Smart meters in residential property, remotely controlled heating or access to your doorbell camera could give rise to data protection questions. Collecting the vaccination status of your visitors means that you are processing special categories of personal data subject to a stricter legal regime.
The Information Commissioner's Office (ICO) is particularly vigilant when it comes to the use of CCTV and, more recently, facial recognition and biometric verification technologies in real estate.
When does data protection apply?
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 impose certain obligations on "controllers" and, to a lesser extent, on "processors". Controllers are responsible for compliance with the data protection principles, while processors follow the controller's instructions.
"Personal data" is any information about, relating to or affecting the individual. For example, technical energy usage data could reveal an occupier's location or be used to infer information about their daily routine and habits.
Owners, landlords and leaseholders will likely be controllers if they collect personal data in connection with their property. For example, a commercial property owner might operate a CCTV system on its premises. All image data collected by the system will constitute personal.
On the other hand, a property management company may interact with tenants as processors on behalf of the landlord, for example, by collecting a form of acceptance for a proposed maintenance project. In this instance, the names, addresses, signatures and other personal data will be passed on by the processor to the landlord who is the responsible controller.
Controllers will be responsible for their processors. If sensitive occupier data is disclosed to a malicious third party due to the processor's negligence, if data becomes unavailable due to a system fault or if excessive location data is collected, this could result in liability for the landlord or property manager. This is why service providers must be chosen with care, subject to appropriate due diligence assessments and data processing agreements.
Key steps towards GDPR compliance
GDPR compliance requires some key steps and initial investment in policies, procedures and training.
· Carry out a data map and understand your personal data.
· In respect of each activity, establish why you process personal data and on what lawful basis.
· Update your privacy notices and make them easily accessible by all individuals.
· Implement appropriate data protection policies and procedures and provide training to staff.
· Designate suitably skilled staff to look after your data protection compliance.
· Review the reliability of your third parties and enter into appropriate agreements.
· Review your data sharing arrangements and assess each law enforcement access request on a case-by-case basis.
· Ensure that personal data transferred outside the UK is appropriately safeguarded and that the transfer is lawful.
· Keep a record of your assessments, such as legitimate interest assessments, transfer impact assessments, data protection impact assessments, data breach log, information security assessments, etc.
· Implement state of art information security measures to safeguard personal data including regular monitoring, logging and testing.
· Consider data protection implications early in projects.
· Implement a responsive complaint handling and data protection rights process.
· Register as fee payer with the ICO.
· Monitor the effectiveness of your compliance framework.
Property transactions require careful assessment and allocation of data protection responsibilities between the parties to help deal with unexpected situations, such as a data breach or a high volume of data access or objection requests from tenants.
