From our experience, housebuilders are a frequent recipient of data subject access requests ("DSARs") from customers. Failure to understand DSAR requirements (and the tools available to limit scope and extend timeframes, where appropriate), lack of adherence to DSAR deadlines and poor records management are regular pitfalls; contributing to delays and leading to unsatisfactory outcomes for customers. The ICO highlights good records management, in particular, as key to ensuring DSARs are dealt with smoothly.

Another matter we often advise housebuilders on is the sharing of customer personal data with sub-contractors. Among other issues, this can sometimes lead to unwanted marketing communications from the sub-contractor to the customer. As a starting point, personal data must only be disclosed when it is necessary and appropriate. Housebuilders must have a lawful basis for sharing customer personal data, such as consent. It is recommended that housebuilders have appropriate data sharing agreements in place with sub-contractors, requiring them, for example, to comply with data protection laws and follow the housebuilder's procedures. It is common to include a restriction on further processing, including marketing activities.

Ultimately, poor data protection practices can put housebuilder customers at risk and invite regulatory scrutiny (with the potential for enforcement action and / or fines). The ICO has published a blog expanding on some of the issues discussed and setting out further guidance.

Jade Kowalski jkowalski@dacbeachcroft.com a member of our DACB data, privacy and cyber team would be happy to discuss any areas of support.