The General Data Protection Regulation (GDPR) came into effect on 25 May, providing new privacy rights to consumers across the EU and in the UK (even post-Brexit).
This means new rules will apply to all businesses that handle customer data, including landlords.
So, if you rent out a property, the way you collect, use and store information about your tenants must be fully compliant.
1. All UK landlords must be GDPR compliant
Under GDPR, any business or sole trader who collects information is classified as a ‘data controller’. And since all landlords have to collect personal data, for example when checking tenants’ photo ID to ensure they have the ‘right to rent’, they’re data controllers too.
It doesn’t matter if you have one property or 100: GDPR applies. And if you breach GDPR rules, you could be fined up to 4% of your annual turnover or €20 million (whichever is higher).
2. You need a lawful basis to collect data
You must be able to prove you’re using personal data for one of the following reasons:
- Consent. You’ve explained why you have their data, and have their permission to use it. For example, if a prospective tenant has provided their email address to arrange a viewing for one property, you can’t just add them to a mailing list for information about all your properties – you need their explicit consent to do this.
- Contract. You need the data to complete a request. For example, if you need to use their phone number to arrange agreed repairs.
- Legal obligation. The data is necessary to comply with the law. For example, asking for a copy of their passport to prove ‘right to rent’ eligibility.
- Vital interests. Using data to protect someone’s life. Hopefully you won’t need this one.
- Public task. You need the data for the public good, like repairing unstable external walls that threaten passers-by.
- Legitimate interests. You need their data to protect your interests, for example your property investment. However, this need must be balanced against any invasion of privacy.
3. Your data records must be up to date
All data controllers need accessible records of their data. This is so your tenants can:
- Request a copy of their data
- Find out why you’re holding it (your ‘data policy’)
- Stop you from using it
- Have the data deleted
For this to be possible, you need clear filing systems (both digital and physical), as well as open lines of communication and a plan in place to meet requests.
4. You’re responsible for security
You need security systems to prevent personal data from being accessed or used by unauthorised individuals, and from being lost or damaged. Keep printed information under lock and key, with copies in an equally safe place. Ensure all digitally stored information is encrypted, password protected and backed up.
You’ll also need to prove that these systems are in place if requested by the Information Commissioner’s Office (ICO), which is in charge of GDPR in the UK. If any data is lost or stolen, you need to contact the ICO and your tenants within 72 hours.
5. Help is available
The ICO is your first port of call if you’re concerned about anything, whether it’s your rights, or how you can protect the rights of your tenants. And they have plenty of detailed documents to help you deal with specific issues.
But for a full, simple breakdown of the new rules and a full checklist to help you comply with every element, you can just visit our GDPR guide for small businesses.