GDPR (General Data Protection Regulation) for Landlords and Agents

The GDPR (General Data Protection Regulation) comes into effect on the 25th of May 2018.

Set out below is a brief overview of landlord and agent responsibilities under the GDPR. Landlords and agents should nevertheless audit their own data protection procedures to ensure they are compliant. For further clarification, advice should be sought from the Information Commissioner's website, available here: www.ico.org.uk/

Please note that this guide focuses on the property management arrangements undertaken by landlords and agents in regard to protecting tenants' data, not on the general responsibilities that come with running a business and employing staff. Separate and additional advice should be sought in that area, if required.

 

Key message: Check if you need to register
Action: Use the Registration Self-Assessment Toolkit to check whether you are required to register with the ICO.

Key message: Protect data
Action: You have a duty to protect the data in your possession; refer to the ICO guidance on security.

Key message: Keep your evidence
Action: Ensure you have adequate evidence that your tenants have read and understood what data will be collected and how it will be used.

Key message: Destroy data when no longer needed
Action: Once data is no longer needed, destroy it in a safe and secure manner.

Key message: Only use data for the purpose for which it was collected
Action: You must have a lawful basis for collecting, storing and using the data, and it must cover each purpose you use the data for.

 

1. Introduction to General Data Protection Regulation

GDPR (Regulation (EU) 2016/679) is a European Union (EU) wide set of standardised rules for the handling and storage of personal information. The regulation applies to anyone who controls the personal data of individuals in the EU, or who processes it on a controller's behalf, even if the data controller or data processor is based outside the EU.

The GDPR aims to give citizens and residents control over their personal data and to simplify the regulatory environment by unifying the rules across the EU. When the GDPR takes effect it will replace the 1995 Data Protection Directive, which was transposed into UK law by the Data Protection Act 1998 (DPA). Despite the intention to leave the EU, the UK Government has confirmed that the GDPR will be brought into UK law.

The Information Commissioner’s Office (ICO) is the appointed authority to uphold information rights and data privacy for individuals in the UK. To help individuals and organisations understand their rights/requirements under GDPR, they have produced an in-depth guide available to read here.

2. How does this affect Landlords?

Landlords collect and handle the personal data of tenants as part of the letting process and are therefore classified in law as data controllers. They may also collect information in relation to staff they employ.

Data controllers (in this case landlords) are required to ensure that their tenant and staff information is kept safe and secure, and is only used for purposes for which they have a lawful basis.

Some landlords engage contractors to assist them in running their businesses, for example an agent who carries out the letting and management activities on their property, or third party organisations that require tenant details during the course of a tenancy (e.g. for reference checks or credit checks). In these circumstances it is important to ask for evidence of the contractor's or agent's compliance with the GDPR before engaging their services.

In respect of existing relationships, landlords should check with current contractors and discuss their plans to ensure compliance. Evidence could be one of the following documents:

  • Data management policy

  • Privacy policy

  • Data processing policy

  • Privacy agreements

Data controllers have a responsibility to ensure that a lawful basis exists for processing a data subject's personal data and that this is documented. Best practice is to provide all tenants, both current and prospective, with a Privacy Notice. More information about privacy notices is available below at section 7.

The ICO has a range of resources to assist landlords to get this right. Of particular relevance is the following:

  • Checklist for data controllers to ensure they understand and assess their high level compliance with the GDPR, available here. 

3. How does this affect Agents?

The majority of agents will act as data processors when acting on behalf of landlords. An agent who also collects information in relation to staff it employs, or who owns and lets property itself, will in those circumstances be a data controller and should follow the advice for controllers as well.

The GDPR places specific legal obligations on a data processor, such as the requirement to maintain records of personal data and processing activities. A data processor can be held directly liable for a breach of those obligations.

To demonstrate compliance with the GDPR, agents should provide the landlord with evidence of their compliance with the legislation, e.g. privacy policy, privacy notices and privacy processes.

The ICO has a range of resources to assist in order to get this right. Of particular relevance are the following:

  • checklist for data processors to ensure they understand and assess their high level compliance with the GDPR, available here.

  • Checklist for data controllers to ensure they understand and assess their high level compliance with the GDPR, available here. 

4. What is the difference between Data Processors & Data Controllers?

A data ‘controller’ determines the purposes and means of processing personal data.

A data ‘processor’ is responsible for processing personal data on behalf of a controller.

The GDPR places specific legal obligations on the data processor; for example, to maintain records of personal data and processing activities. A data processor can be held directly liable for a breach of those obligations.

However, a data controller is not relieved of its obligations where a data processor is involved. The GDPR places further obligations on the data controller to ensure that its contracts with processors comply with the GDPR.

To keep personal data as secure as possible, and to reduce the risk of a potential breach, it is best practice for data controllers to request information demonstrating compliance with the GDPR from any current or prospective data processor. For example, a landlord (controller) should always ask to see evidence of an agent's (processor) processing activities and procedures, e.g. privacy policy, privacy notices and privacy processes.

5. Do all Data Controllers need to register?

A principal requirement for data controllers in the UK is that those who collect and store personal data in certain ways must register with the Information Commissioner's Office (ICO).

Although all landlords are required to comply with the GDPR, not all landlords are required to register with the ICO, as each landlord collects and stores tenants' information differently.

