UKC

Anyone understand GDPR?

This topic has been archived, and won't accept reply postings.
 Jamie Wakeham 22 Apr 2018

I'm struggling to understand the implications of the GDPR regulations, and I wondered if anyone here was better informed than I am?

I chair the management company that runs the private estate I live on.  I have an excel spreadsheet on my PC which simply contains house number - owner name - owner email address - tenant email address if applicable.  We've had real problems in the past with communicating with some owners, so it was made an estate rule last year that everyone had to supply an email address for estate communications.

Does this fall under GDPR?  It's not clear to me if it does or not, since there is no data held beyond names and addresses (I'm sure our agent holds much more as they process payments, but I'm not concerning myself about them - they can sort their own compliance out).

If it does - what do I need to do?  It seems I might need to encrypt the spreadsheet (fine).  But must I ask everyone permission to hold their email address?

 jezb1 22 Apr 2018
In reply to Jamie Wakeham:

My understanding is yes, you'll need permission from each person to hold their info.

 Billymo 22 Apr 2018
In reply to Jamie Wakeham:

As you say, the regulations are not clear, but I think you’d be wise to take as many precautions as possible. Better safe than sorry. Definitely password protect that document and store it somewhere safe. 

Having said that, GDPR focuses quite heavily on how you use the data. If you feel you have legitimate interest to store and use the information, for example if you are providing a service, you may be covered, although you may have to explain this to the regulators.

 

One thing you absolutely must do is have the ability to delete people from your list if they choose to ask for this.

 Philip 22 Apr 2018
In reply to Jamie Wakeham:

Not sure anyone does. Last week the nursery we use emailed all parents without bcc, so now everyone has everyone else's name and email.

 Oceanrower 22 Apr 2018
In reply to Jamie Wakeham:

How many houses are we talking here? If it's not too many, print the file off to a hard copy and delete the file. Problem solved.

 

 

4
OP Jamie Wakeham 22 Apr 2018
In reply to Jamie Wakeham:

Thanks, all.  It's 51 houses and flats.  I don't really fancy having to type the email addresses in each time I need to contact them, so the hard copy solution isn't great (and does it in fact sidestep GDPR?  I'd still have the data).

I'm not looking forward to having to send out an email saying "according to GDPR, I need to ask for your permission to keep your email address on file.  And, by the way, don't forget that it's an estate regulation that all residents give me an up-to-date email address."  Getting an accurate mailing list together was hard enough in the first place!

As an aside, Billymo - am I going to have to contact a regulator to explain what data I hold, then?

 FactorXXX 22 Apr 2018
In reply to Jamie Wakeham:

How did you get the information in the first place?
If you can prove that you obtained it in a fashion that meets the new regulations then you don't need to go through the process again.
If you can't prove it, then you'll have to do something to meet those requirements no matter how you store it.

OP Jamie Wakeham 22 Apr 2018
In reply to Jamie Wakeham:

I put a letter through every door, asking the owner to send me an email at a newly created estate email address.  They had to actively send that email, so perhaps that counts?

 Neil Williams 22 Apr 2018
In reply to jezb1:

He won’t.  He needs the information to do the management therefore has “legitimate interest”.  Consent is the last resort option.

Would be a good idea to encrypt the spreadsheet to reduce the chance of a breach though.  Excel will do this so dead easy.

 BnB 22 Apr 2018
In reply to Jamie Wakeham:

If you consider that you have a legitimate interest in holding the data then you do not need permission from the persons but you must record the nature of this interest. In this case it would seem to be the basic need to communicate estate management concerns to those occupying the estate.

It's not a marketing database just a list of interested shareholders, so I'd be surprised if you could not rely on the above.

The personal data is also not very personal is it? If you think the OIC is interested in your 50 email addresses while Cambridge Analytica's 2m UK targets' address books are being rifled for political advantage then it's time to chill out. The OIC is looking for gross exploitation of personal details for financial gain not your back of a fag packet list of a few co-tenants. 

Password protect your spreadsheet and sleep easy.

