This article hopes to be a one stop visit to get our landlord subscribers GDPR ready. Hopefully, as you will see, we’ve done most of the work for you.
We have already produced some fairly detailed guidance about GDPR and that should be consulted in the first instance to get you up to speed with the new phrases and principles about GDPR.
This article is aimed at landlords but agents may find its contents useful. Specifically for agents, Training for Professionals (who we work closely with) have new GDPR privacy notices specifically aimed for letting agents.
Contents
Registration
There is absolutely no change whatsoever to the rules about registering for landlord’s. If you store, use or delete tenant personal information (such as name, email, telephone etc.) using an electronic device (mobile phone, computer etc.) then you should be registered. That is regardless of GDPR.
Registration costs £35.00 per year (including the direct debit discount) and is very quick and easy to do.
You can quickly check if you need to register by using this tool on the ICO website.
Documenting Processing Activities
One of the first steps to complying with GDPR is to document processing activities so you can establish what personal information you hold, who it is shared with and how long it is retained. The document should list categories of people you process data for.
We have conducted an audit of processing activities for our own tenancy portfolio (if you didn’t know, we are a landlord as well us running the Guild). We have found four main categories of tenant:
- enquiring tenants (e.g. let them know if a two bed flat becomes available)
- prospective tenants (after viewing a property have expressed an interest)
- actual live tenants
- ex-tenants
The audit should detail how their personal information is used, who shared with and how long it is retained. It should also refer to any privacy policy informing them of how their information is used and shared.
Our GDPR audit is available here and is in Excel spreadsheet format. You will need to amend to match the data you personally use and our audit is in its early stages and may be amended as we consider what further information should be contained in the audit. However, it should provide a good start for you if nothing else.
Lawful basis of processing
In order to process personal information, landlord’s must have a “lawful basis” to process the information. Processing includes storing, using, sharing and deleting the information.
We have detailed these processes in detail in our earlier article but to summarise, for landlord’s, the main bases for processing will be:
- legitimate interest (where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing which can include a commercial interest)
- contractual fulfilment (where you use their data for fulfilling the contract for example passing details to a contractor to carry out a repair)
- legally required (often landlords are legally required to process data for example in deposit prescribed information, right to rent checks etc.)
- consent (not commonly used for landlord’s but would include for example speaking with housing benefit or Universal Credit).
Privacy policies
Following from the audit and understanding the lawful bases you are allowed to process the information, you then need to inform the tenants how you will use the information.
We have updated all our relevant forms with new GDPR privacy policies and these are listed below. This means if you use our forms, you shouldn’t need any additional privacy policies except the enquiring tenant one (see in a moment).
The following landlord forms and templates have been updated over the last few weeks to today with GDPR privacy notices:
- Application for accommodation
- All versions of the assured shorthold tenancy agreement
- Contractual tenancy agreement (which has now been incorporated into the Tenancy Builder)
- Lodger agreement (excluded licence agreement) (which is now integrated into the Tenancy Builder)
- Garage letting agreement
- Storage letting agreement
- Car parking space agreement
In addition to the adding of GDPR privacy notices, most agreements have had other changes made just whilst we were editing but nothing else too significant.
In the previous versions of our residential tenancy agreements, there was a clause that the tenant gave their consent to speak with Housing Benefit departments. The new GDPR guidance says that anything which requires consent should not form part of a main contract but instead be a separate consent that can be withdrawn as easily as consent was given.
Therefore, we have now produced a separate consent to speak with housing benefit or Universal Credit. This document is automatically emailed with the tenancy agreements from the Tenancy Builder so you should never need to go to the forms section for that consent form.
Finally, we have produced the tenancy agreement privacy notice as a separate download although if you’re using our Tenancy Builder, you should never need it.
The only privacy notice yet to be produced is for enquiring tenants but we have already provided suggested wording in our other article if you want that now.
Existing tenancies
There is absolutely no need whatsoever to do any new tenancy agreements for the GDPR. Our old agreements still had privacy notices in them at the back which although weren’t as detailed as now, they were in our view sufficient to carry on the remainder of the tenancy. As new tenants take over properties, they will soon disappear over time.
