Quick Start Guide for Landlords. Starting a cybersecurity GDPR audit

Quick start guide for landlords on putting together a cybersecurity GDPR audit

As block managers, landlords or property managers, you hold personal information on your residents and leaseholders.

When it comes to making sure internal policies for GDPR are implemented, we’d recommend conducting security audits to identify any vulnerabilities, whilst ensuring compliance.

By identifying and documenting the types of personal data you collect as a business, then defining the purpose for handling each data category and assessing the lawful basis for processing, you take a systematic approach to ensuring transparency and compliance in accordance with Article 5(1) of the UK GDPR*.

GDPR’s seven key principles

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

You might consider putting a GDPR audit together via the following steps:

Transparency and the law

Determine what information you process and who has access to it by conducting an information audit.

Have a legal rationale for what you are doing with your data. Only collect what’s needed for a specific purpose, i.e. don’t collect data “just in case”.

In your Privacy Policy, ensure you provide explicit information about your data processing and its legal justification.

Data Protection

From the moment you start offering a service to the moment you process data, data security should be one of your business’s top priorities.

Personal data should be encrypted, perhaps pseudonymised, or anonymised whenever possible.

Create an internal security policy for your employees and raise data security awareness through training.

Know when it is time to conduct a data protection impact assessment and have a plan in place to carry it out and evidence it.

In the event of a data breach, have a procedure and controls in place to notify the authorities and your data subjects.

Governance and accountability

Assign a processor or controller to be in charge of ensuring GDPR compliance throughout your company, and communicate with your residents to let them know their data is safe.

Sign a data processing agreement between your company and any third parties and contractors you work with, who handle personal information on your behalf.

A Data Protection Officer (DPO) should be appointed, if necessary. There are three instances where the UK GDPR requires companies to appoint a DPO, namely where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

The ICO’s DPO checklist provides further help, and you can also use the ICO’s guidance to check whether you need a DPO for your specific property management company.

There are also some occasions where an organisation may voluntarily appoint a DPO. A GDPR audit will determine whether you require a DPO and how a DPO can fulfil their responsibilities in line with Article 39 of the UK GDPR.

Right to privacy

Your residents can easily request and receive all of the information you hold on them. Leaseholders have the right to request that inaccurate personal data be rectified. This request can be made verbally or in writing, and can be directed to anyone in the organisation.

Make sure that your residents are able to obtain a copy of their personal information that you hold in a format that can be easily read and also has the ability to be transferred to another company, if needs be.

Breaches

If a resident believes their data protection rights have been breached, they can complain to the landlord or managing agent, and can request an investigation by the Information Commissioner’s Office (ICO), or take civil proceedings.

In summary, when it comes to staying compliant and headache-free, it is better to get your ducks in a row as early as possible.

You may already have taken up the Government’s Cyber Essentials programme. Cyber Essentials is a government backed scheme that helps protect your organisation, whatever its size, against a whole range of the most common cyber-attacks.

*Article 5(1) of the UK GDPR requires that personal data shall be:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Please use our Quick Start Guide in conjunction with your overall Cyber Security Policies, Procedures and Controls.

If you need help with updating leases and property law legislation, please do contact me for a chat; my experienced and professional team of lawyers are here to help.

Laura Severn

Laura Severn - About Author

Laura has worked within the property management industry for quite a few years now and loves seeing it develop and grow. Over the years she has developed and managed arrears collection teams for service charge and ground rent arrears, and advised on many property management issues and service charge dispute cases. Laura's email address is laura.severn@lmp-law.com.
