GDPR, or General Data Protection Regulation, is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It is the most important change in data privacy regulation in 20 years, and it came into effect on 25th May 2018.
GDPR retains much of the Data Protection Act 1998 framework, but it makes a few important changes as well. In the past landlords were advised to give tenants a privacy notice telling them what would be done with their personal data - that will no longer be enough. Now, not only will they have to explain clearly why the data is being collected and how it will be used, but the GDPR will require an individual’s consent to be fully informed and actively and freely given.
The aim of GDPR is to give individuals full control over how their data is handled. This includes the right to be forgotten, the right to alter data and the right to transfer data. So, if a tenant is not happy with you holding their information any longer, they can decide to update it, transfer it to a competitor, or have it deleted. As a landlord, you must comply with their wishes.
Despite the intention to leave the EU, the UK Government has confirmed that the GDPR will be brought into UK law.
If you are thinking of letting, or already let, a property in the UK, you need to ensure you understand your responsibilities under GDPR.
Landlords collect and handle the personal data of tenants as part of the letting process and are therefore classified as data controllers. As a landlord, you are responsible for handling your tenants’ personal information in a way that ensures it is kept safe and secure and is only used for lawful purposes.
In some cases, landlords will find themselves working with agents for the management of their properties, or with third-party organisations that require tenant details during the course of a tenancy agreement (e.g. reference checks). In these circumstances it is important to ask for evidence of compliance with GDPR before engaging their services.
Evidence could be one of the following documents:
As agents act on behalf of landlords, legally they are classified as data processors. Data processors have legal liability for a breach, and as such they are required to always maintain records of personal data and processing activities.
Compliance with the GDPR can be broken down into a multi-stage process:
If you store, use or delete tenant personal information (such as name, email, telephone etc.) using an electronic device (mobile phone, computer etc.) then you should be registered. The best way to check whether this applies to you is to complete the ICO’s self-assessment form.
Please note: there is a small registration fee to pay every year.
List the data you hold and where you have sourced it. You should be transparent about what information you collect about someone and why. A responsible landlord should audit the organisation to map as accurately as possible all the different ways that personal information streams into the business:
This information can be logged on a spreadsheet for your records.
Below are a few important sections you should include:
Handling and protecting your tenants’ data
A common-sense approach should ensure that GDPR is adhered to when handling personal data:
Keep paperwork, external hard drives, USB sticks and anything else that carries personal data in a locked cabinet or safe.
Password protect your mobile phones, computers and other devices. Fingerprint scans are also available on many smartphones.
Keep track of each tenant’s data and permanently delete anything you don’t need. A previous tenant can ask you to delete all the information you have about them; however, be sure to comply with any legal requirements to keep the data – HMRC records, for example.
The most important thing to remember, however, is to keep a written record of the actual consent – a signed document is preferable, though a text message, email, fax or digital log will be adequate.
Failure to comply with GDPR will lead to large penalties for data breaches. Sanctions vary depending on the type of contravention, but fines of up to €20 million (equal to 4% of annual worldwide turnover) are permitted.
The ICO (Information Commissioner’s Office) is the organisation responsible for ensuring people comply with GDPR and has the authority to test your systems at any time.