In under a year’s time, on 25 May 2018, the EU’s General Data Protection Regulation (GDPR) will come into effect across the EU (including the UK – regardless of Brexit). The GDPR will have a significant impact on those who collect, use and otherwise process “personal data”. In a property context, that means landlords, their property managers and any of their contractors or sub-contractors.

Broadly, “personal data” means any information which relates to an identified or identifiable individual. It will include, for example, an individual’s name and contact details; it will also (usually) include information about their energy usage and the dates and times they enter / exit a building.

Property businesses increasingly want to collect and share more personal data, for a wider variety of purposes, than those associated with traditional building management. For example, personal data may be collected and used for the purposes of:

  • increasing the energy efficiency of buildings;
  • measuring energy usage, for example by installing smart meters;
  • sharing data as part of Smart City or Smart Building projects; and
  • generating revenue from data, by sharing it with third parties.

It is therefore essential that property businesses understand and comply with the GDPR, not least because there will be increased penalties for non-compliance, including (in the worst cases) fines of up to Euro 20 million or 4% of worldwide turnover.

Key areas of impact for property businesses The key areas of impact will be around:

  • rent and payments collection data;
  • energy usage data;
  • building and car parking security data;
  • property occupancy data; and
  • contracts between the property owner or fund manager and the property manager.

Next steps The key areas of impact highlighted above are just some of the considerations for property businesses. This guide and our checklist of key questions are designed to monitor your progress towards GDPR compliance.

With less than 12 months to go, property businesses must:

  • give careful consideration to what personal data they collect and how they use, share and otherwise process it;
  • review their existing property management agreements to ensure that they meet the more onerous requirements of the GDPR, and properly allocate risk between the property manager and the fund or business contracting with the property manager;
  • ensure that they have a GDPR-compliant privacy policy explaining (amongst other things) what personal data is collected, for what purposes and how it is shared; and
  • put in place those other policies, procedures and governance structures which will be needed – together with relevant training – to ensure on-going compliance.