How to Comply with GDPR - A landlord Guide

We have already produced some reasonably detailed guidance about GDPR, and that should be consulted in the first instance to get you up to speed with the new phrases and principles of GDPR. 

This article is aimed at landlords, but agents may find its contents useful. 

Specifically for agents, Training for Professionals (who we work closely with) has new GDPR privacy notices aimed explicitly at letting agents.

Registration

There is absolutely no change to the rules about registering for landlords. If you store, use or delete tenant personal information (such as name, email, telephone etc.) using an electronic device (mobile phone, computer etc.), then you should be registered. That is regardless of GDPR. 

Registration costs £35.00 per year (including the direct debit discount) and is very quick and easy to do. You can quickly check if you need to register by using this tool on the ICO website.

Documenting Processing Activities

One of the first steps to complying with GDPR is to document processing activities, so you can establish what personal information you hold, who it is shared with and how long it is retained. The document should list categories of people you process data for. 

We have conducted an audit of processing activities for our tenancy portfolio (if you didn’t know, we are a landlord as well as running the Guild). 

We have found four main categories of tenants:

  • enquiring tenants (e.g. let them know if a two-bed flat becomes available)
  • prospective tenants (after viewing a property have expressed an interest)
  • actual live tenants
  • ex-tenants

The audit should detail how their personal information is used, who shared with and how long it is retained. It should also refer to any privacy policy informing them of how their data is used and shared. 

Our GDPR audit is available here and is in Excel spreadsheet format. You will need to amend it to match the data you use, and our audit is in its early stages and may be amended as we consider what further information should be contained in the audit. 

However, it should provide a good start for you, if nothing else. 

Further guidance about documenting processing activities is available on the Information Commissioners Office (ICO) website.

Lawful basis of processing

To process personal information, landlords must have a “lawful basis” to process the data. 

Processing includes storing, using, sharing and deleting the information. We have detailed these processes in detail in our earlier article, but to summarise, for landlords, the main bases for processing will be:

  • legitimate interest (where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing, which can include a commercial interest)
  • contractual fulfilment (where you use their data for fulfilling the contract, for example, passing details to a contractor to repair)
  • legally required (often landlords are legally required to process data, for instance, in deposit prescribed information, right to rent checks etc.)
  • consent (not commonly used for landlords but would include speaking with housing benefit or Universal Credit).

Privacy policies

Following the audit and understanding the lawful bases, you are allowed to process the information; you then need to inform the tenants how you will use the information. 

We have updated all our relevant forms with new GDPR privacy policies, which are listed below. 

This means if you use our forms, you shouldn’t need any additional privacy policies except the enquiring tenant one (see in a moment). 

The following landlord forms and templates have been updated over the last few weeks to today with GDPR privacy notices (links require an active subscription):

In addition to the adding of GDPR privacy notices, most agreements have had other changes made just whilst we were editing, but nothing else too significant. In the previous versions of our residential tenancy agreements, there was a clause that the tenant gave their consent to speak with the Housing Benefit departments. 

The new GDPR guidance says that anything which requires consent should not form part of the main contract but instead be a separate consent that can be withdrawn as quickly as permission was given. 

Finally, we have produced the tenancy agreement privacy notice as a separate download, although if you’re using our Tenancy Builder, you should never need it. 

Existing tenancies

There is absolutely no need whatsoever to do any new tenancy agreements for the GDPR. Our old contracts still had privacy notices in them at the back, which weren’t as detailed as now and were sufficient to carry on the remainder of the tenancy. 

As new tenants take over properties, they will soon disappear over time. If you want to be belt and braces, you could send the new tenancy privacy notice to your existing tenants and note that your privacy policy for using their information has been updated.

Processing personal information

Crucially, as long as you’re processing the data under one of the lawful bases (legitimate interest, contract fulfilment, legally required, etc.), you should be just fine. 

Other

It is worthy of a quick mention that under the GDPR, tenants will have the right to be sent any information you hold about them. You should have a procedure available should this happen and how you will be able to respond to such a request. In addition, there is the “right to be forgotten”, whereby a request can be made to remove all information you hold. Where you are legally required to process data (such as the right to rent), there is no right to erasure.

Guild of Residential Landlords

Whilst we’re talking about GDPR, we thought you might be interested in the Guild and what we’ve done. There wasn’t much needed! All our emails have always been opt-in, and you have always been able to opt out of emails as quickly as you opt in (click the link at the bottom of every email). 

We have made slight adjustments to our privacy policy, but it was okay to begin with and quite in-depth.

View Related Handbook Page

Record Keeping and Data Protection

It is essential that landlords have a good system of record keeping. A file should be kept for a property and then each time a new tenancy is given to a new tenant