GDPR stands for General Data Protection Regulation and refers to the new Data Protection rules which will come into force on 25 May 2018.
Now before you click away thinking “this does not apply to me” be aware that:
- If you are a landlord it DOES apply to you (even if you just have one rented property), and
- The fines for noncompliance are up to the larger of 4% of your turnover or 20 million Euros.
So if you get things wrong you could lose out big time.
The data in question is personal data: information about people which, if it got into the wrong hands, could cause them untold damage. If you hold people’s data you are expected to look after it.
The new rules are a lot more onerous than the old and the deadline is creeping up on us. So if you are a landlord or a letting agent and have not started your preparation yet, here is a plan of action to help you.
1. Make sure you are registered
If you are a landlord or letting agent – you should already be registered with the Information Commissioner’s Office. The Information Commissioner enforces the Data Protection rules.
Everyone who holds and processes (ie uses) data electronically needs to be registered. There are very few exceptions and they probably won’t apply to you. If you are not registered, you need to get this done asap – check the ICO website here.
2. Do a list of the type of data that you hold
So, for example, if you are a landlord or letting agent:
- You will hold personal details about your tenants.
- If you are a letting agent you will have details about your landlords.
- You may also hold details about ‘prospects’ eg your mailing list, for example, if you regularly send information or promotional emails or letters out to prospective landlords or tenants
3. Do a list of the places where it is held
For example, if you are receiving this post via email, then I will hold some details (your email address and maybe your name) on Aweber which is the software used to send most of the blog post mailings. Or, if you have been subscribing for a long time, on Feedburner.
There will probably (particularly if you are a letting agent) be more than one place where you hold data – for example, your Customer Relationship Management (CRM) software, any separate service used to send out newsletters (e.g. Constant Contact or MailChimp), your accounts software, etc.
4. Check that those places are GDPR compliant
If data is held online it should be on a secure site and be password protected. However, there is more to it than that. You need to contact your service to find out what they are doing.
Most of these services are fully aware of the new rules and should have a policy statement somewhere. Find out where it is and keep a record of it. Most reputable services will ensure that they are compliant by the deadline of 25 May.
But remember – if you input people’s data onto these services YOU are responsible for its safety as well as the service company.
5. Check that you have permission from people to use their data in the way that you are using it.
For example, if Mrs A gave you her email address in connection with her application for a tenancy that does not necessarily mean that she gave her permission for you to send marketing mailings to her.
If you are using data from a purchased list to send out marketing emails you need to be very careful. Even if you created your mailing list in-house, it may be best to start again from scratch so you can be sure that you have everyone’s permission. This is what I am doing here.
Remember that it has to be an active ‘opt-in’. One of the purposes of the new rules is to reduce spam and unwanted mailings – so make sure that you can show that everyone on YOUR list has actively consented to get your mailings.
Note however that you do not need specific permission to ‘process’ your tenant’s data if you are using it in connection with their tenancy (such as writing to tenants about property inspections or arranging for essential repair work to be done) or if you are under a legal obligation to retain data, for example for tax reasons or under the right to rent rules.
6. Do a ‘privacy notice’ or have a ‘privacy page’ on your website
A privacy page needs to set out in detail what you do with people’s data and inform people what they can do if they want to unsubscribe or get their data deleted.
My privacy page (still a work in progress) is here. Take a look also at the ICO privacy notice page here.
Once you have this set up you should link to it from all your mailings, particularly any automatic mailings.
If you don’t have a website, or when dealing with tenants, I suggest you have a printed notice which you hand out to tenants, for example when you take their details when they apply to rent your property.
We have privacy notices which I have drafted for landlords and letting agents on my Landlord Law service.
7. Appoint a Data Protection Officer
If you are a small firm or one-man band – this will probably be you!
The Data Protection Officer’s job is to monitor compliance, ensure that your employees are informed of their duties under the regs, and to be the first point of contact for members of the public contacting you about data protection issues, and also the authorities (i.e. the ICO). Generally, the Data Protection Officer will be responsible for compliance within your organisation.
They should be someone of reasonable seniority and have the authority to make any necessary changes.
If your organisation is quite large (or even if it is not), you should arrange for your Data Protection Officer to have suitable training.
Other things
Here are a few other suggestions.
Keep a diary or record of actions taken
Use this to record any work you do preparing for the GDPR so if the ICO contact you about a breach you can show them that you are taking it seriously.
Answer the ICO GDPR checklist.
You will find this here. Keep a record of your answers and review it from time to time. Maybe keep your answers as part of your diary. Again it will go to show the ICO that you are preparing as best you can.
Needless to say, take any action which is flagged up by the ICO checklist – do not assume that my checklist is the final answer! It is only a starting point.
Make sure that your tenancy agreements include suitable Data Protection clauses.