If you really want to be belt and braces, you could send the new tenancy privacy notice to your existing tenants with a note that your privacy policy for using their information has been updated.
Processing personal information
Crucially, as long as you’re processing the data under one of the lawful bases (legitimate interest, contract fulfilment, legally required etc.) then you should be just fine. There is a lot of fuss at the moment but really it’s the lawful basis of “consent” which has significantly changed. Consent is mainly required for sales and marketing which is why you’re getting a million emails about it. However, landlord’s generally don’t need consent under the new GDPR rules because they have a legitimate interest, are fulfilling duties under the contract or are legally required to be processing the data.
Other
It is worthy of a quick mention that under the GDPR, tenants will have the right to be sent any information you hold about them. You should have a procedure available should this happen and how you will be able to respond to such a request.
In addition, there is the “right to be forgotten” whereby a request can be made to remove all information you hold. Where you are legally required to process information (such as right to rent) there is no right to erasure. Please see our other article for more information.
Guild of Residential Landlords
Whilst we’re talking about GDPR, we thought you might be interested in the Guild and what we’ve done.
Actually, there wasn’t much needed! All our emails have always been opt-in and you have always been able to opt-out of emails as easily as you opt-in (just click the link at the bottom of every email).
We have made small adjustments to our privacy policy but it was okay to begin with and quite in-depth.
We will be doing an update to our membership handling software which will incorporate a few technical changes but this should be frictionless from your viewpoint. This will allow us to save privacy policy information on a per user basis and a new feature of you being able to delete all information will be available to you (the right to be forgotten). This was done by request previously.
Time off
Finally, as a little note to end with, we’re going to try to take a little break for a week starting this evening (18 May). GDPR updates have been our priority and glad to see it’s (almost) done! The Guild will be running as normal whilst away but if any questions can wait until the week commencing 29 May, we’d be super grateful.
I just want to say a heartfelt thank you for your diligent hard work around GDPR. Without your guidance I would have had a much larger job to get GDPR ready and incidentally I subscribed to the guild because of this. Thanks
Thank you for your kind comments and welcome to the Guild!
It’s frustrating that I need to make my own address publicly available to comply with data protection law! The Information Commissioner’s Office advised that if I have an accountant, lawyer or PO number I could use their address instead on the public register. As a managing landlord with very few properties, I don’t need any of these. A tip to others in my position: the advisor at the ICO did say that I could drop the house number in my street in the public register as long as I include it in the contact information I give for the ICO’s own use.
Thanks for this – saved a lot of time for the audit document and the privacy policy. In common with the majority of landlords I also keep details of a number of tradespeople (plumbers electricians joiners etc ) – as good practice, should I send them a short message to say what information I’m keeping, why I’m keeping it and how its protected with an option for them to ask me to remove it. I really hope my regular plumber wouldn’t take me up on that last point ; )
We don’t think it’s necessary where you’re holding business information. You’re only using it for the purpose it was given i.e. to give them work.
Brilliant article as ever – thank you.Can you please confirm if my understanding is correct:
1. The landlord will always be a (in the eyes of GDPR) Data Controller and anyone who acts on his behalf, for example a letting agent or gas engineer will be a Data Processor for the landlord.
2. The landlord as a Data Controller is ultimately responsible for issuing a privacy notice to the tenant though he/she may use a letting agent to do this on their behalf.
3. Data Controllers (in this case landlords) need to register with ICO if they maintain personal data on electronic devices but Data Processors do not need to register with ICO unless they are also a Data Controller for some other data other than say the data processed on behalf of the landlord in which case they may need to register with ICO.
Does the Guild have a statement/notice that landlords/agents can give to contractors acting on their behalf that defines what is fair processing of personal data passed to them?
Not something we have currently but if anything is needed (it’s really for the contractor to have their own privacy policy) it would only need a single line saying that it’s agreed that the information is to be used solely for the purpose of making contact for the notified repair and no other use.