Contents
General
Data Protection Regulation
The right to see personal
information and when and with whom it was shared.
The new EU General Data Protection Regulation (GDPR) expands the rights of individuals to control how their personal data is collected and processed.
You must send everyone a policy document that explains how you use their personal information and, as of 25 May 2018, you need permission from your customers to use their personal data for what we’ll refer to as “discretionary services” – that is, share their personal information with 3rd parties or use the information you have for purposes beyond contract fulfillment and legal obligation.
For example you may have a landlord’s contact details in Rentman in order to produce agreements, notices and send invoices and management statements – all legitimate usage for which you need no consent; but you now need explicit consent to use that same contact information to, for instance, cross-sell insurance.
The standard Rentman policy information letters will list all ‘services’ you use and, separately, those that require consent.
An
important distinction here is if a 3rd party (e.g. brief your
market, fixflo, contractors, referencing agency etc) are “processors” rather than “controllers” - that is
they are processing the data on the agency’s behalf for contractual fulfillment
- then specific consent is not required. This may seem to counter the "if
you share the data you need consent" notion but
if the 3rd party are not deciding what gets done and not contacting the person
on their own behalf (i.e. they are not controllers) you haven't really shared
it. Rentman will always record what got sent and when in the spirit of
transparency.
You
do not need a tenant or landlord’s consent to share their contact information
with, for instance, a contractor… as that is considered ‘contract
fulfillment’ - BUT you need to be sure,
and have signed agreements in place, with every one you share information with
that the ‘processor’ will abide by GDPR regulations, not use that contact
information for other purposes and will remove it upon request.
1. Someone within your company should be designated as a “Data Protection Officer” – there is a new checkbox in the admin tab of the user preferences to indicate this.
2. In Rentman’s main menu click the Misc/Discretionary Services (GDPR) option and make sure you add any services/usage for which you need to notify the person or which needs explicit consent; mark those requiring consent as ‘consent required’. Each service can be marked with the type of person it applies to (landlords, applicants, tenants etc) and is used to compile a specific “privacy policy” for each contact type.
N.B. Rentman will have inserted some standard defaults but
each data protection officer MUST
compile the agency’s own list of services. The default services and the default
letters themselves are only examples; you must seek legal advice before sending
your privacy notices.
3. You need to send an email to every tenant, guarantor, permitted occupant, applicant, landlord and contact notifying them of the uses their contact info will be put to and requesting their consent where required. Rentman has a set of template documents (one for each role/privacy policy) to be emailed called “GDPR consent for discretionary services - role“ – you can customise them in the normal manner if required.
a. To notify and get consent from all existing customers use the File/Bulk Email option in Rentman’s main menu.
·
Select all tenants, all
applicants, all landlords or all contacts and select the appropriate
“GDPR consent for discretionary services” document then click the email button
b.
For individual customers (and
on an ongoing basis) find their GDPR page and click the “Request Consent”
button (an email dialog will appear based on that document template).
(where you have multiple applicants or multiple landlords on a single record you can also “get” and “receive” consent for each individual by clicking the + button)
4.
When people reply to the email you
should find their GDPR page in Rentman and click the “Receive Consent” button
· If you are using MS outlook you can drag and drop the email anywhere into Rentman; it will try and match the sender to the customer in question and bring up the ‘receive consent’ form automatically
· If you have set Rentman to receive emails direct from your mail server and you have set yourself as a Data Protection Officer Rentman will automatically search the journal for new consent emails and bring up the receive consent dialog if it can match the sender’s email address with an email address in Rentman.
5.
In the ‘receive consent’ window you should select those
services the customer has consented you share their personal information with….
Be certain that all services ticked
have been agreed to and appear in the email.
· If rentman has automatically brought up this window the text of the email should already be in the notes
· if the notes are empty and you are using MSOutlook drag and drop the email into this window and it will copy the email text in for you.
· It is always best to allow rentman to copy the email across as it will also include the email’s header – and this may help confirm the receipt of consent if there is a dispute.
· Otherwise you should type (or copy and paste) the customer’s consent yourself.
· If the consent is a scanned document or PDF file you can attach it as proof by clicking the ‘attach’ button
6. If someone does not give consent when consent is required for their personal information to be shared with a 3rd party and Rentman would otherwise upload this data from 25 May 2018 the data sent will be obfuscated – that is the receiver knows there is a tenant or landlord or whatever but the personal information (e.g. contact details) is replaced with gibberish.
