GDPR Privacy Notice H E L P p l e a s e


    It would seem that within six weeks all landlords holding so much as a tenant's phone number and email address, let alone copy driving licence, passport or National Insurance number must both register with the Information Commissioner's Office AND SERVE A NOTICE ON EVERY TENANT concerning that their data is kept secure. Some of the provisions are pretty unworkable but the penalties are needless to say stringent. Has anyone got a template Privacy Notice? If so please post it here. Thanks. I think the intention is that people don't have the right to part with this sort of information, sell it to marketing companies, which to me seems obvious but the compliance requirements are just another huge layer of red tape with which to comply.

    #2
    It's been the case for years that landlords should register as data controllers with the ICO and confirm with people they collect data from what they will and won't do with the data.

    So there's no more red tape than there's always been.

    As you can imagine, all landlords don't register and those that have been penalised for that omission number in the zeroes...
    When I post, I am expressing an opinion - feel free to disagree, I have been wrong before.
    Please don't act on my suggestions without checking with a grown-up (ideally some kind of expert).



      #3
      You should have received a notice from your bank recently. If not have a look at their website. I have used the one my bank sent me as one of the templates for mine. Basically, I have been saving them up and am now writing mine based on the 3 or 4 that made most sense to me.

      Not sure you will need to register as a data controller, I know I don't have to. But you can phone the ICO helpline and they will talk you through it all, apparently!




        #4
        Yes quite understand we have to register, have been registered for years. I am looking for a template letter to send out to cover the requirements. Even holding data in paper makes us a "data processor". If someone gives me their business card, daft as it may sound, I have to ask them if it is ok to hold the data. What a load of complete bo**ocks!!
        The people it is designed to catch are those sending out mountains of spam.



          #5
          There isn't a template out there, unfortunately. I am on the committee of our local business club, a member of various networking orgs, FSB etc etc. Nobody has a 'template'. But lots of people have a lot of utterly impenetrable, scary sounding bumf that they are foisting on businesses they succeed in scaring, often charging highly for the 'service'.

          In truth there isn't much to it, if you do not do a lot of telemarketing and collect a lot of data. Your Privacy Notice should include this sort of thing:
          You identify what personal data you hold: telephone numbers with names as ID, named email addresses (no 'enquiries/admin @' types, they don't count); bank details, addresses, IP addresses etc etc etc.
          - why do you have them?
          - Is your purpose current and legitimate?
          - do you have explicit permission to hold that data?

          Where do you keep that data?
          - is it secure?
          - if online are they GDPR compliant?

          How long do you keep it, why and how do you destroy it?

          Do people know they can ask you to identify / correct / destroy / pass on to third party at their request?

          By the time you have done all of that, and made a note of having done it, you should have met the GDPR requirements for a non marketing company. It's the first part that is the nub of it. Website host, phone provider, cloud storage, any Apps /software and hard copies, diary, address book, filing system etc etc.

          As I said, I used the one my bank sent out as a template, figuring they would have had a lot of legal input!

          When their GDPR notice goes live, on the 25th May, I'll use that to check mine too!



            #6
            What do landlords do with information held on ex-tenants? Are they required to destroy it once a tenancy ends? Do they keep it for six years after a tenancy?



              #7
              Ah, so a measure intended to cut down on junk mail results in ... more junk mail.

              I ignore anything as ridiculous sounding as this.



                #8
                Originally posted by MW1985
                What do landlords do with information held on ex-tenants? Are they required to destroy it once a tenancy ends? Do they keep it for six years after a tenancy?
                My notice says that I will keep all documents for 6 years and 1 day after the end of tenancy. That means I am having to go back and re-name a few folders, so I can zap the contents without having to think too much.

                JKO, I am so tempted to just ignore it. But, as I am also a craft seller and have seen what happens when HMRC and/or the 'copyright police' catch up with people, I am just a little bit motivated to spend an hour or so making myself GDPR compliant.



                  #9
                  Originally posted by Stef Cooke

                  My notice says that I will keep all documents for 6 years and 1 day after the end of tenancy.
                  That is a bit restrictive. It means you have to delete at a particular time.

