The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will immediately apply throughout the European Union.
In the UK, when the Data Protection Act 2018 is enacted, it will replace the current data protection legislation and will broadly implement the GDPR. The new Act will continue to apply after Brexit and will future-proof the transfer of personal data between the UK and EU.
Any entity that “processes” personal data will be subject to the GDPR. “Processing” is widely defined and catches virtually anything an entity does with data, from collection and storage to analysis, sharing and destruction.
The GDPR only applies to “personal data”. Personal data is any information relating to an identifiable natural person, such as a name, identification number, location data or online identifier. Certain types of data are more sensitive than others, including data relating to health, race, ethnicity and certain biometric data.
Key points
The European General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
Real estate entities will be affected if they process “personal data”.
“Personal data” is information relating to an identified or identifiable person.
A “data controller” decides how and why personal data is processed and is directly responsible for compliance with the GDPR, including responsibility for the processing carried out by its data processors.
A “data processor” collects and processes the data on behalf of the controller; processors have more limited direct obligations under the GDPR.
How is real estate affected?
As well as traditional property management information, the surge in proptech, coupled with a vision of smarter, more agile working, has prompted the growth of flexible, multi-purpose space and the development of sophisticated building management systems that harness personal data to increase building efficiency.
In multi-occupied buildings, personal data might be gathered via security systems which depend on knowing the identity and movement of personnel and often deploy CCTV cameras. In the retail sector, personal data might be collected from customers to help both landlords and retailers provide a tailored shopping experience.
Other examples of personal data include the names and addresses of residential tenants and guarantors. In recent years there has been a surge in investment in the private rented sector and student housing, resulting in a parallel increase in the volume of personal data being collected.
On developments, sub-contractors provide employment details of personnel working on site, or there may be a flow of personal data between the various parties to the development.
Who controls the data?
A “data controller” is a person or entity who decides how and why personal data is processed. Data controllers will be directly liable for data processors and are directly responsible for compliance with all aspects of the GDPR, for example providing appropriate notice to individuals, ensuring there is a legal ground for the processing, responding to requests from individuals to exercise their rights over their personal data, carrying out data protection impact assessments in certain circumstances, keeping personal data secure and accurate, not using it for purposes that are incompatible with those for which it was collected, only keeping it for as long as necessary, not collecting more than is necessary, and complying with the rules around transferring data outside the EEA.
A “data processor” is a person who processes personal data on behalf of a data controller. Under the GDPR, a data controller is required to enter into a contract with the data processor which imposes certain obligations on the data processor. Establishing who is the data controller and who is the data processor is an important part of the data protection process as the data controller will be responsible for personal data in the data processor’s hands.
Complex ownership structures
With complex property ownership structures, the ultimate owner will often be different from the asset manager and the property manager. For example, a pension fund is administered by trustees who employ an asset management company to decide how and what properties to invest in.
In these circumstances, each entity may have its own data protection responsibilities and should analyse what data is being collected and by whom, whether it is personal data, what the purpose of having the data is, and who is making the decisions as to how it is used, in order to establish who is the data controller and who is the data processor.
Although management agreements between asset owners, asset managers and property managers can clarify the role of each party in relation to data protection and compliance with the GDPR, ultimately the identity of the controller/processor is one of fact.
Lawful grounds for processing
Processing of personal data is only lawful if:
the person to whom the data relates has given consent to the processing;
the processing is necessary for the performance of a contract with that person;
processing is necessary to comply with a legal obligation to which the data controller is subject;
the legitimate interests of the data controller/third party necessitate the processing and those interests are not outweighed by any detriment to the person;
processing protects the vital interests of that person; or
it is necessary for reasons of public interest.
Under the GDPR, the threshold for establishing consent will be higher than under the current regime. Consent should generally not be included in written documents that concern other matters (eg leases). Silence, pre-ticked boxes or inactivity will not amount to consent. The strict requirements for consent make it an unattractive ground to rely on particularly as consent can be withdrawn at any stage.