The fastest and easiest way to determine whether or not you need to register with the ICO is to complete their self-assessment, available here. The assessment takes about five minutes to complete and asks specific questions about how you collect and store personal data in order to determine whether or not you need to register.

6. What data do Landlords and Agents collect/process?

The following lists give an overview of the most common data that landlords and agents collect as part of the letting process, and the ways in which it is typically stored. Each storage method applies to any of the data types.

Data collected

  • Tenant contact details, e.g. phone number, email address, previous postal address

  • Referees' contact details, e.g. phone number, email address, postal address

  • Data required to complete credit and background checks, e.g. ID card, passport, National Insurance number

  • Payment details, e.g. bank details for direct debit, cheques

  • Emergency contact details, e.g. next of kin

  • Right to rent checks, i.e. evidence of the legal right to rent/reside in the UK

Method of storing data

  • Computerised systems

  • Mobile devices

  • Hard copy files

  • Cloud storage

7. What are Privacy Notices?

The GDPR gives data subjects (e.g. tenants) the right to be informed about how their information will be used. Data controllers should therefore provide them with a Privacy Notice which covers, as a minimum, the following elements:

  1. What personal data will be collected

  2. The lawful basis for collecting the data (e.g. performance of a contract)

  3. How the data will be used

  4. How long the data will be kept

  5. Details of any third party processors the data will be shared with.

In order to evidence that data subjects have been fully informed of how their data will be used, data controllers should:

  1. Issue the tenant with a privacy notice

  2. Ensure the tenant reads & signs the privacy notice

  3. Include a ‘privacy’ section in the tenancy agreement that specifies that the tenant has been provided with a privacy notice explaining how their data will be used, and that the tenant has understood the terms.

8. What are the consequences of not complying?

Sanctions for non-compliance with Data Protection under GDPR vary depending on the type of contravention, but fines are permitted equivalent to up to €20,000,000 (or 4 per cent of worldwide turnover, whichever is greater).

Whilst the majority of private landlords are highly unlikely to receive multi-million Euro fines, a ‘proportionate’ financial sanction may be a possibility.

The more pressing concern for landlords is the possibility of action taken by tenants who believe that their personal data has not been properly managed: a tenant may sue their landlord for compensation if they believe the GDPR has not been adhered to.

It is also important for landlords and agents to remember that they have a duty to report a personal data breach to the ICO where it is likely to result in a risk to individuals, and to keep a record of any breach whether or not it is reported.

9. Putting it into practice

The following scenarios help to put GDPR into context and demonstrate the real value of having this protection in place for landlords, agents and tenants:

Scenario 1: A landlord has lost, or been robbed of, the mobile device which stored all of his tenant data. The device is password protected, and the landlord has managed to disable the phone. What should the landlord do next?

If losing the data on the device poses a potential risk to the rights and freedoms of the individuals concerned, there is a duty on the data controller (landlord or agent) to report the breach to the ICO within 72 hours of becoming aware of it. Whether the device was encrypted, and whether it could be remotely wiped, are relevant to that risk assessment, and the breach and the decision taken should be recorded in either case.

It is not always easy to assess whether a person's rights and freedoms have been threatened, so the best course of action is for the controller to contact the ICO's breach team regardless of the scale of the potential breach, following a better safe than sorry approach. Breaches can be reported to the ICO by calling 03031 231113 or via the website here.

Scenario 2: A landlord has an extensive list of contact details from previous tenancies. The landlord starts a new home repairs company and decides that his previous tenants are the perfect audience to target for marketing his new business. Is this legal?

No, this would be unlawful, as the data is being used for a different purpose from the one for which it was originally collected, and the original lawful basis does not cover it. Should the landlord in this example want to market his new business to this audience, he would need to go back to square one and obtain a lawful basis for using the data for that purpose, explained through a privacy notice; in this case that would be consent, given by a positive affirmative action (opt-in).

Scenario 3: A landlord has recently sold all properties within her portfolio, however she still has the contact details of her previous tenants in her mobile phone and in a filing cabinet. What should she do with this information?

Neither the Data Protection Act 1998 nor the GDPR stipulates a minimum/maximum term for retaining personal data. However, a data controller should ask the following key questions:

  1. Do I have a lawful basis for keeping this information?

  2. Is there a legal requirement for me to keep this information? Would I break another law if I destroy this information?
    e.g. financial data should be kept for 9 years

If the answer is no to both of the questions above, then the landlord should destroy the information in a safe and secure manner.

Scenario 4: A landlord has 3 potential viewings scheduled for a property. To organise the viewings the prospective tenants have given him their phone numbers. The landlord agrees the tenancy with one of the three, what should he do with the contact details of the other prospective tenants?

The information (a contact telephone number in this example) was collected under the lawful basis of taking steps towards entering into a contract. Once the landlord has entered into a contract with one of the three prospective tenants, that lawful basis no longer exists for the other two, so their data should be destroyed safely and securely unless there is another lawful basis for keeping it.

10. Useful links

ICO Website

Registration Self-Assessment Toolkit - a quick and easy toolkit to determine whether or not a user needs to register with the ICO.

Guide to the General Data Protection Regulation - provides an in-depth overview of GDPR. 

Data Processor Checklist - helps data processors audit their compliance with GDPR best practice.

Data Controller Checklist - helps data controllers audit their compliance with GDPR best practice.

Reporting a data breach - a guide to what constitutes a data breach, and how to report a breach.