The Landlord Law tenancy agreements have a separate Data Protection section for this.
Develop a Privacy Information Notice
You should also give your tenants a privacy notice which sets out how you use their data. We have one for Landlord Law members which landlords can use.
Note by the way that you do not need tenants’ consent to ‘process data’ for the purpose of their tenancy as you are in a contractual relationship with them so can do this as of right. Your privacy notice should explain this to them.
Find out more
For example, Landlord Law Members should also watch David Smith’s excellent Landlord Law training webinar which you will find here. (Part of our regular Landlord Law members webinar training program)
This has far more information and guidance than I am able to give here. Plus we also have articles and FAQ on data protection issues. Find out about Landlord Law membership here.
A few extra notes
- You can no longer make a charge when people request a copy of their data, but you may be able to refuse in some circumstances (but check the law before you do so).
- Although people will now have a ‘right to be forgotten’ they cannot require you to delete your data about them if they are a customer (where you will need to hold data for legal reasons)
- Save where you need to retain information (eg for customers) you should make a practice of deleting information if it is no longer being used.
For more information
Please see the ICO website. My tips above are just a general guide and do not cover everything.
There is also further guidance for landlords and privacy notices for you to use on my Landlord Law online service.
NB A version of this article was first published in the Landlord Law Newsletter.
So as a landlord of one property, which is managed by a letting agent, I am usually sent the names of tenants and an idea of their job. Sometimes, but not always, I receive their email address and phone number. That’s about it. I receive this information via email (password protected) and any documents (e.g. tenancy agreements) are stored on my laptop (password protected). Do I need to register with the ICO? What do you mean by “you need to contact your service to find out what they are doing” under point 4 above? How long do I need to keep information about previous tenants?
Please note that I am not myself a Data Protection specialist. This post is just intended to be helpful and to warn people about the new rules coming.
I don’t know whether in your particular circumstances you need to register – you need to ask the ICO
As regards contacting your service – I don’t know what service you use. But if, for example, you store customer data on Dropbox, you need to contact Dropbox to satisfy yourself that they are compliant. Although I contacted them myself and they told me it was this page: https://www.dropbox.com/security/GDPR
Keeping information about tenants – at least 6 years after the tenants vacate to protect yourself against tenant claims (ie you will be in a bit of a pickle if they sue you for something and you have no records). However, you will probably need to keep it at least as long as that also for tax reasons.
I am a landlord and not currently registered with ICO. I use letting agents to manage my properties. I get an email each month for each property that I check for any unexpected expenses. From the emails I collect the data I need to do my accounts each year, Accounts and record keeping is one of the uses that is exempt. I don’t know the name of most of my tenants, though I could find out.
I have found multiple sources saying that GDPR does not require registration, but the UK’s Digital Economy Act does – “The Secretary of State may by regulations require data controllers to pay charges of an amount specified in the regulations to the Information Commissioner.” Draft regulations were published last month and include a similar exemption to the one I have been relying on. – http://www.legislation.gov.uk/ukdsi/2018/9780111165782/pdfs/ukdsi_9780111165782_en.pdf –
(f) subject to sub-paragraph (4), for the purposes of—
(i) keeping accounts, or records of purchases, sales or other transactions,
(ii) deciding whether to accept any person as a customer or supplier, or
(iii) making financial or financial management forecast, in relation to any activity carried on by the data controller;
Of course registration is separate from complying with GDPR
It’s up to you of course but for small organisations registration is not expensive at £40 pa (which I think is the new fee). My view is that it’s better to register and be sure that you are compliant.
But if you don’t think you need to register, please at least check this out with the ICO first.
I would add that I have always found the ICO to be really helpful and I know that I used their support service when I registered myself (although that was over 20 years ago!).
There is no real point in checking until the draft becomes final, but as written it is pretty clear. I keep records of transactions, I process those records only for my accounts and for financial management. Everything else is managed by my letting agents. Anyway the ICO have a warning on their website that they are currently getting a high volume of calls.
If I needed to register I suspect it would cost £80 – £40 for the properties in my own name and £40 for those my company owns (minus 19 or 20% tax). As it is I suspect that I will spend more time figuring out what to do about GDPR than on any other aspect of my business this year.
In February 2016, I was told by the ICO that I did not need to register if the only data I have is needed for administration of my business i.e. tenants details for inclusion in the contract, prescribed information or accounts and right-to-rent check etc.
If I take a reference or am sent anything more than a pass or fail by a referencing agent then I need to be registered.
The majority of landlords are not registered as there are 524845 people/organisations (not just landlords) registered today and there were an estimated 2,000,000 private landlords in 2014 (Paragon estimate) (a figure that I think has gone up rather than down).
Oh no! Not £80!