1
 Sharp 22 Apr 2018
In reply to Jamie Wakeham:

I would suggest the following:

- As others have said encrypt it and store it somewhere safe (pen drive in the safe for e.g.)
- add a column in the spreadsheet to record the date and method with which consent was given, i.e. consent requested by personally delivered mail on xx/xx/xx, consent given by return email on xx/xx/xx.
- put a document into your risk assessments/operating procedures  which details what info you hold, why you hold it, how long you keep it, how you get consent, what your procedure is  etc. i.e. basically just google gdpr summary and rewrite the main requirements as company policy.

I really don't think it's likely that small businesses will be getting dragged through the courts and provided you don't do anything stupid like refuse a request from someone then you'll be fine.

> "And, by the way, don't forget that it's an estate regulation that all residents give me an up-to-date email address"

That probably would be something to keep out of any documentation! Consent must be freely given.

Oh and there's no reason to print it out on paper, you're just creating more hassle and the same rules apply as far as I'm aware.

 balmybaldwin 22 Apr 2018
In reply to Oceanrower:

No it's not. It doesn't matter how the data is stored.

Essentially the OP needs to create a legitimate business use statement for the Management company that covers what data is held/collected, as well as how the data is used and then communicate this to the residents and seek their approval.

He'll also need to put in place a policy to delete data once no longer needed (i.e. when a resident leaves or within a reasonable period).

The whole thing is a PITA but may afford better data management for individuals

 FactorXXX 22 Apr 2018
In reply to BnB:

> If you consider that you have a legitimate interest in holding the data then you do not need permission from the persons but you must record the nature of this interest. In this case it would seem to be the basic need to communicate estate management concerns to those occupying the estate.

You do need permission and it needs to be an 'Opt In' option as opposed to an 'Opt Out' one. For example, in the case of an electronic form, a box will need to be actively ticked instead of a generic disclaimer at the bottom of a page. I assume that's why UKC asked everyone to re-submit their email addresses to get the News Letters.

 

Post edited at 13:12
2
 wintertree 22 Apr 2018
In reply to Jamie Wakeham:

My understanding:

Normally informed consent is required but where it’s bleeding obvious you need the data you can make a case for holding it without explicit consent.  Legal agreements entered into with the estate management company as part of their purchases may well form the basis of that.  

Paper or electronic media - this is irrelevant in terms of legislation.

Excel password protection is worthless.  I would use a properly encrypted drive.  If the files are breached it will likely be by malware not theft of media - so keep your computer clean.

You should have a simple document listing the kinds of data you hold and who you hold it on - this is likely not limited to (1) names, addresses and email addresses but also (2) electronic and paper correspondences and (3) invoices and accounts data.  Anything else you can think of.

As ridiculous as it would be in your case, you need to be prepared to honour a request for deletion of data, so keeping data organised and filed in a tidy way is important.

If you share any personal details with subcontractors think carefully about how much (little) to share and if you need consent to do so.  I can’t see it applying to your case but beware sharing with non GDPR compliant entities (from itinerant tarmac layers to US registered businesses).

As long as you don’t c—k up and breach someone’s privacy, the only risk I can see is if Arnold Rimmer lives on your estate and has it in for you.  From what little I know of managed estates and their politics...

 FreshSlate 22 Apr 2018
In reply to Jamie Wakeham:

Hi Jamie, 

Are you going to market to these people? 

If so you will likely need consent, at least for the existing residents unless you had a PECR compliant soft opt-in process when they entered into the contract with you.

If you are not, you may be able to rely on the lawful bases of either: legitimate interests, or in order to carry out your side of the contract.

If you decide on legitimate bases you will need to record a legitimate interests assessment, where you balance the interests of the data subject vs the interests of your company processing. You will also need to allow people to object to this processing and consider these objections.

If you go down the contract route you'll need to demonstrate why the processing is necessary to carry out *your* side of the contract. 

You will want to provide a privacy notice in either case (or update the privacy notice already provided to residents) and keep the data secure.

 

 

 

 

 BnB 22 Apr 2018
In reply to FactorXXX:

> You do need permission and it needs to be an 'Opt In' option as opposed to an 'Opt Out' one. For example, in the case of an electronic form, a box will need to be actively ticked instead of a generic disclaimer at the bottom of a page. I assume that's why UKC asked everyone to re-submit their email addresses to get the News Letters.

Incorrect. Have a read of this:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-r...