                  My rules are "no more than 7 years after end of tenancy or completion of any legal action arising from the tenancy", so I have a year to get round to deleting.



                    #10
                    Ooh! You are quite right! I try to get a few people to look at anything I write, I spent far too long lecturing, writing funding bids etc. Specific timeframes and pedantry a speciality

                    I thought I had broken the habit, but, as you have clearly pointed out, I haven't - yet!!



                      #11
                      I've just had a very detailed email this morning from the NLA about this, and how from 21 May you can no longer create ASTs etc online with them:

                      "In order to comply with GDPR requirements, we are unable to store your tenants’ personal information. Hence we have had to take the decision to suspend the ‘Create Online’ functionality from NLA Forms (where you could input tenants' data to forms via our website), and instead offer a range of downloadable forms for you to edit offline. These will be available by the end of the month.

                      We have also had to remove any populated tenancy forms we currently store on your behalf. If you wish to retain any forms, documents and agreements stored on our website you will need to download them by 21st May 2018. Please see here for a guide on how to do this."

                      "As a landlord you handle your tenants’ data. By law, this classifies you as a data controller, and as such you have a responsibility to handle your tenants’ personal information in an appropriate and lawful manner and are obliged to comply with GDPR. We understand it can be a confusing topic, and difficult to know what you should be doing and when you should be doing it by."

                      It also says we need to register with the ICO and costs £40.



                        #12
                        Ye gods! That isn't what is supposed to happen!! The NLA should be able to arrange their "Create" so it complies, they only need a privacy statement and a secure online host! Like any other server. What about all the other lettings Apps, like inventories etc? They aren't just shutting up shop, forcing everyone to revert to paper based working again!



                          #13
                          The NLA (and a lot of other organisations) have a big issue with the GDPR.

                          When you are a data processor (which they would be in the activities described), they have to have a contract in place with the data controller (who is the landlord) which complies with the GDPR guidelines - essentially making sure that the data controller's obligations are met.

                          Controllers' instructions with processors have to be documented.

                          As the NLA can't rely on landlords even registering with the ICO as data controllers, they've just accepted as a given they won't contract with the NLA properly as a data processor.

                          They had the same issue with the DPA but everyone just kind of ignored it.

                          Under the DPA the liability for not doing that was with the data controller.
                          It seems less certain with the GDPR where the liability lies for non-compliance.
                          When I post, I am expressing an opinion - feel free to disagree, I have been wrong before.
                          Please don't act on my suggestions without checking with a grown-up (ideally some kind of expert).



                            #14
                            I was unsure what to do with all this. I signed up and paid the £35 to register and one tenant I emailed them and said look it up but any data I have on them won't be shared with anyone without their permission but my accountant I said I would give their name to him just to say who was making payments and I gave the T the registration number to confirm I signed up with the ICO. They were happy for me to do this but my other tenant is not too clever and does not have an email address and barely knows how to use a mobile phone so I might type up some letter explaining what it's about and see if he will sign it.



                              #15
                              The biggest change in the new regulations is the potential penalties (up to 4% of turnover), which is why large organisations are rushing to comply.

                              Landlords have always been required to register as a data controller (and I am registered and comply with the regulations).
                              (Obviously, I'm not the only one, but how many others?)

                              But I am not sending letters to my tenants, as it would simply confuse them.

                              The ICO (and the EU) aren't concerned with my tiny business and the tiny amounts of data I hold.
                              I don't have any data that isn't physically locked away or hidden behind passwords.
                              I don't hold more than I need.
                              I destroy data I don't need from time to time (usually as part of an annual tidy up).
                              I'd happily tell anyone who asks what data I hold on them and correct it if it's wrong.

                              These are the people who the act is targeting.
                              http://www.informationisbeautiful.ne...reaches-hacks/

                              I'm not suggesting anyone follows my example, it's a terrible idea and you should comply with the legal requirements in full.
                              When I post, I am expressing an opinion - feel free to disagree, I have been wrong before.
                              Please don't act on my suggestions without checking with a grown-up (ideally some kind of expert).
