What are the GDPR requirements for landlords?
06-11-2024 | Legal Advice for Landlords
In May 2018, the General Data Protection Regulation (GDPR) came into effect country-wide, replacing the 1995 Data Protection Directive. GDPR is the toughest and most detailed security law in the world, affecting businesses across Europe. There have been many high-profile cases of personal data and privacy breaches over the years, and those who violate the GDPR privacy and security standards can incur pretty big fines.
Although GDPR wasn’t designed with landlords in mind, the legislation applies to more or less every single sector, so a basic understanding of the rules is vital. There are certain landlord GDPR requirements and standards that you must uphold. Non-compliance can result in a fine of up to 4% of your turnover.
How does GDPR affect landlords?
GDPR affects large businesses in enormous ways; however, the requirements do filter down to much smaller businesses too – even landlords with one or more rental properties.
As a landlord, it’s extremely likely that you use and store your tenants’ personal information, be that names, email addresses, phone numbers or financial information. If that’s the case, you will need to store and process this information transparently.
You must only use this information for the purpose for which it was provided. For example, if a tenant provided you with their email address because they want to rent a home from you, you cannot then email them using this address with information about something completely unrelated.
Personal information vs sensitive information
As a landlord, you may also find yourself obtaining personal sensitive information about your tenant. This could be any of the following:
- Race/ethnicity
- Political opinions
- Religious belief
- Sexual orientation
- Trade union membership
- Physical health condition
- Mental health condition
- Criminal history.
Processing (which relates to sharing, storing or deleting) any data relating to the above is prohibited, except in very limited circumstances.
Third-party data processing
If you use a letting agent or property manager, you may need to share your tenant’s personal data with them or have them process it. You may also need to share data with maintenance contractors such as plumbers or electricians, referencing or credit check agencies and legal professionals such as solicitors. Although it’s often necessary, landlords should limit the amount of tenant data shared with third parties and only do so when it is needed.
In these instances, it’s a landlord’s responsibility to ensure that GDPR compliance is maintained. For this reason, landlords are considered ‘data controllers’. They control the data, as it were. The third party in question is considered a ‘data processor’, as they process the data on behalf of the landlord following their instructions. They could also be considered a ‘joint controller’ if, as in the case of a letting agent handling references, they have a role in determining the data’s purpose.
So, how exactly does a landlord ensure that third-party data processors remain GDPR compliant? They must ensure that the third party in question has the necessary security measures and policies in place to protect tenant data. They must also have a Data Processing Agreement (DPA) in place with the third party which includes:
- The purpose of data processing
- Categories of data being processed
- The obligations and rights of the data processor
- Security measures to protect the data
- Instructions on how to handle data breaches.
GDPR and landlords – what’s required?
Firstly, you should always notify tenants of what personal information you’ll be collecting and storing from them and why. Inform them of exactly how you might use this information and who else could potentially see it. Let them know how long you’ll be keeping the information for and how you’ll dispose of it. It’s good practice to present this information within a privacy notice.
Privacy notice
In the early stages of the tenancy, it’s a legal requirement to provide your renters with a privacy notice, otherwise known as a privacy policy, privacy statement, Fair Processing Notice (FPN) or a Data Protection Notice.
This should include:
- The identity of the data controller (the landlord) such as name, address and contact details
- The purpose/s for which the data will be processed
- The identity of anyone else who may see the data
- How long the personal data is expected to be held.
The privacy notice should also set out the tenant’s rights under GDPR and how your tenant can get free legal advice before taking the tenancy. Ensure that you retain a signed copy of this privacy notice on file.
ICO registration
Landlords are also required to register with the Information Commissioner’s Office (ICO) to be fully compliant with GDPR. The ICO is the independent body responsible for regulating the Data Protection Act. It promotes good practice and gives information to individuals and organisations, along with being responsible for taking enforcement action in the event of a breach.
There is a fee required to be compliant and you’ll need to provide your name, address, trading name, number of employees and turnover. If you only process data manually, then you aren’t required to register with the ICO. However, as most landlords use a PC, mobile phone or tablet to process data, ICO registration is required.
Managing tenants’ data securely
So, how exactly do you keep your tenants’ data safe? Map how your tenants’ data is processed as much as possible. Consider the following:
- What it is
- How personal it is
- Who it is shared with
- How long it is shared for
- How it is disposed of.
Whether you hold data digitally or physically in files and folders, ensure that you keep them safe and locked away.
Digital safety is very important when it comes to phones and laptops, especially as this is where the majority of landlords will store their tenants’ data. Make use of password protection and ensure that your WiFi network is password protected and secure. When a tenancy ends and the person is no longer your tenant, make sure that you thoroughly delete all information that you have that relates to them.
You may hold tenants’ data on services such as MailChimp or Constant Contact. Most of these services will be fully aware of GDPR rules and should have a policy statement available. But remember – if you input people’s data onto these services, you are the one responsible for its safety as well as the service company.
Consent is a major part of landlord GDPR compliance. Ensure that you are explaining clearly why information is being collected and how it will be used. It is advised to get a signature from your tenant to prove that they are fully informed and consent was freely given. Additional consent will be required if the data is to be passed to a third-party.
If you are unsure of GDPR for private landlords, please seek professional guidance from the ICO. Along with protecting your tenants’ data, be sure to protect yourself and your investment with landlord insurance. Get a quote online today or request a callback. Alternatively, you can contact us via our website or give us a call on 01788 818 670.