Introduction
The European Union has introduced measures to protect the right to privacy for every EU resident with the General Data Protection Regulation (GDPR) which will take effect from May 25, 2018. In a nutshell, EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed. Moreover, these rules specify how the EU personal data laws apply even beyond the borders of the EU. Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data.
How will UK membership of the EU affect GDPR?
The UK is not scheduled to leave the EU until 29th March 2019, so all ‘Data Controllers’ and handlers (explained further below) will need to be compliant. GDPR principles are also likely to be part of necessary UK data protection reform. So it’s still better to work to GDPR compliance regardless of what happens after brexit.
Inventory Hive’s Pledge
At Inventory Hive we take our users data protection very seriously, as we do with all aspects of compliance within our platform. Regardless of GDPR, we have been registered with the Information Commissioner’s Office (ICO) since 2016 (registration number ZA203072) and abide by their data protection best practice guidance. We have never shared any of our data subjects (tenants, landlords, letting agents, property managers, purpose built accommodation providers) personal data with any third parties and we never will. In fact, we only collect and process personal information for the legitimate purposes of delivering market leading paperless accommodation inventory software (e.g. approval requests and important software update notification emails).
How has Inventory Hive prepared for GDPR?
Our user base has grown significantly over the last two years. To ensure continued and stable growth we see GDPR as a positive step forwards to further enhance our data handling reputation. As a ‘Data Processor’, we have taken the following steps to ensure we’re ready:
- Enhanced data integrity and security using encryption methods with redundant server backups.
- Implementing explicit ‘Privacy Policy‘ guidance on how personal data will be used.
- Implementing explicit ‘Terms of Service‘ of contractual use.
- Implementing explicit ‘Cookie Policy Terms & Conditions‘.
- Training for all our sales and support advisors to provide end-to-end security.
What does this mean for Inventory Hive users?
As ‘Data Controllers’ our users are responsible for compliance with data protection principles and must be able to demonstrate the steps taken to ensure compliance. For instance, storing data relating to tenants personally identifiable information should only be retained for a period that can be deemed as a legitimate business purpose.
How might a legitimate business purpose look when using Inventory Hive? To draw comparison, Home Office right to rent guidelines clearly stipulates that ID documents stored for occupants (e.g. passport and driving licence) should be retained for a period of 12 months after their tenure has ended. As Inventory Hive (Data Processor) is unaware of when the occupants tenure ends, the responsibility of deleting the personal data lies with the Inventory Hive user (Data Controller).
To summarise, all our users should ensure they have received the relevant GDPR training to enable compliance of regulations in effect from 25th May 2018. The fines in-place for non-compliance can be as much as €20 million or 4% of annual turnover.
Where should I go if I have general GDPR questions?
If you’re part of a trade body like ARLA then specialist training and advice specific to your industry will be available. Aside from such channels, you can also find out more and have your questions answered by visiting the ICOs Contact us section with live chat, email or helpline.