The GDPR has applied since 25 May 2018. The regulation specifies how personal data is processed. "Processing" covers any operation performed on data, such as collecting, recording, organising, storing, amending and erasing it. "Personal data" is any information relating to an identified or identifiable individual. Landlords hold personal data about their tenants for business purposes and must therefore comply with the GDPR; non-compliance can attract large fines. The GDPR applies to paper records as well as to electronic records. This article has been written with the smaller landlord in mind and therefore refers mainly to the landlord as the data controller. Additional provisions apply when other people are involved in the processing, for example where a letting agent acts as a data processor on the landlord's behalf.
Landlords in the UK must also register with the ICO (Information Commissioner's Office), for which there is an annual fee. There is no requirement to register if you do not use any electronic equipment to process personal data, but even keeping tenant details on a smartphone or using a call recording system counts as electronic processing and therefore brings the user within the registration requirement.
According to an article on the landlordzone website, however, landlords who use an agent and rely on that agent to handle all the personal data around the tenancy would not need to register themselves.
From the ICO website: “Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the Information Commissioner's Office (ICO), unless they are exempt.” Elsewhere the ICO refers to organisations and sole traders, but here it clearly states individuals as well as organisations. At the time of writing the minimum fee is £40.
The ICO website has a page where you can register and pay the fee. It also provides an online self-assessment that you can use to check whether or not you are required to register.
The ICO provides a comprehensive Guide to the GDPR. This sets out the principles of data protection, the implications of these principles for practice, summaries of requirements relating to each principle and checklists to assess whether the requirements are being met or not. There are then detailed explanations of each element and examples of how the principles can be upheld or where there would be a breach of data protection.
The Guide is geared to organisations of all types, however, and small private landlords will need to decide which sections apply to them and which do not.
Landlords are advised to carry out an audit of the personal data they collect, store and process (what it is, where it is held, why it is held and for how long) so that they can develop the procedures necessary to ensure compliance.
The Key Principles of Data Protection in the GDPR (from the ICO website and the RLA website)
Lawfulness, fairness and transparency: there must be a lawful basis for the processing, and the data must be processed fairly and transparently
Purpose limitation: data is collected for specified, explicit and legitimate purposes and is not further processed in a way incompatible with those purposes
Data minimisation: personal data must be adequate, relevant and limited to what is necessary
Accuracy: the data is accurate and, where necessary, kept up to date
Storage limitation: data is kept in a form that allows identification of the data subject for no longer than is necessary for the purposes for which it was collected
Integrity and confidentiality (security): data is processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
Accountability: the controller is responsible for complying with the principles and must be able to demonstrate compliance through processes and records.
Data must not be transferred to countries outside the EEA without an adequate level of protection for the rights of data subjects.
The main lawful bases for holding personal information that apply to landlords include:
consent, which must be freely given by the individual (the “data subject”), who must be told clearly that they can withdraw it at any time. Consent to how the data will be processed must be specific, informed and unambiguous; it cannot be a “blanket” consent. Consent can be given in writing, online or verbally, or by a clear affirmative action on the part of the individual, but it cannot be inferred from silence, inactivity or pre-ticked boxes. Consent may also be invalid where there is a power imbalance between the parties, and it could be argued that this applies to the landlord / tenant relationship. It is therefore better to rely on a different lawful basis wherever one is available.
performance of a contract (this applies to the data necessary for the landlord to carry out their side of the tenancy agreement)
compliance with a legal obligation (this applies to “right to rent” checks and, in Wales, to the requirement to inform Welsh Water of the tenant's details)
vital interests (matters of life or death, unlikely to apply to a landlord)
legitimate interests (e.g. providing the tenant's name to utility companies where this is stated in the Privacy Notice, discussed below; providing information to people carrying out repair works or to a guarantor; reading references supplied to letting agents).
There are special restrictions on holding “special category” data (information revealing racial or ethnic origin, political opinions, religious beliefs, sexual orientation, health and similar), and it is advisable for a landlord not to collect or hold any data of this kind.
The GDPR gives individuals a number of rights, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
The principle of Accountability (Principle 7) requires the landlord to have clear processes and records that demonstrate compliance; there must be documented evidence of how each principle is followed. The personal data collected must be specified and the lawful basis for collecting and processing it must be recorded (Principle 1). Principle 1 also requires transparency, which, together with the individual's right to be informed, is the basis for providing a Privacy Notice (see below). The purposes for which the data is collected must be documented, along with how the collection is limited to what is relevant and necessary (Principles 2 and 3). Landlords also need procedures for ensuring that data is accurate and kept up to date (Principle 4). They need procedures for deleting data that is no longer necessary, which means specifying how long each type of data will be held (Principle 5). They must have procedures for ensuring the security of the data at every stage of processing, both for data held in a manual filing system and for data held electronically (Principle 6). This is not an exhaustive list of the ways in which compliance must be shown, but a summary of the main ones.
Privacy Notice / Privacy Information
As data controller, it is the landlord's responsibility to provide a Privacy Notice to anyone whose personal data they hold in a business capacity. Under the right to be informed, individuals are entitled to know how their personal data is collected and used, and the Privacy Notice is the key transparency measure for meeting this.
The Privacy Notice must include the identity and contact details of the data controller, the purposes of the processing and the lawful basis for each purpose. It must also state how the data will be stored and for how long, and who it will be shared with, if it is to be shared. The individual's rights in relation to the processing of their data must be set out (including the right to withdraw consent, where consent is the lawful basis, and the right to lodge a complaint with the ICO).
The Privacy Notice must be given at the time the data is collected from the individual. If you obtain personal data from other sources, you must provide the privacy information within a month. The Privacy Notice must be concise, transparent, intelligible, easily accessible, and written in clear and plain language. You must review your privacy information regularly and update it where necessary, and you must bring any new use of an individual's personal data to their attention before you start that processing. This is not an exhaustive account of the implications of the GDPR, and readers are advised to consult other sources of information.
As an example, a helpful explanation of the Privacy Notice can be found here.