GDPR - Four letters of fear for property businesses

GDPR is four letters of fear for many estate and letting agents coming to terms with the impact of new data protection laws on their businesses.

The General Data Protection Regulation is a new concept in law and turns some long-held rules on their heads.

One of the problems for letting and estate agencies that might also offer mortgage or financial advice is how long the new rules allow a business to keep personal data.

GDPR lays out six rules that define when a firm must delete or restrict the processing of personal data. At least one must apply to allow a data controller to process the information.

But to stay within the law, data controllers need to know what the six categories are and how they apply to their businesses.

How long can letting and estate agents keep data?

Here’s a run-down of the categories:

  • The data subject has consented to specific use of their personal information – No time limit is set, but financial and property firms should consider renewing consent every two years
  • Processing is necessary to perform a contract – typically letting and estate agents will work under this category to complete a sale or manage a letting property
  • Processing is necessary to comply with a legal obligation – This will vary between businesses as mortgage brokers and financial advisers will have to keep records meeting professional standards laid down by the Financial Conduct Authority and other regulators
  • Processing protects vital interests – unlikely to apply to letting and estate agents
  • Processing is necessary in the public interest – unlikely to apply to letting and estate agents
  • Processing is necessary for legitimate purposes – limited application but could come up if the data is accessed because of a complaint.

How long a property or financial firm can keep customer data depends more on the time limits within which the customer can make an official complaint or resort to legal action.

For instance, courts generally have a six-year limit on claims, as does the Financial Ombudsman.

The Property Ombudsman sets a 12-month time limit from the time a customer receives their final viewpoint letter.

For letting and estate agencies without a financial arm, the time for holding GDPR data is likely to be a lot less.

Complying with GDPR

Businesses must operate under GDPR from May 25, 2018.

By then, managers should have carried out a data protection audit and have procedures in place for managing data in line with the new rules.

Another place to watch for a potential data calamity is who your business swaps data with and how they comply with GDPR.

The new rules do not allow a business to assume GDPR compliance on receiving data – the same audit trail needs to be followed for internal and external data processing.

The UK Information Commissioner's Office will oversee GDPR and has published a guide and checklist for businesses getting to grips with the new rules.
