Data discovery and record keeping
Understanding what data your organisation holds, and why, is fundamental to building a GDPR compliance programme. Companies may be required to maintain an internal record of the data that they hold, for example about commercial and residential tenants, and the reasons for which it is used.
Individuals must be made aware of how their data will be used. Existing privacy policies need to be updated to reflect the GDPR’s granular requirements. If your organisation collects data indirectly, you will need to consider how the information can best be made available.
Companies should have a paper trail in place to demonstrate how they comply with the GDPR, in case of future regulatory audits. This may involve updating existing policies and procedures, or implementing new ones. Organisations can be required to make records and policies available to supervisory authorities.
Relationship with third parties
The GDPR requires organisations to have specific contractual provisions in place with suppliers (including managing agents) handling personal data. Existing contracts should be reviewed and updated to ensure they meet GDPR standards.
The GDPR enhances individuals’ data rights and brings in new rights. Organisations will need to have procedures in place to ensure that they can respond to requests in the required time frames.
Due diligence process
In corporate or asset sales, all parties will need to ensure the necessary contractual and practical provisions are in place to protect personal data, for example through the use of non-disclosure agreements and techniques such as pseudonymisation.