I have done the ICO online questionnaire and it tells me that I am required to register, because I have a property that is managed through an agency, but I have access to some details of the tenants. However, by registering on the database my private home address will then be on a public register for anyone to access – what about protection of my private data? This seems very contradictory – in order to fulfil the law’s requirement to protect the private data of my tenants I have to put my own private details into the public domain. Is that correct, or am I missing some fundamental concept that makes this seemingly illogical situation logical?
It really is geared towards organisations. I can’t ‘add a privacy page to my website’, for example, because I don’t have one. I’ve tried to register with ICO as an overseas landlord but I have no ‘UK office’, nor any address in the UK I could use; without this, the system doesn’t allow me to proceed to registration. My understanding is that the requirement as a landlord is to comply with the legislation, not necessarily to register with the ICO. To this end, I have gone through the (scant) information I have received from letting agents about tenants and detailed where it is (securely) stored. I have also checked each of the different AST agreements that were drawn up by the letting agents and confirmed that each one states that the agent may pass tenant details on to me and/or third parties such as utility suppliers and reference agencies.
As a landlord you are already required to have an address in the UK at which notices can be served. Can’t you use that?
I called the ICO as I am also an overseas landlord and I use a lettings agency to manage my properties and tenants. As I am operating outside of the UK and EU, and because the agency deal with my tenants, the ICO said that I have no obligation to register with them.
That is exactly what I thought, Mel! Any sole trader’s name and home address is now available to all and sundry. How fair is that? Another half-baked idiotic idea coming out of Brussels!
As Peter says, all landlords need to provide an address to their tenancy anyway for service of documents and agents are obliged to disclose their landlord’s address if a request is made under s1 of the Landlord & Tenant Act 1985. https://landlordlawblog.co.uk/2014/05/29/a-tenants-right-to-know-his-landlords-address/
People can also find out who owns land by a search at the Land Registry.
I have now had a word with the ICO about the question of landlords having to put their private address on the ICO register. They tell me that it would be possible to register giving a PO Box address, which would give you more privacy.
It is possible that you may also be able to give the address of your lettings agency (but then you would need to remember to change this if you change agents).
I have successfully let a property for 5 years using a fully managed service with a very reputable national company. My most recent tenant left with £1600 in arrears. The agency now leaves the chasing of those arrears to me. I requested the agency send me any forwarding details and most importantly the Guarantor details as that will probably be the most successful route. The agency refuse to give me any details citing the Data Protection Act. How can this possibly be right? Any ideas?
This often happens. I wrote about it back in 2010 here https://landlordlawblog.co.uk/2010/04/15/are-landlords-entitled-to-see-tenants-references-obtained-by-their-agents/
You could maybe suggest to the agents that they are refusing to release the information as they want to conceal their poor service. They won’t like that.
You could also mention that if you were to bring proceedings against them for compensation under, for example, the Supply of Goods and Services Act 1982 for their poor service they would be obliged to disclose these documents at the ‘discovery’ stage and that you hope it won’t have to come to that.
But I suppose that may be a bit tactless. I do get very fed up with hearing about this agents’ excuse though – it is so self-serving if they have done a poor job.
Really, this appears to be more of a farce, the more I read about it. There must be tens or even hundreds of thousands of landlords out there who, like me, would expect that they don’t need to do anything as they are not a business or organisation.
In just asking a couple of other landlords I know about it, they too haven’t registered, as they are also just as confused. It appears no one will commit to saying whether an investor Landlord, not a business, is liable to register and produce a bunch of unnecessary paperwork, since they are not data protection experts. Not even the RLA’s report and summary about “what to do” doesn’t actually tell you what to do if you are an investor Landlord like me. My agent too, is rather dumbfounded by it all.
What about the other hundreds and thousands of email addresses I have collected over the years, for other purposes? What about protection of that data, which is not related to my investment as a landlord? I despair!
£40 a year? For what? It doesn’t cost any money if we are the ones completing the registration.
I wish I hadn’t bothered to try to read about this all and instead continued on oblivious. I’m sure my tenants won’t care.
It’s up to individual landlords whether they register with the ICO or not, all this article is doing is providing some guidance. If you decide not to register that’s entirely a matter for you.
I have been registered with the ICO for over 20 years, and all it involves is a modest annual fee (after the initial bother of registering). I have not experienced any adverse consequences.
You may think, if you own a property which is rented out to tenants, that this is ‘just an investment’ and I realise that from a tax point of view that may be the case. But so far as the other authorities are concerned, you are providing a consumer service – homes for people to live in. It is an important and responsible service – which is why it is regulated and becoming more so.
It is incumbent on you, as the property/business owner, to ensure that the data held in connection with this service is treated in a proper and legal manner. This is one aspect of your legal obligations as a landlord.
The fact that other landlords may be breaking the law is not a justification for you to break the law too. Although I suspect that the ICO enforcement activity will not, at the moment, be aimed at small landlords.