It opens thus, which sets the tone and the detail goes on to give multiple examples where consent is not required:

"It may be the most appropriate basis when:

  • the processing is not required by law but is of a clear benefit to you or others;
  • there’s a limited privacy impact on the individual;
  • the individual should reasonably expect you to use their data in that way; and
  • you cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing."
Post edited at 13:24
 FactorXXX 22 Apr 2018
In reply to BnB:

> Incorrect. Have a read of this:

Doesn't that rather depend on how you interpret 'Legitimate Interests'?
You might well be correct and the OP has a legitimate right to store email addresses as well as the house address which is in reality the only data needed.
However, you might also be wrong and I suspect that a lot of people might well try and use 'Legitimate Interests' as a loophole to effectively do nothing with the introduction of GDPR.  I also suspect that a lot of consultants are going to make a lot of money out of this...
As for the OP.  You've got the email addresses, why not email them individually and ask them to email you back their consent to store that information?
 

 

OP Jamie Wakeham 22 Apr 2018
In reply to wintertree:

> ...the only risk I can see is if Arnold Rimmer lives on your estate and has it in for you.  From what little I know of managed estates and their politics...

I couldn't possibly comment..!

No marketing whatsoever.  This is the mail list that I use to send out AGM minutes, warn people that the gardener is going to cut the hedges, and occasionally whinge about the state that someone's left the bin store in.  I'm only really concerned because I can foresee that sooner or later I'm going to get a GDPR-based grumble.

BnB - that's a fantastically useful link.  I'll have a proper read of it, but it very much looks to me that I can make a case for a legitimate interest basis.

OP Jamie Wakeham 22 Apr 2018
In reply to FactorXXX:

> You've got the email addresses, why not email them individually and ask them to email you back their consent to store that information?

20 of them won't reply (half of those because they never read my email anyway) and then they'll complain when they don't receive their AGM minutes next year!

 FactorXXX 22 Apr 2018
In reply to Jamie Wakeham:

Here's what UKC have said about email addresses and newsletters: 

https://www.ukclimbing.com/news/2018/04/how_you_can_support_ukc_and_ukh-715...

Is that similar to your situation with AGM Minutes, etc? 
A bit of a judgement call on your behalf.  I doubt that GDPR is really intended to include what are effectively informal organisations like yours and I would hope that the relevant authorities don't get too pedantic about chasing every single such organisation.
I personally think that most people in your position haven't even considered the implications of GDPR and in many cases haven't even heard of it.
Maybe just ignore it until you can find a clever way of implementing it without laying yourself open to scrutiny at a later date? 

 Neil Williams 22 Apr 2018
In reply to FactorXXX:

No you don’t.  Permission is needed only if the other legal bases don’t apply.  Both contract and legitimate interest do here.

 FactorXXX 22 Apr 2018
In reply to Neil Williams:

> No you don’t.  Permission is needed only if the other legal bases don’t apply.  Both contract and legitimate interest do here.

Does that mean that any organisation that holds a database including emails can just continue using it as if nothing has happened with the introduction of GDPR?
UKC don't appear to think so, which is why they went through the process of getting everyone to resubmit their email address details recently and as far as I can tell, the OP is pretty much using those details for the same reason.
I really think that people need to look at 'Legitimate Interests' and what its limitations are - I certainly don't think it means that you can arbitrarily declare 'Legitimate Interests' and carry on as if nothing has happened.
In the case of the OP, I would either ignore it, or declare use of it and do it properly with consent, etc.

1
 Wil Treasure 22 Apr 2018
In reply to FactorXXX:

> UKC don't appear to think so, which is why they went through the process of getting everyone to resubmit their email address details recently and as far as I can tell, the OP is pretty much using those details for the same reason.

The reason is different in the eyes of GDPR. There is no strictly necessary reason for UKC to contact you, but there is very good reason for the OP to need to contact his database for specific purposes.

> I really think that people need to look at 'Legitimate Interests' and what it's limitations are - I certainly don't think it means that you can arbitrarily declare 'Legitimate Interests' and carry on as if nothing has happened.

Of course they can't. Case law will ultimately determine the limits of "Legitimate Interests". Companies and data holders have to use their judgement (or pay for someone else's, or play very cautious) to determine if it falls under LI. In the case of the OP it's clear that it does, it meets at least 3 of the criteria, and just one would do.

