GDPR stands for General Data Protection Regulation. It is a set of regulations adopted by the European Parliament, Council of the European Union, and the European Commission designed to give European citizens greater control over their personal information. Essentially, it aims to streamline data protection regulations, creating a single framework that applies to both businesses and individuals across the continent.
Plans to reform Europe’s data protection policies started in 2012 when the European Commission proposed to bring the continent up to speed and ‘fit’ for the digital age. The reforms were not unfounded, considering that countries across the globe are rapidly becoming connected through the internet.
After four years, the GDPR was finally approved by the European Parliament. It was enacted on May 25, 2018.
Why is protecting data so important?
People’s lives revolve around data. From the social networking sites that they frequent to the online banking services that they use, almost every online service that people use involves the collection of personal information. A colossal amount of data such as names, addresses, phone numbers, credit card numbers, and more is gathered, analyzed, and stored every day.
It’s no secret that data breaches can happen. Cybercriminals or hackers can maliciously steal data that was never meant to be seen. Once the data falls into the wrong hands, damaging consequences such as the following can happen:
- Financial loss
- Reputational damage
- System downtime
- Permanent loss of data
Even established companies like Facebook and LinkedIn have experienced a data breach more than once — so, what’s preventing hackers from hacking into your data?
What types of data does the GDPR protect?
Article 4 of the GDPR defines “personal data” as “information relating to an identified or identifiable natural person.” Simply put, the GDPR protects information that pertains to a particular person. But does this mean that the GDPR is applicable only when the information points directly to someone, hence making them “identifiable”?
Not quite. Since organizations and businesses collect a variety of information, not every piece of data that they store may automatically individuate someone. For instance, a business may require its customers to declare their occupation when they sign up on their website. Evidently, someone’s occupation isn’t unique to them. There may be thousands of persons who share the same job title.
Similarly, names aren’t always unique. The name ‘Jane Doe’ may not be considered personal data under the GDPR because there are other individuals who share the same name. However, when this single piece of data is used alongside other relevant information (e.g., addresses, phone numbers, etc.), then it may be sufficient to identify an individual.
As you can see, it can be tricky to determine whether a piece of data is considered “personal data” under the GDPR. It would be best to consult a property manager or an attorney who is adept in data protection regulations.
Generally, however, the following types of data are protected by the GDPR:
- Basic information such as names, addresses, and telephone numbers
- Web data such as IP addresses and cookie data
- Data on one’s race or ethnicity
- Data on one’s sexual orientation
- Biometric data (e.g. fingerprints, typing cadence, etc.)
Which companies does the GDPR apply to?
Under the GDPR, organizations and businesses that retrieve personal data from customers from Europe or the European Economic Area (EEA) are legally obligated to keep their customers’ data secure.
If you’re wondering if the GDPR affects your rental business in the United States, the answer is yes. Any company, whether or not they are located in the EU, must comply with the GDPR. As long as your website collects and processes data from residents of the EU, you need to meet the GDPR’s conditions.
How can you comply with the GDPR?
When processing personal information from clients from the EU and the EEA, your website must meet these conditions to be considered compliant:
- What type of data will be collected?
- Why will the data be collected?
- Where will the data be stored?
- How will the data be processed?
- Who has access to the data?
If you’ve hired a property management company, you can ask their property managers for the exact information that your tenants will have to provide.
#2 Secure the data
Aside from identifying the type of data that you’ll be collecting, you should also create policies regarding how the data will be used and disposed of. If you’re self-managing, consider conducting training sessions for your staff. This will enable them to understand when they can legally retrieve and release sensitive tenant data. Additionally, make sure that your team knows what to do in the event of a data breach.
#3 Give control to your tenants
Your tenants, or your “data subjects”, should have complete control over their data. They should be able to:
- Retrieve their data from you
- Retrieve a copy of their data in digital file formats such as CSV
- Correct or update their data
- Request that you wipe their data
- Opt out of your data collection
Before retrieving data from your tenants, you should always obtain their clear consent. Make sure that the tenant understands why you need their data. Consider looking into consent management platforms (CMPs) if you’re retrieving tenant data through a website.
Data protection is not just something that protects your rental business’s valuable files. It is a legal obligation that can be tricky to navigate. If you fail to protect your tenant’s data, you might permanently damage your reputation, lose significant revenue, and face long-drawn-out lawsuits should your tenant find themselves a victim of identity theft.
Since it’s a complicated matter, you should consider hiring a property management firm that complies with data protection regulations. At Luxury Property Care, our property managers are well aware of how important it is to safeguard your tenant’s data. By partnering with us, you can benefit from having 24/7 security and contingency plans should there be a data breach.