The effect of the General Data Protection Regulations on party wall surveyors.
Data protection has always been one of those buzzwords that people tend not to get too exercised about, and I don’t blame them. Even big corporations dealing with millions of customers on a daily basis sometimes fail to give data protection enough attention. Some of them found out the hard way: TalkTalk was fined £400,000 in October 2016.
Under the new General Data Protection Regulations (GDPR) and for a similar offence, TalkTalk could have been fined up to €20,000,000!
All of a sudden, data protection sounds more serious…
So, what is it?
The GDPR will replace the current Data Protection Act 1998 and will come into force on 25 May 2018. Its aim is to broaden the scope of how personal data is protected throughout the European Union and dramatically increase fines (so that people start taking it more seriously!).
Why does it affect your party wall practice?
The fact that it is a European piece of legislation doesn’t mean it won’t apply post-Brexit. The Information Commissioner’s Office and government have already confirmed that the UK will observe data protection laws in accordance with the GDPR going forward.
It affects you because you are processing personal data (i.e. collecting, recording, structuring and storing) when acting as a party wall surveyor.
You will be searching the land registry for names and addresses. Once these details have been found, you will copy them into a spreadsheet or other documents in order to issue notices and/or other correspondence.
The fact that the land registry is accessible to the public does not matter.
How does it affect you?
The processing of personal data as part of your activities is not unlawful as such and the GDPR doesn’t make such processing unlawful as long as you process it in accordance with the regulations.
The GDPR introduces a more stringent and prescriptive data protection regime that will apply to surveyors who process personal data.
Here are certain points you need to be aware of as a party wall surveyor:
- Accountability and privacy by design
The GDPR places a heavier accountability burden on data controllers (i.e. you, the party wall surveyor) to demonstrate compliance. This includes keeping certain documentation showing compliance; conducting data protection impact assessments (unlikely for surveyors); and implementing data protection by design and by default (e.g. data minimisation).
- Consent and your obligation to notify
The processing of personal data must (in most cases) be preceded by consent from the data subject, and such consent must be freely given, specific, informed and unambiguous.
Party wall surveyors collect their data about adjoining owners from the Land Registry without the prior consent of the owners.
This is still lawful but, as a building owner’s surveyor, you will have to provide the data subject (being the adjoining owner) with certain information (as per Article 14 of GDPR), including your details; the purpose of processing; categories of data concerned; the recipients of the personal data; notification of their rights as to the data, etc.
This will need to be provided “at the latest at the time of the first communication to that data subject”. It will therefore be necessary to include all the information required by Article 14 of the GDPR in the notices or covering letter sent out to individual adjoining owners. Article 14 has a long list of notification requirements, so be careful to cover them all without overwhelming the recipient.
We have been looking into this and Party Wall PRO will offer its users updated documents to be in line with GDPR. As a Party Wall PRO user, you don’t have to worry about a thing.
If you are reading this and are not a Party Wall PRO user, you can download the standard GDPR notification wording that we prepared for you. Just copy and paste it into your standard cover letter. Click HERE and we will send it to you.
- Data Breach Notifications
Data controllers must now inform the Information Commissioner’s Office of any data breach within 72 hours. It is therefore important to have proper systems in place to monitor potential data breaches and policies and procedures for staff members to know what to do.
- Data Subject’s rights
The GDPR puts in place strengthened rights for data subjects. This includes (amongst other rights) the ability to ask organisations what data is being processed about them; access to that data in certain situations; correction of such data if erroneous; and the (infamous) right to be forgotten. These requests must be answered within a month. You will therefore need to have clear processes in place to enable you to meet these obligations.
What do you need to do now? Five first crucial steps.
- Prepare to monitor and report data security breaches
You will need to be able to demonstrate that you have in place the policies and procedures to be able to report effectively and show you are able to monitor potential breaches. You will need the technical ability to do so. Party Wall PRO customers will be notified instantly of any data breach, making it hassle-free.
- Build accountability layers
Define who is accountable for data protection matters within your organisation. Put in place policies to prove that you meet the requirements and train your staff so they understand their obligations.
- Implement privacy by design
Your organisation needs to incorporate data protection in its daily activities. Using technology and adapting the notices to inform adjoining owners of their data protection rights will demonstrate your effort to comply.
- Update your privacy notices and policies
The GDPR requires that information provided to data subjects is in clear and plain language. Your policies should be easy to understand, transparent and accessible.
- Be ready for data subjects to exercise their rights
The European Commission’s intention is to advertise the expanded data subject rights under the GDPR. Rest assured that some disgruntled adjoining owners will ask to see what you have on them and if you can delete or amend their details. It is therefore important to have your data easily searchable and editable.
If you are still paper-based, it is time to invest in computer technology (and no, processing doesn’t only mean “automated processing”). Again, have in place policies and procedures determining how you will deal with such a request.
There is still time to get GDPR-ready, but start thinking about it now before the panic sets in by spring next year.
If you want our standard notification wording that you can use in your templates enter your email address here and we will send it to you (it’s completely free!).