Housebuilder Top Tip: Review and Refresh Data Protection Practices

By Jade Kowalski & Ellen McWhirter

Published 02 February 2024

Overview

Housebuilders often collect and process personal data to provide their services and to support customers. The Information Commissioner's Office ("ICO") has identified a need for some organisations in the sector to improve their understanding of data protection law. Housebuilders would be well advised to closely review their data protection practices to ensure continued compliance and avoid customer complaints and potential ICO action. We have set out below some common areas where housebuilders experience challenges and identified preventative measures.

In our experience, housebuilders are frequent recipients of data subject access requests ("DSARs") from customers. Failure to understand DSAR requirements (and the tools available to limit scope and extend timeframes, where appropriate), lack of adherence to DSAR deadlines and poor records management are regular pitfalls, contributing to delays and leading to unsatisfactory outcomes for customers. The ICO highlights good records management, in particular, as key to ensuring DSARs are dealt with smoothly.

Another matter we often advise housebuilders on is the sharing of customer personal data with sub-contractors. Among other issues, this can sometimes lead to unwanted marketing communications from the sub-contractor to the customer. As a starting point, personal data must only be disclosed when it is necessary and appropriate. Housebuilders must have a lawful basis for sharing customer personal data, such as consent. It is recommended that housebuilders have appropriate data sharing agreements in place with sub-contractors, requiring them, for example, to comply with data protection laws and follow the housebuilder's procedures. It is common to include a restriction on further processing, including marketing activities.

Ultimately, poor data protection practices can put housebuilder customers at risk and invite regulatory scrutiny (with the potential for enforcement action and / or fines). The ICO has published a blog expanding on some of the issues discussed and setting out further guidance.

Jade Kowalski (jkowalski@dacbeachcroft.com), a member of our DACB data, privacy and cyber team, would be happy to discuss any areas of support.
