The short answer to this question is probably yes, but the good news is that it’s easy to do online and not expensive – probably £40 (2024).

A residents management company (RMC) is deemed to be a data controller and that imposes duties to keep information safe. It may seem like ‘overkill’, especially if you only have a few flats in the building, but the law on data privacy applies to everyone. Data controllers all need to register with the ICO (Information Commissioner's Office) and pay a fee annually.

What is the ICO?

The ICO enforces data protection law and will act where organisations flout the principles of UK GDPR law. Anyone who has an issue with the way someone is using their data can complain to the ICO.

It is the UK's independent body set up to uphold information rights, and it is funded by a mix of data protection fees and government grant.

Under the Data Protection Act 2018, organisations processing personal data must pay a data protection fee, unless they are exempt. Personal data includes information like people’s names, addresses or telephone numbers.

What does registration cost?

It is up to you to check if you need to pay a fee and how much. The ICO makes it easy to do so with an online assessment tool.

ICO registration fees are relative to the size of the organisation and, while fees range up to £2900, an RMC will probably pay £40 a year.

You may be exempt if you only keep paper records, but it is increasingly unlikely that you are not using computers and electronic communications.

What do I need to do after registering?

The purpose of data protection law is to do just what it says on the tin: protect our data. So, as well as just registering, you should review your processes for storing, accessing, and using data to minimise the risk of a breach and make sure you comply with the seven key principles of UK law on data protection:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

If you keep these principles at the heart of your approach to processing personal data, you should not fall foul of the ICO. In many ways it all comes down to common sense and respect for your neighbours.

Generally, keep as little personal data as you need, only keep it for as long as you really need it, don’t share unless necessary and then only with a reputable firm, and keep it safe and secure.

Undertake a Data Audit. This can be a simple document to evidence the flow of your data, where it comes from, where it is stored and with whom it is shared.

Be prepared to respond to scenarios such as a data breach or hack, a subject access request (the right for information), or an individual’s right to be forgotten, and to quickly correct any errors in the data you hold.

Isn’t it my managing agent who should be registered?

While your managing agent may be registered for other purposes, they are only the data processor for your block of flats. You still have a duty to register as the data controller.

What is the difference between a data controller and a data processor?

Data controller: this is the person or body that determines how and why personal data is stored and processed.

Data processor: this is the person or body that processes the data on behalf of the controller.

What if I don’t register my RMC with the ICO?

Apart from the risk of penalties from the ICO, you might compromise your position with leaseholders. They could raise complaints about you to the ICO if they believe you're misusing their data. Also, if you had an issue such as unpaid service charges, the tenants could use your non-registration, and failure to manage correctly, against you.

Registration is easy. Check out if and how to do it online now but, just as important, take time to think about your data control – is it fair and secure?