The General Data Protection Regulation (GDPR) has applied across the EU since 25 May 2018, and significantly revised the regulatory system relating to data protection and privacy. The changes seek to align general data protection legislation more closely with the technological advances of the 20 years since the UK’s Data Protection Act 1998 came into force.
Individuals are now able to access and share their own and others’ personal information in ways which were previously unimaginable. It is also possible to collect and share personal data on an unprecedented scale and, while this can be for legitimate business purposes or to streamline daily living, the potential for misuse is huge. GDPR seeks to protect and regulate personal privacy rights across the EU and, alongside the Data Protection Act 2018 (DPA), forms the central core of the data protection regime in the UK.
Essentially, the new regime means that everyone responsible for using personal data has to follow seven “data protection principles”. The first six are set out in Article 5(1) of the GDPR, which requires “data controllers” (those that exercise overall control over the purposes and means of the processing of personal data) to ensure that personal data is:
- processed lawfully, fairly and transparently;
- used for specified, explicit and legitimate purposes;
- processed in a way that is adequate, relevant and limited to only what is necessary;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary;
- “processed in a manner that ensures appropriate security… including protection against unauthorised or unlawful processing… loss, destruction or damage”.
The seventh principle, accountability (Article 5(2)), requires the controller to be able to demonstrate its compliance with the other six.
There is stronger legal protection for more sensitive information (so-called special category data), such as race, ethnic background, religious and political beliefs, trade union membership, biometrics, genetics, sex life or orientation, and health, and separate rules for personal data relating to criminal convictions and offences.
The regime also provides individuals with more power to demand that organisations reveal or delete the personal data they hold. This includes the right to access personal data, have data corrected or erased, halt or restrict the processing of data, obtain information about how their data is being processed and, in some circumstances, object to that processing.
As landlords and managing agents handle their tenants’ data, they are legally classified as data controllers, which means that they are responsible for handling their tenants’ personal information in an appropriate and lawful manner and are obliged to comply with the data protection principles. It is quite possible that in the course of their work, landlords and managing agents will have obtained special category data, and they should therefore be mindful of their enhanced obligations in that regard.
As the new regime has applied since 25 May 2018, organisations, including landlords and managing agents, should already be well aware of their obligations. A tenant, or former tenant, is quite within their rights to request access to any data that is held, and can report any breaches (including a failure to provide information within the required time, which is generally one month) to the Information Commissioner’s Office (ICO). Organisations should therefore make sure that they are compliant with their obligations now, rather than trying to achieve compliance at the time of a request.
Nevertheless, despite best efforts, breaches can happen. Penalties under GDPR are significant, with the maximum fine now reaching the higher of €20m (£17.5m) or 4% of a company’s annual global turnover. And if that is not enough, in English law the penalties for breach of privacy are not limited to those covered by the general data protection regime. Depending on the nature of the breach, the legal arsenal can extend to claims for Defamation, Misuse of Private Information, Breach of Confidence and Harassment. In addition, a wronged party may not wish for the ICO alone to resolve data protection breaches, and might choose to bring an action for injunctive relief for breaches of the legislation to force a Defendant’s immediate compliance. As hinted above, this might not be simple to do at short notice, and could result in costly restorative work as well as legal costs.
Finally, it should be remembered that the right to privacy is encompassed within the right to private and family life ensured by Article 8 of the European Convention on Human Rights, brought into UK law by the Human Rights Act 1998 (HRA). The HRA applies to all public authorities, including government organisations, and so ensures that any government organisation that handles data must be mindful of the right to privacy when doing so. It also obliges the Courts to keep this right in mind when considering cases brought before them and determining any breaches. This means that, if in doubt, the Courts should weigh in favour of the aggrieved party with respect to privacy breaches.
If you feel that your privacy rights have been breached, if someone has alleged that you have breached their rights, or if you are otherwise struggling to comply with your obligations, please contact Rachel Waller (with respect to general breaches) or Michael Kashis (with respect to reviewing commercial contracts to ensure compliance of Data Processor and Data Controller obligations under GDPR).
For more general property dispute matters, please contact our expert Litigation and Dispute Resolution team on firstname.lastname@example.org or call them on 020 7631 4141.