It’s finally here. As from today the EU General Data Protection Regulation (GDPR) applies throughout the European Union.

Any entity that “processes” personal data will be subject to the GDPR. “Processing” is widely defined and catches virtually anything an entity does with data, from collection and storage through to analysis, sharing and destruction.

The GDPR only applies to “personal data”. Personal data is any information relating to an identifiable natural person such as name, identification number, location data or online identifier. Certain types of data are more sensitive than others, including data relating to health, race, ethnicity and biometric data.


A “data controller” is a person or entity who decides how and why personal data is processed. Data controllers will be directly liable for data processors and are directly responsible for compliance with all aspects of the GDPR. A “data processor” is a person who processes personal data on behalf of a data controller.

Under the GDPR, a data controller is required to enter into a contract with the processor which imposes certain obligations on the data processor.


With common property ownership structures, the beneficial owner is likely to be different from the legal owner and decisions over the asset are likely to be shared between the asset manager and the property manager.

In these circumstances, each entity may have its own data protection responsibilities and should analyse what data is being collected and by whom, whether it is personal data, what the purpose of having the data is, and who is making the decisions as to how it is used, in order to establish who is the data controller and who is the data processor.

Although management agreements between asset owners, asset managers and property managers can helpfully clarify the role of each party in relation to data protection and compliance with the GDPR, ultimately the identity of the controller/processor is a question of fact.


Data controllers have extensive obligations in relation to personal data, including an obligation to notify individuals how the data controllers use the data. This information is often included in a privacy notice and no-one can have escaped the flurry of e-mail activity as entities update these privacy notices to comply with the GDPR.


Where there is a “personal data breach” the data controller must notify the Information Commissioner’s Office (ICO) of the breach within 72 hours of becoming aware of it. The data controller must also notify the individual of the breach where the breach would be likely to cause a high risk to the individual’s rights and freedoms; this notification may be given by a public communication.

In contrast, a data processor simply has to notify the data controller without undue delay after becoming aware of a personal data breach.


The consequences for breach of certain provisions of the GDPR are eye-wateringly high. Fines may be levied of up to:

• 20m Euros; or, if higher,
• 4% of annual worldwide turnover.

In relation to some other breaches, the ICO may impose sanctions of up to 10m Euros or, if higher, up to 2% of an undertaking’s total worldwide turnover.

And it won’t stop here. In the UK, when the new Data Protection Act is enacted, it will broadly implement the GDPR and it will continue to apply after Brexit, so future-proofing the transfer of personal data between the UK and EU.