So, if a property manager is given the contact details of every person working or living in a building, or has the record of every person’s entry and exit in the building, they will be caught by the GDPR.”
- Thirdly, Rose writes that it is a common misconception that businesses always need consent to process personal data. “In fact”, he says, “they can rely on one of probably three other lawful bases for processing personal data. Most importantly, they might have a legitimate interest in processing the data, which is not outweighed by the individual’s data rights.”
The team at James Laurence are putting processes in place to ensure individuals can request access to their own data more easily. If you are a landlord or property owner, make sure you are doing the same and that all sensitive data is protected appropriately. Find all the details you need on the official EU GDPR website.