I think most of our calls and emails recently have been about the General Data Protection Regulations (GDPR)!

This article hopes to be a one stop visit to get our landlord subscribers GDPR ready. Hopefully, as you will see, we’ve done most of the work for you.

We have already produced some fairly detailed guidance about GDPR and that should be consulted in the first instance to get you up to speed with the new phrases and principles about GDPR.

This article is aimed at landlords but agents may find its contents useful. Specifically for agents, Training for Professionals (who we work closely with) have new GDPR privacy notices specifically aimed for letting agents.

Contents

Registration

There is absolutely no change whatsoever to the rules about registering for landlord’s. If you store, use or delete tenant personal information (such as name, email, telephone etc.) using an electronic device (mobile phone, computer etc.) then you should be registered. That is regardless of GDPR.

Registration costs £35.00 per year (including the direct debit discount) and is very quick and easy to do.

You can quickly check if you need to register by using this tool on the ICO website.

Documenting Processing Activities

One of the first steps to complying with GDPR is to document processing activities so you can establish what personal information you hold, who it is shared with and how long it is retained. The document should list categories of people you process data for.

We have conducted an audit of processing activities for our own tenancy portfolio (if you didn’t know, we are a landlord as well us running the Guild). We have found four main categories of tenant:

  • enquiring tenants (e.g. let them know if a two bed flat becomes available)
  • prospective tenants (after viewing a property have expressed an interest)
  • actual live tenants
  • ex-tenants

The audit should detail how their personal information is used, who shared with and how long it is retained. It should also refer to any privacy policy informing them of how their information is used and shared.

Our GDPR audit is available here and is in Excel spreadsheet format. You will need to amend to match the data you personally use and our audit is in its early stages and may be amended as we consider what further information should be contained in the audit. However, it should provide a good start for you if nothing else.

Further guidance about documenting processing activities is available on the Information Commissioners Office (ICO) website.

Lawful basis of processing

In order to process personal information, landlord’s must have a “lawful basis” to process the information. Processing includes storing, using, sharing and deleting the information.

We have detailed these processes in detail in our earlier article but to summarise, for landlord’s, the main bases for processing will be:

  • legitimate interest (where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing which can include a commercial interest)
  • contractual fulfilment (where you use their data for fulfilling the contract for example passing details to a contractor to carry out a repair)
  • legally required (often landlords are legally required to process data for example in deposit prescribed information, right to rent checks etc.)
  • consent (not commonly used for landlord’s but would include for example speaking with housing benefit or Universal Credit).

Privacy policies

Following from the audit and understanding the lawful bases you are allowed to process the information, you then need to inform the tenants how you will use the information.

We have updated all our relevant forms with new GDPR privacy policies and these are listed below. This means if you use our forms, you shouldn’t need any additional privacy policies except the enquiring tenant one (see in a moment).

The following landlord forms and templates have been updated over the last few weeks to today with GDPR privacy notices:

In addition to the adding of GDPR privacy notices, most agreements have had other changes made just whilst we were editing but nothing else too significant.

In the previous versions of our residential tenancy agreements, there was a clause that the tenant gave their consent to speak with Housing Benefit departments. The new GDPR guidance says that anything which requires consent should not form part of a main contract but instead be a separate consent that can be withdrawn as easily as consent was given.

Therefore, we have now produced a separate consent to speak with housing benefit or Universal Credit. This document is automatically emailed with the tenancy agreements from the Tenancy Builder so you should never need to go to the forms section for that consent form.

Finally, we have produced the tenancy agreement privacy notice as a separate download although if you’re using our Tenancy Builder, you should never need it.

The only privacy notice yet to be produced is for enquiring tenants but we have already provided suggested wording in our other article if you want that now.

Existing tenancies

There is absolutely no need whatsoever to do any new tenancy agreements for the GDPR. Our old agreements still had privacy notices in them at the back which although weren’t as detailed as now, they were in our view sufficient to carry on the remainder of the tenancy. As new tenants take over properties, they will soon disappear over time.

If you really want to be belt and braces, you could send the new tenancy privacy notice to your existing tenants with a note that your privacy policy for using their information has been updated.

Processing personal information

Crucially, as long as you’re processing the data under one of the lawful bases (legitimate interest, contract fulfilment, legally required etc.) then you should be just fine. There is a lot of fuss at the moment but really it’s the lawful basis of “consent” which has significantly changed. Consent is mainly required for sales and marketing which is why you’re getting a million emails about it. However, landlord’s generally don’t need consent under the new GDPR rules because they have a legitimate interest, are fulfilling duties under the contract or are legally required to be processing the data.

Other

It is worthy of a quick mention that under the GDPR, tenants will have the right to be sent any information you hold about them. You should have a procedure available should this happen and how you will be able to respond to such a request.

In addition, there is the “right to be forgotten” whereby a request can be made to remove all information you hold. Where you are legally required to process information (such as right to rent) there is no right to erasure. Please see our other article for more information.

Guild of Residential Landlords

Whilst we’re talking about GDPR, we thought you might be interested in the Guild and what we’ve done.

Actually, there wasn’t much needed! All our emails have always been opt-in and you have always been able to opt-out of emails as easily as you opt-in (just click the link at the bottom of every email).

We have made small adjustments to our privacy policy but it was okay to begin with and quite in-depth.

We will be doing an update to our membership handling software which will incorporate a few technical changes but this should be frictionless from your viewpoint. This will allow us to save privacy policy information on a per user basis and a new feature of you being able to delete all information will be available to you (the right to be forgotten). This was done by request previously.

Time off

Finally, as a little note to end with, we’re going to try to take a little break for a week starting this evening (18 May). GDPR updates have been our priority and glad to see it’s (almost) done! The Guild will be running as normal whilst away but if any questions can wait until the week commencing 29 May, we’d be super grateful.