A GDPR guide for Landlords in 2019


GDPR, or General Data Protection Regulation, is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It is the most important change in data privacy regulation in 20 years, and it came into effect on 25th May 2018.

GDPR retains much of the Data Protection Act 1998 framework, but it makes a few important changes as well. In the past landlords were advised to give tenants a privacy notice telling them what would be done with their personal data - that will no longer be enough. Now, not only will they have to explain clearly why the data is being collected and how it will be used, but the GDPR will require an individual’s consent to be fully informed and actively and freely given.

Cyber changes made in preparation for the new Data Protection Act 2018 (GDPR)

The aim of GDPR is to give individuals full control over how their data is handled. This includes the right to be forgotten, the right to alter data and the right to transfer data. So, if a tenant is no longer happy with you holding their information, they can decide to update it, transfer it to a competitor, or have it deleted. As a landlord, you must comply with their wishes.

Despite the intention to leave the EU, the UK Government has confirmed that the GDPR will be brought into UK law.

If you are thinking of letting, or already let, a property in the UK, you need to ensure you understand your responsibilities under GDPR.

Landlords collect and handle the personal data of tenants as part of the letting process and are therefore classified as data controllers. As a landlord, you are responsible for handling your tenants’ personal information in a way that ensures it is kept safe and secure and is only used for lawful purposes.

In some cases, landlords will find themselves working with agents for the management of their properties, or with third-party organisations that require tenant details during the course of a tenancy agreement (e.g. reference checks). In these circumstances it is important to ask for evidence of compliance with GDPR before engaging their services.

Evidence could be one of the following documents:

  • Data management policy
  • Privacy policy
  • Data processing policy
  • Privacy agreements

As agents act on behalf of landlords, legally they are classified as data processors. Data processors have legal liability for a breach, and as such they are required to always maintain records of personal data and processing activities.
To demonstrate best practice in ensuring compliance with GDPR, agents should provide the landlord with evidence of compliance e.g. privacy policy, privacy notices and privacy processes.

Compliance with the GDPR can be broken down into a multi-stage process:

  1. Check if you need to register with the ICO

    If you store, use or delete tenants’ personal information (such as name, email, telephone etc.) using an electronic device (mobile phone, computer etc.) then you should be registered. The best way to check whether this applies to you is to complete the ICO’s self-assessment form.

    Please note: there is a small registration fee to pay every year.

  2. Prepare a data audit

    List the data you hold and where you have sourced it. You should be transparent about what information you collect about someone and why. A responsible landlord should audit the organisation to map as accurately as possible all the different ways that personal information streams into the business:

    • What that personal information is
    • Whether it is sensitive personal information
    • How it is held
    • Who it is shared with
    • How long it is held for
    • How it is disposed of

    This information can be logged on a spreadsheet for your records.

  3. Get yourself a GDPR compliant landlord privacy policy

    Preparing a data audit is a very important step towards drafting your own GDPR compliant privacy policy.

    A landlord privacy policy is a very important document which you are required to provide to all your new tenants. A good privacy policy should inform the tenant as clearly and accurately as possible how their data is collected and how it is protected throughout the tenancy cycle.

    Below are a few important sections you should include:

    • The kind of information you are holding about your tenants (e.g. passport details, salary, National Insurance number, personal contact details etc.)
    • How is their personal data collected?
    • How will you as a landlord use their information? (Specify under what circumstances their data will be used)
    • What will you do if they fail to provide personal information?
    • Data sharing
      • Sharing information with third parties: specify under what circumstances you might share their information with third-party service providers
      • How secure their information is with those third-party service providers
    • Data Retention:
      • How long will you use your tenants' information for?
      • How will you treat your unsuccessful applicants' data?
      • How will you treat your former tenants' personal information?
    • Data security: this is where you will specify what measures are in place to protect the security of your tenants’ information
    • Rights of access, correction, erasure, and restriction: In this section you will clearly specify your data subjects’ rights in connection with their personal information
    • Rights to withdraw consent: in this section you will be affirming your data subjects’ rights to withdraw their consent to the collection, processing and transfer of their personal information at any time. This is where you will specify the procedure for withdrawing consent according to your company's policies.

    You can link your personal landlord privacy policy to your website if you have one. Otherwise it is best practice to include a copy of your privacy policy within the Tenancy Agreement.

    A template of a privacy policy for landlords can be downloaded from the RLA website and adapted to your specific organisation.

  4. Handling and protecting your tenants’ data

    A common-sense approach should ensure that GDPR is adhered to when handling personal data:

    • Physical Safety

      Keep paperwork, external hard drives, USB sticks and anything else that carries personal data in a locked cabinet or safe.

    • Digital Safety

      Password protect your mobile phones, computers and other devices. Fingerprint scans are also available on many smartphones.

    • Organisation

      Keep track of each tenant’s data and permanently delete anything you don’t need. A previous tenant can ask you to delete all the information you have about them, however, be sure to comply with any legal requirements to keep the data – HMRC records, for example.

    The most important thing to remember, however, is to keep a written record of the actual consent – a signed document is best, though a text message, email, fax or digital log will be adequate.

Penalties for Data Breaches

Failure to comply with GDPR laws can lead to large penalties for data breaches. Sanctions vary depending on the type of contravention, but fines of up to €20 million (equal to 4% of annual worldwide turnover) are permitted.
The ICO (Information Commissioner’s Office) is the organisation responsible for ensuring people comply with GDPR and has the authority to test your systems at any time.