Landlords and GDPR: a guide
General Data Protection Regulation, commonly known as GDPR, came into effect in 2018 and changed the way that personal data of consumers is collected and processed. Anyone who holds or processes personal data must comply with GDPR data protection legislation, including landlords.
This guide explains how the regulations apply to landlords and what it could potentially mean for your property business.
What is GDPR?
GDPR is the legal framework that establishes strict guidelines for how personal data can be collected and processed. Any commercial entity gathering data must ensure the information is:
- Used fairly, lawfully and transparently
- Used for specified, explicit purposes
- Used in a way that is adequate, relevant and limited to only what is necessary
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
It came into effect on May 25th 2018, and ultimately protects the personal information of individuals. It was designed to update current rules that have been in place since the 1990s and so that they are fit for purpose in our contemporary data-saturated lifestyles.
The document itself is hefty, with 99 individual articles relating to personal data. It took four years of discussions and negotiations before being greenlit and implemented in 2018. Following its introduction, GDPR is the world's strongest set of data protection regulations.
How does it apply to landlords?
While GDPR wasn't designed with private landlords in mind, it will likely affect you in some capacity. There's every chance that you use and store tenants' personal information, such as their names, email addresses, phone numbers, etc. Because you have access to such information, and indeed need to request it for legitimate commercial interests, you'll need to store and process it transparently.
This involves notifying tenants:
- What personal information you collect on them
- Why you need their personal information
- How you might use that information, including who else could potentially see it
- How long you keep the information for
As a landlord, you acquire lots of personal information about tenants, especially when you receive a referencing report on them. Therefore, it's important that you understand how GDPR applies to you and your relationship with tenants to protect yourself from liability for unlawful handling of personal data.
What constitutes personal data?
Essentially, personal data is anything relating to an identified or identifiable individual. This could be something as simple as a name or a number. It's even possible to identify people by having things like their IP address or a cookie tracker.
Information becomes personal data protected by GDPR if you can directly or indirectly use it to identify someone. For the purpose of GDPR, indirect identification means that, while you might struggle to identify an individual through the information you are processing alone, you may be able to by using other information you hold or information you can reasonably access elsewhere. For example,
As a landlord, you will almost certainly collect and store information that identifies a tenant.
What personal data do I hold on tenants?
Personal data is information relating directly to the person who gives it to you. For landlords, the type of personal data you hold on tenants is likely to include:
- Email address
- Personal income
- Tenancy application
- Tenancy agreement
- Bank account details
All of the above are examples of the information you probably have on tenants. As you can see, it's pretty thorough, and you will need to comply with GDPR regulations when collecting and processing this information.
What do I need to do with tenant data to comply with regulations?
Here are the key steps you need to take to remain in line with GDPR requirements.
Keep evidence tenants have given permission for their data to be held
You can ask tenants to consent in writing to your legitimate storage and processing of their data, with them acknowledging that you have access to their personal data and they're happy for you to have it. Because most of the information provided will be under a contract (more on that in a bit), this will often serve as implied consent. However, it's always good practice to document that you have explicit permission to handle certain personal data, whether by including a GDPR clause in your tenancy agreement or asking tenants to sign a separate waiver.
Only use data for original intended purposes
As a landlord, you have a fair amount of sensitive data about tenants. You also have a responsibility to only use it for the intended purpose – e.g. to decide a tenant's suitability to live in your property. The personal details held should never be used for anything other than the intended purposes. One such example of misusing data in this manner would be a scenario where the landlord has handed over tenant contact details to a third party in order for them to market services to them.
Destroy data when it’s no longer required
Once you have the information needed for a tenant, such as the reference results, you should destroy it when you no longer need the info. Most details are stored electronically, and you can destroy them by deleting emails and ensuring there is no digital file with the information.
How do I handle data more securely?
Ensuring you're compliant can seem daunting, especially if you didn't know much about GDPR before reading this article. Still, there are some straightforward actions you can take to ensure compliance with GDPR rules.
- Use strong passwords for the devices that contain personal tenant data
- Limit the use of other people who access the devices
- Install anti-virus software, so it's harder for hackers and malware to access your devices
- Dispose of documents properly, for example by shredding any physical documents that contain personal data once you no longer need them
- Don't release the information to anyone else other than those with consent
Following the above guidelines will reduce the chances of your tenant's information (and yours too) falling into the wrong hands.
What are privacy notices, and how do they apply to landlords and tenants?
What is ICO registration?
As a landlord, you should register the personal information of tenants with the ICO if you currently or at some point have stored, used or deleted tenant personal information on any electrical device. It costs about £40 per year to store the information with the ICO.
The precise legal obligations of landlords with regards to registering info with the ICO are currently a bit of a grey area. However, it's probably better to be on the safe side and register the information to safeguard yourself from further complications.
What about consent from the tenant?
Most businesses need consent to store and use data. For landlords, however, the situation differs slightly. Consent isn't required if the personal information is processed under a legal requirement, a contract, vital interest or legitimate interests.
Landlords and tenants enter into a rental contract for the property, which means consent should be assumed based on the communication between both parties as long as it relates directly to the tenancy.
Examples of lawful and unlawful use of data
Example uses of lawful data include using it for the intended purpose. For example, if you receive a tenant reference, you can use the information provided to decide whether or not that tenant is suitable to live in your property. Under those circumstances, you're using personal data on a tenant lawfully.
If, however, you went on to sell that information to an unrelated third party for commercial use it would be unlawful. There's no need for a landlord to provide the referencing results with anyone else other than the letting agent. Trying to profit from the information provided could land you in hot water.
Summary: Landlord GDPR
Understanding GDPR can be a bit like navigating a maze at times, but it doesn't need to become a major burden. If you’re compliant and use the information as intended, then you shouldn't have anything to worry about and can focus on your primary landlord responsibilities.
At Home Made, we offer a hybrid lettings solution that adds value at every stage of the rental process. With our game-changing new landlord platform, The Property Wallet, we offer London landlords exceptional tenant-find and property management services for a low monthly fee.
- Avoid expensive upfront fees and spread the cost of marketing your property with the option to pay monthly.
- Free rent collection and arrears chasing.
- Sign off and see all charges and payments in your dashboard.
- Real-time updates on marketing, viewings, and offers.
Prices start from just £50+VAT/mo for tenant-find and £60+VAT/mo for management. Alternatively, you can pay a one-off upfront fee of £1,200+VAT for our tenant-find service.
If you would like to speak with us about your property needs, contact us via our website to find out how we can help. If you're ready to get started, book your free valuation here.Book valuation
Check out more of our landlord advice here and follow us on Twitter, Linkedin, and Instagram for regular updates on industry compliance standards, market insights, and Home Made company news.