 

 DancingOnRock 22 Apr 2018
In reply to Jamie Wakeham:

It’s less than 250 people. You don’t have to worry about it. 

4
 BnB 22 Apr 2018
In reply to FactorXXX:

> Does that mean that any organisation that holds a database including emails can just continue using it as if nothing has happened with the introduction of GDPR?

Certainly not. But there's a world of difference between

a) keeping emails of people with whom you are currently in business, which in itself constitutes legitimate cause and who, as the link I posted makes clear, would expect and require you to contact from time to time; and 

b) maintaining a large database of individuals with whom you are not currently engaged and who have not given you consent to treat as targets for your marketing

One of the businesses I'm involved with holds personal data that is far more valuable (bank account details, dates of birth etc) about its customers. It isn't however seeking consent as the company has legitimate cause to do so as it is mandated by law that it retains this data. On the other hand, the firm has discarded its direct marketing database of prospects in its entirety, and is rebuilding with consent from scratch.

It is obvious that a) applies in the OP's case and you are a lone voice to the contrary. I applaud your persistence but would it not make more sense to read my link in detail and think it through?

 Neil Williams 22 Apr 2018
In reply to FactorXXX:

The ICO site has a good document with examples and this is definitely OK.

Consent is an absolute last resort as it can be withdrawn which would be a nuisance.

 neilh 22 Apr 2018
In reply to Jamie Wakeham:

Go on to the IOC website; there is a very simple checklist with Yes or No as to whether the regulations apply. Easy to follow.

 Martin W 22 Apr 2018
In reply to neilh:

You mean the ICO web site.  The International Olympic Committee has rather less to do with upholding the law than the Information Commissioner's Office does.

 Martin W 22 Apr 2018
In reply to Jamie Wakeham:

Names & addresses are definitely personal data under GDPR.  GDPR uses the term "lawful basis for processing" to describe the various justifications that organisations can have for processing personal data (and "processing" means, amongst other things, just having it).  Consent is but one of the lawful bases.  Another is Legitimate Interests.  There's also Contract, which might apply in the case of a management company for a private estate.

IMO far too many people seem to be defaulting to consent as the easiest basis to use.  On the face of it, if the data subject has said it's OK then you're home free.  Except you're not.  If the data subject changes their mind, then you have to stop processing their personal data there and then.  How would the management company, er, manage if one or more of the residents suddenly said "no"?  You must also be able to demonstrate that the data subject gave their consent freely (i.e. there was no down side to them if they did not consent), and you have to be able to evidence the consent, which means keeping scrupulous records.

People seem to shy away from legitimate interests because it sounds difficult, but it's not really that hard.  If what you're doing is not illegal (and I don't believe that it's illegal to manage a residential estate), if what you are using the personal data (names and addresses) for can't readily be achieved another way (which the management company seems to have already decided is the case), and if the residents of the estate would reasonably expect the estate management company to be able to communicate with them, then it seems highly likely that legitimate interests would apply.

There is a very comprehensive collection of advice and guidance about legitimate interests on the ICO web site, including guidance about how to decide whether legitimate interests applies in a particular case - a task called a Legitimate Interests Assessment.  It may look daunting at first but it really shouldn't be beyond the capability of someone who's operating an estate management company to work it out IMO.

Of course you still have to comply with the GDPR principles, and allow data subjects to exercise their rights (as explained on the ICO web site).  The funny thing is that neither of those things are massively different to what they were until the DPA, just a bit broader in scope.  The 1998 DPA has been law for twenty years.  The main reason why people are getting their knickers in a twist over GDPR is because the sanctions regime is significantly harsher (ie you can be fined a lot more).  But for low risk personal data like names and addresses, the likelihood of a mahoosive fine is pretty minuscule unless you've been utterly reckless (and/or broken other laws in the process, they always like that).

Bottom line: GDPR does not say that you always have to have consent to process personal data, and consent may be more trouble than it's worth if you can justify another lawful basis for your processing of the residents' personal data.  Which I suspect that you can.

Final point: if you were to see what GDPR consultancy rates are at the moment, you might want to consider how worthwhile free advice on a public internet forum is likely to be...