As of 25 May 2018 any individual for whom you hold personal information can ask to be removed from your system. Do NOT delete them.
In Rentman you “remove” them by finding their GDPR page and clicking the “Forget” button.
The record is not deleted and it will
continue to appear in your Rentman history but it is rendered anonymous and all
contact information overwritten. Note : documents in the customer’s journal will remain
unchanged and continue to show any contact information (until the automatic
delete below removes them).
You have the ability to refuse to ‘Forget’ a customer “for the exercise or defence of legal
claims” – you should seek your own legal advice but, for instance, our legal
advice tells us you should retain information relating to agreements and
notices (e.g. tenant and landlord details) for at least 6 months after a
tenancy has ended.
If you
‘forget’ someone and Rentman sends data to 3rd parties (including fixflo, brief your market etc)
the data sent will also be anonymised.
Rentman will automatically ‘forget’ people and remove their journal history from rentman (including agreements, invoices and notices) according to preferences you set.
Go to the ‘Extended Options’ tab in your company preferences screen (under System, Options in the main menu).
You will see the options that are available for automatic removal. Set any option to zero to disable it.
For applicants (both sales and lettings) you can select the following options.
· Forget Applicant
· Delete Journals (except legal documents and invoices – see below)
If you don’t find a property for an applicant they will be forgotten the specified number of months after the date they first contacted you. The default is 6 months.
A lettings applicant who becomes a tenant will have their applicant record removed after that many months but of course they now become subject to the tenant’s GDPR policies.
A sales applicant who entered an offer with you will have their details forgotten that many months after a sale is complete or an offer is rejected.
For landlords you can select the following options:
· Forget Landlord
· Delete Journals (except legal documents and invoices – see below)
·
Forget Prospective landlords
If you enter a landlord into Rentman but their property is not let by you (i.e. they remain a prospective landlord) Rentman will forget their details the specified number of months after they first contacted you.
If you are successful in letting out a landlord’s property they will be forgotten that number of months after the last tenancy has ended.
For vendors you can select the following options:
· Forget Vendor
· Delete Journals (except legal documents and invoices – see below)
·
Forget Prospective vendors
If you enter a vendor into Rentman but their property receives no offers through you (i.e. they remain a “prospect”) Rentman will forget their details the specified number of months after they first contacted you.
If you are successful in getting an offer they will be forgotten that number of months after a sale has completed or an offer is rejected.
For tenants et al you can select the following options:
· Forget Tenant
· Delete Journals (except legal documents and invoices – see below)
· Remove Right to Rent documentation
Tenants, guarantors and Permitted Occupiers will be forgotten the specified number of months after a tenancy has ended (and the tenancy is archived in Rentman).
The right to rent legislation requires agents keep for 1 year after the end of the tenancy any documentation. Inherent in GDPR is the notion that you shouldn’t keep information longer than necessary…. so Rentman will automatically delete the documentation.
For Contacts you can select the following options:
· Forget Contact
· Delete Journals (except legal documents and invoices – see below)
Contacts will be automatically forgotten the specified number of months after they contacted you unless they are referenced in Offers and Tenancies (i.e. they are solicitors or other agents).
Legal Documents will be deleted from Rentman’s journal a specified number of months after a tenancy has ended.
These will be deleted from Rentman’s journal a specified number of years after they were created. The default is 6 years
The GDPR tab on each
landlord/applicant/tenant etc has a ‘Report’ button.
Click that and Rentman will create a report with the data dumped from the underlying
database table in plain text. It will also include :
·
Journals (and attachments)
·
Jobsheets (and attachments)
·
References
·
Bank Transactions
Note. every journal; the rentman.online ‘tenantvisible’
and ‘landlordvisible’ checkboxes have no effect here!
Before creating the report Rentman will show all items
in a grid and you have the option of removing them if
the items contains sensitive information for someone other than the requester
(a sharer perhaps).
You can remove all bank transactions with
one button. If transactions were imported using open banking or file import they may well show personal information and should be
included. But, depending on the reason behind the request, they may not be
required.
The report and any attachments are encrypted in one
.ZIP file that is uploaded to a Rentman website (the file is likely too large
to email).
A download link and password are sent to the requester
in separate emails.
For safety reasons
this zip file is protected with AES 256 bit encryption
which Windows itself cannot open – they will need to use a 3rd party
application such as WinZip, WinRar or 7Zip.
You can customize the cover note sent with
the download link
email by downloading (or creating your own) document “GDPR SAR
Notes”.