This policy will help us address data protection in a consistent manner. The policy clearly sets out our organisation's approach to data protection together with responsibilities for implementing the policy and monitoring compliance. The policy is approved by management and published and communicated to all staff. The policy will be reviewed yearly and updated when required to ensure it remains relevant.
Our business is registered with the Information Commissioner's Office.
Directors Neil Engall and Julie Engall are aware that the GDPR is changing. They appreciate the impact this is likely to have and have identified areas that could cause compliance problems under the GDPR, as laid out below.
Information we hold
Following our data audit we have identified 7 instances of client data collection:
All clients will have their name, address, telephone number and email collected.
1. As a general Applicant
2. As a vendor of a property. Additional proof of identification for AML regulations will be required
3. As a purchaser/tenant. Additional proof of identification for AML regulations will be required, together with financial checks/right to rent checks.
4. As a client who has asked for a valuation.
5. As a mortgage customer. Additional information will be required for a mortgage application/insurance policy.
6. As a Lettings Landlord. Additional proof of identification for AML regulations will be required.
7. As a member of staff or a job applicant. Additional proof of identification for AML regulations will be required/references.
Our online data is held in secure off-site cloud-based client databases known as teamworks and focus, which are password protected. Our paper-based files are held in locked filing cabinets outside of working hours.
Our data is normally only shared with other property professionals as part of our normal day-to-day activities, for example solicitors, mortgage brokers, other estate agents, surveyors, EPC providers and AML check providers. Our Privacy Notice provides further information.
If we have identified inaccurate personal data and have shared this with another organisation, we will tell the other organisation about the inaccuracy so it can correct its own records. We will record this change in the notes section of our property file. In the case of an email change, which is likely to be the most common error, a new verification email will be produced via our estate agency software.
Communicating privacy information
Our software allows for easy identification of a client and an easy deletion of their record. Once identified we are able to provide the following:
* the right to be informed
* the right of access
* the right to rectification
* the right to erasure
* the right to restrict processing
* the right to data portability
* the right to object, and
* the right not to be subject to automated decision-making, including profiling
Our paper files are dead-filed upon completion of a transaction and remain easily accessible up until destruction, which is normally after 7 years, depending on other associated regulations.
Subject access requests
We will not charge a client for complying with a request.
We will respond within a month of a request unless it is manifestly unfounded or excessive.
If we refuse a request, we will tell the individual why and that they have the right to complain to the supervisory authority and to seek a judicial remedy.
We will write to the client to acknowledge receipt of their request and confirm that we will respond within 30 days.
If there is a delay in dealing with the request for any reason, the organisation contacts the requester to explain the reason and the expected date for the response.
The response to a SAR includes an explanation of the searches that have been made to deal with the request and the information revealed by those searches.
The organisation logs receipt of SARs and updates the log to monitor progress as each SAR is processed. The log includes copies of information supplied in response to the SAR, together with copies of any material withheld and an explanation of why it was withheld.
A standard checklist is used to ensure consistency in identity verification procedures and to ensure that the necessary information is obtained from relevant departments across the organisation.
Lawful basis for processing personal data.
We hold personal data in order to comply with our Legal Obligations, Contracts and where we have a Legitimate Interest, with reference to the AML Regulations, THE CONSUMER PROTECTION FROM UNFAIR TRADING REGULATIONS and THE ESTATE AGENCY ACT, amongst others.
Clients will be actively asked to opt into and consent to receiving our services, and a record of this will be held on our software, in most instances by an automated email system. All emails generated from our software will have an unsubscribe option. Consent will be freely given, specific, informed and unambiguous.
The data is collected in order to provide the estate agency service required by the client and to protect our staff, with information taken prior to viewings.
Where we feel consent is required, we will, prior to the new regulations, ask all our clients to opt into our service; if they do not respond with an opt-in we will not make further contact.
A breach would consist of our secure computer systems being hacked or computers stolen, or our offices broken into and the secure and locked filing cabinets opened.
We will notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify those concerned directly in most cases. Our high risk clients have been identified as those where we hold passport/driving licence and other financial records.
We are aware that failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Data Protection by Design and Data Protection Impact Assessments
We have instigated a privacy by design approach to data protection. Taking a privacy by design approach is an essential tool in minimising privacy risks and building trust. With this in mind we have designed our processes and systems with privacy in mind at the outset. This has resulted in the redesign of our estate agency software to include an opt-in email and a review of how we hold, store and dispose of our personal data. We carried out a Privacy Impact Assessment (PIA) as part of this process.
Our assessment is that we do not need to carry out a Data Protection Impact Assessment as we do not fall under the mandatory requirements to do so.
Data Protection Officers
We do not need a formally designated Data Protection Officer, because our organisation does not meet the requirement: we are not an organisation that carries out the regular and systematic monitoring of individuals on a large scale, nor an organisation that carries out the large-scale processing of special categories of data, such as health records or information about criminal convictions. Neil Engall and Julie Engall are our designated persons who take responsibility for data protection compliance.
We do not sell properties overseas and do not need to take further action on this point.
We do not collect personal data on children.
Many data security breaches are accidental and result from insider actions. All staff will be trained in handling personal data and on their data protection responsibilities. Specialist training for staff with specific duties, such as marketing, information security and database management, will also be delivered when the designated person deems necessary. Regular communication of key messages is equally important to help reinforce training and maintain awareness and will be circulated where applicable. Training records will be kept.