Post edited at 21:30
 DancingOnRock 22 Apr 2018
In reply to Neil Williams:

Quite. I’m not sure why my reply got a dislike. 

Like any new rule, there’s always a bunch of consultants, some more honest than others, lining up to advise people for a fee. 

1
OP Jamie Wakeham 23 Apr 2018
In reply to Jamie Wakeham:

Thank you all.  I was fairly sure that asking on UKC would be a lot more efficient than trying to work it all out myself!

I am now reasonably sure we can use contract as the basis - as to buy a house here you are bound by the estate regulations (as invoked in the covenants) and these regulations require you to give the company an up-to-date email address.  I'm also pretty sure we could use legitimate interest.  So no need to ask everyone to re-confirm their consent - hurrah.

One thing I'm not yet sure of - do I need to inform the ICO that we process data?

Deadeye 23 Apr 2018
In reply to Jamie Wakeham:

GDPR is hilarious.  We've had 5 years to think about it and get in shape and now, a month away, everyone is flapping.

As it's only a small list, just mail them and ask for confirmation by return.  Encrypt the file and ensure you housekeep it regularly to remove old names etc.

 

Kipper 23 Apr 2018
In reply to Deadeye:

> GDPR is hilarious.  We've had 5 years to think about it and get in shape and now, a month away, everyone is flapping.

Good point. We've got about 20 project managers working on it; this morning I was told to prioritise only things GDPR (and TLS 1.2) related.

 

 

 Toerag 24 Apr 2018
In reply to DancingOnRock:

> It’s less than 250 people. You don’t have to worry about it. 

Does GDPR not apply to everything? Why should <250 people require less protection than >250?

To the OP - keep everything neat and tidy, and establish how long you need to keep data for. If, in 10 years time, your PC gets compromised and data harvested on someone who moved out last week, then you could potentially be in lots of trouble.

 BnB 24 Apr 2018
In reply to Kipper:

> Good point. We've got about 20 project managers working on it; this morning I was told to prioritise only things GDPR (and TLS 1.2) related.

My PA is flapping this morning because a hundred customers suddenly want to know what we are doing about GDPR. I've told her to send a round robin to the effect that since we don't process data on their behalf it's none of their business and they ought maybe to have a read of the regulations before wasting their supplier's time with spurious enquiries. Naturally, all dressed in polite language about being committed to working in partnership blah blah.

 DancingOnRock 24 Apr 2018
In reply to Toerag:

It’s to do with your record keeping. You still have to comply but the record keeping and reporting aspect is removed. GDPR applies to everyone who keeps data, not just businesses. 

Personal individuals, clubs, charities, anyone who holds private data of someone else. 

If you’re running an estate with only 50 houses on it, you only need to make sure your data is secure, the rest of the GDPR don’t really apply. See the links above. 

 wintertree 24 Apr 2018
In reply to DancingOnRock:

> GDPR applies to everyone who keeps data, not just businesses. Personal individuals, clubs, charities, anyone who holds private data of someone else. 

Incorrect. GDPR does not apply to an individual going about their private, non-commercial, household business.  Plenty of information and expert opinion out there on precisely this as well as the relevant source material.
 
Laws have to be enforceable after all.  Would subjecting every individual’s household address book (paper or electronic) or their love letters or their holiday photos to the GDPR be enforceable?
 Neil Williams 24 Apr 2018
In reply to wintertree:

Correct.  Personal use of data is totally exempt.

 Billhook 24 Apr 2018
In reply to Martin W:

An excellent practical summary of the new GDPR legislation.

 Martin W 24 Apr 2018
In reply to Deadeye:

> As it's only a small list, just mail them and ask for confirmation by return.

Don't you just love it when somebody piles in at the end without reading the whole thread.

 Martin W 24 Apr 2018
In reply to DancingOnRock:

> It’s less than 250 people. You don’t have to worry about it. 

The 250 breakpoint is the size of the organisation, not the size of the data set.  (And it doesn't apply if the information includes certain particularly sensitive types of data which present a high risk to the data subject's privacy or freedoms.)

Glib answers about a law that runs to 99 articles with nearly twice that number of recitals are more likely than not to be wrong, or at least questionable.