Data collected as part of managing a building, such as CCTV footage, keyholder details or personnel data for security passes, will often be justified by the legitimate interest of the data controller in preserving the security and value of the asset. Monitoring of footfall in retail centres may likewise be carried out in the legitimate interest of maximising the value of the asset, provided the data is used solely for that purpose.
However, wherever legitimate interest is relied on, it will be important to ensure that steps are taken to mitigate any risks to the individual.
Putting people in control of their data
One of the principles behind the GDPR is to give individuals more control of their data. New rights for individuals include a right of access to the data; the right to have any inaccurate or incomplete data rectified; a right to restrict processing in certain circumstances, which means that the controller can continue to store the data but may only process it in limited circumstances; a right to erasure (the “right to be forgotten”); a right to data portability, meaning that an individual can obtain a copy of their personal data in a machine-readable format and transmit it to another data controller; and a right to object to the processing.
Privacy notices
Data controllers have extensive obligations in relation to personal data, including an obligation to notify individuals of how the data controllers use the data.
This information is often included in a privacy notice. For example, a privacy notice relating to the use of CCTV might be a sign on the side of the building. Privacy notices are also often displayed on the controller’s website.
Where a data controller has no direct relationship with the individual (for example, with a customer in a shopping centre), the data controller may want to control the wording of any privacy notice displayed at the property by third parties (for example, any notice advising the use of CCTV) to ensure that it is sufficiently widely drafted to satisfy the data controller’s extensive legal obligations.
Record keeping and accountability
Under the GDPR, data controllers will no longer have to register with the Information Commissioner’s Office (ICO), although they will still have to pay a fee.
They will also be subject to record keeping requirements in relation to their data processing activities and must make their records available to the ICO on request.
Data controllers must also be able to demonstrate compliance with the data protection principles. This will be easier for entities that have properly documented procedures. Third parties who process data on behalf of a data controller must keep similar records.
Cyber security
Although the draft Data Protection Act 2018 does not specifically single out cyber security, by implementing the GDPR standards it requires organisations that handle personal data to evaluate the risk of processing such data and implement appropriate measures to mitigate those risks.
For landlords and tenants with linked building management systems, this will be a particular concern, as a data leak affecting one party will also affect the other.
A combined data breach policy, including identifying the individuals or teams who will take the lead in responding to a breach, should be considered.
Contractual obligations in leases could require the tenant to report a breach to the landlord as soon as the tenant is aware of it, and to assist the landlord with gathering information necessary to comply with the breach notification requirements.
Data breaches
Where there is a “personal data breach” the data controller must notify the ICO of the breach within 72 hours of becoming aware of it.
The data controller must also notify the individual of the breach where it is likely to result in a high risk to the individual’s rights and freedoms; this notification may be given by a public communication.
In contrast, a data processor simply has to notify the data controller without undue delay after becoming aware of a personal data breach.
Sanctions for non-compliance
Breaches of certain provisions, including those relating to the basic principles for processing, individuals’ rights, or transfers of personal data to a third country, may result in fines of up to:
€20m; or, if higher,
4% of worldwide turnover.
In relation to some other breaches, the ICO may impose sanctions of up to €10m or, if higher, up to 2% of an entity’s worldwide turnover.
Nine steps towards GDPR compliance
Assess who is the data controller and who is the data processor by reviewing what personal data is collected by whom, and who is deciding on why it is used.
Review management agreements between asset owners, asset managers and property managers and document the respective data protection obligations.
Assess the type of personal data being processed and the legal grounds for processing that data.
Assess where the data comes from, and how it is stored, used and shared.
Conduct a data protection impact assessment for any high-risk processing to assess whether there are any gaps between current analysis and GDPR requirements.
Review privacy notices.
Assess whether you can comply with the new individual rights in relation to data, such as the right to be forgotten.
Assess whether cyber-security measures are up to scratch and keep them under review.
Adopt a data breach policy, including who will take the lead in responding to a breach.
Jane Dockeray is a PSL counsel and Nick Westbrook is an associate at Hogan Lovells