Letting agent GDPR responsibilities and why it is important

Arthur Online

By Arthur Online

20 October 2022

Letting agents have been responsible for data, privacy, and protection since the renewal of the Data Protection Act (2018). This responsibility brings pressure to keep sensitive information and data stored securely, especially with the risk of identity theft, hacking, and much more. 



Therefore, it is vital agents know their responsibilities, understand and abide by GDPR law to remain compliant, and use a safe, reliable system of storage and protection.


GDPR – what it is and why it’s important

According to GDPR legislation, anyone controlling and processing data is seen as either a data controller or data processor. A data controller is any organisation overseeing the way data is handled and processed, and a data processor is any organisation processing personal data for the data controller. Letting agents are usually both unless processing is outsourced to an external third party.

There are many different types of personal data. Contact numbers, names, email addresses, residential addresses, and many more are examples of personal data agents are responsible for when dealing with tenants. These details can be obtained through different processes, such as booking a viewing with prospective tenants.

When working with external contractors, agents will be required to acquire written consent from these organisations before controlling and processing their information.

There is a strict protocol when it comes to gathering and storing personal information. Guidelines state data must be:

  1. Used fairly, lawfully, and transparently: communicate how data will be used and who it will be shared with.
  2. Used for specified and explicit purposes: such as storing tenancy information for deposits.
  3. Used in a way that is relevant and for what is necessary: for instance, taking simple contact details from prospective tenants for viewings.
  4. Accurate and kept updated: all information stored must be updated if/when necessary, such as a tenant’s new occupation.
  5. Deleted when no longer necessary: deleting prospective tenant information after a few months when they have likely found residence.
  6. Handled securely: protected against “unlawful or unauthorised processing”, loss or damage. 

GDPR protocols are very strict to ensure individuals’ personal data is protected. Negligence in following protocol can lead to severe consequences. Agents must ensure they’re transparent with how data will be used, and make sure to gain consent from individuals to avoid “unlawful or unauthorised processing”. Failure to do so can lead to hefty fines. 

Failure to follow GDPR law can lead to severe repercussions, meaning agencies could face fines of up to 20 million euros. The minimum penalty includes fines of up to 10 million, which would be followed by an investigation by data protection authorities. Therefore, compliance is extremely important.


Letting agents’ roles and responsibilities:

It is important for agents to know their responsibilities, including providing privacy notices, registering with the ICO, and much more.

Providing a privacy notice is important to remain compliant with GDPR guidelines and individual rights. One of the most integral principles of GDPR is the right to inform persons by using a privacy notice. This notice outlines who you are, what you plan on doing with the information, and where and/or who you will share the information with, e.g. HMRC. Agents should personalise the notice to fit their agency’s branding and terms of use. This should also be clearly displayed on any platform or strategy used to gather data.

Agencies should also create a data protection policy, which is used to outline the terms of how the organisation and staff handle data. These policies aim to maintain compliance, and help staff understand their responsibilities. Agencies should ensure the policy is direct and clear on how individuals’ data will be stored. 

If agents plan on collecting and storing data on an electronic device, they should also register with the ICO (Information Commissioner’s Office). This incurs a fee which is based on your agency’s maximum turnover in the financial year; however, most agencies fall into ‘Tier 1’, which is a £40 annual fee.

Methods of processing data are different for each agency. However, it is recommended to categorise the types of individuals you work with, e.g. existing tenants. You then need to decide what minimum amount of information is needed for each category. For example, for an existing tenant, agents need contact information, such as name, phone number, email addresses, etc. Agents will also need financial information, such as direct debit or bank details when dealing with rent payments.


Effective cloud-computing data protection:

Cloud-based software is a reliable, safe solution to data privacy and protection. Although using complex systems comes with some risks, the tools provided in property management software help to minimise these risks, optimise processes, and save the added expense of hiring more staff, e.g., a data protection officer.


To find out more about GDPR, data privacy, and the benefits of using cloud-based software, download our eBook “Managing Privacy and Data Protection Safely for Letting Agents”.


*Disclaimer: this blog is only intended as a guide, and should not be taken as legal advice*