As the estate management company is unlikely to employ anything like 250 people or process sensitive types of data* then the obligation to keep Records of Processing Activities likely doesn't apply in the OP's case.  But you still need to have a lawful basis of processing, and you still need to respond appropriately (within a month, without levying a charge) to a data subject's request to exercise their rights (basically: access, correction, objection or erasure).  There is more to it than just making sure that the data is secure.

> Like any new rule, there’s always a bunch of consultants, some more honest than others, lining up to advise people for a fee.

There also appears to be no shortage of semi-informed clever-clogs offering glib but questionably accurate advice about a new law that runs to 99 articles with nearly twice that number of recitals which hasn't even been tested in the courts yet (partly, it must be said, because it's not yet come into force).

 Martin W 24 Apr 2018
In reply to Deadeye:

> GDPR is hilarious.  We've had 5 years to think about it and get in shape and now, a month away, everyone is flapping.

The regulation was adopted by the European Parliament in 2016.  It's not hugely surprising that a lot of people who were busy enough with their day jobs didn't take a whole lot of notice of the details embedded in it until then.  Even some of the advice on the ICO's web site is still in the consultation phase, and they were involved (as the UK's representative on the EU Article 29 Working party) in drafting the thing!

 FreshSlate 24 Apr 2018
In reply to Martin W:

You're absolutely right, and even the scope of the exemption is very limited e.g. you still need to document activities which are not occasional or if they pose a heightened risk to data subjects. So day to day processing activities would still need to be documented.

 RomTheBear 25 Apr 2018
In reply to Deadeye:

> GDPR is hilarious.  We've had 5 years to think about it and get in shape and now, a month away, everyone is flapping.

Most of my customers have been preparing for at least two years.

In most cases the work they had to do for GDPR actually benefited the business, as it forced them to implement effective metadata management solutions.

 

 DancingOnRock 25 Apr 2018
In reply to Martin W:

We are talking about a small management company made up of residents with no employees where the database will be the same size as the number of members. It’s unlikely to have any day to day activities. At most they’ll be having a monthly meeting that may or may not mean emailing out minutes. Possibly there may be some direct debits set up for an annual service charge.

Make it as complicated as you like but 98 of your 99 pages just won’t apply, they certainly won’t need an expensive consultant to tell them that.

I’m running exactly the same set up with 18 members and also manage a Members database for a local sports club with 300 members and have spoken to people who are experts. 

 wintertree 25 Apr 2018
In reply to DancingOnRock:

> Make it as complicated as you like but 98 of your 99 pages just wont apply, they certainly won’t need an expensive consultant to tell them that. 

You might need an expensive consultant to tell you that it’s 99 articles, not 99 pages.

 

If a legally qualified person told the OP that 98 of the 99 articles don’t apply, I think that would qualify as malpractice.

 

http://GDPR-info.eu - the language is surprisingly simple and easy to read for a legal document.   Perhaps this is a result of having to have the document logically and legally invariant under many languages.    Perhaps have a read through it for your role, as several of your posts show an incorrect understanding.

Post edited at 09:42
 wintertree 25 Apr 2018
In reply to BnB:

> I've told her to send a round robin to the effect that since we don't process data on their behalf

I hope you took her “cc” button away!

> it's none of their business and they ought maybe to have a read of the regulations before wasting their supplier's time with spurious enquiries. Naturally, all dressed in polite language about being committed to working in partnership blah blah.

As a question it does have some validity.  I’m running with my assumption that your business supplies software or data services.  

I’m coming to see data protection legislation as parallel in general intent - and potential legislative clobbering - to health and safety legislation.  

I expect supplier’s offerings to be certified as compliant with relevant H&S legislation but I’m not aware of routes to certify their offerings - where appropriate - as data protection compliant.  In this light a sensible question for a supplier might be “does your product follow or facilitate best practices in anticipation of GDPR”.  

I’m sure many companies haven’t thought this far in to it and are in a general flap...

Post edited at 10:01
 DancingOnRock 25 Apr 2018
In reply to wintertree:

Yes. I’m familiar with it and have read it. There are huge parts of it that just don’t apply to the Estate Management Company.

Compared to the club with 300 members the Estate Management has absolutely nothing to be bothered about.

