How to Comply with GDPR - A landlord Guide

We have already produced some reasonably detailed guidance about GDPR, and that should be consulted in the first instance to get you up to speed with the new phrases and principles of GDPR. 

This article is aimed at landlords, but agents may find its contents useful. 

Specifically for agents, Training for Professionals (who we work closely with) has new GDPR privacy notices aimed explicitly at letting agents.

Registration

The rules for landlord registration have not changed. If you store, use, or delete tenant personal information (such as name, email, telephone number, etc.) using an electronic device (mobile phone, computer, etc.), you should register. That is regardless of GDPR. 

Registration costs £35.00 per year (including the direct debit discount) and is quick and easy. You can quickly check if you need to register by using this tool on the ICO website.

Documenting Processing Activities

One of the first steps to complying with GDPR is to document processing activities so you can establish what personal information you hold, who it is shared with and how long it is retained. The document should list categories of people for whom you process data. 

We have conducted an audit of processing activities for our tenancy portfolio (if you didn’t know, we are a landlord as well as running the Guild). 

We have found four main categories of tenants:

  • enquiring tenants (e.g. let them know if a two-bed flat becomes available)
  • prospective tenants (after viewing a property, have expressed an interest)
  • actual live tenants
  • ex-tenants

The audit should detail how personal information is used, who it is shared with, and how long it is retained. It should also refer to any privacy policy that informs them of how their data is used and shared. 

Our GDPR audit is available here in Excel spreadsheet format. You will need to amend it to match the data you use. Our audit is in its early stages and may be amended as we consider what further information should be contained in the audit. 

However, it should provide a good start for you, if nothing else. 

Further guidance about documenting processing activities is available on the Information Commissioners Office (ICO) website.

Lawful basis of processing

To process personal information, landlords must have a “lawful basis” to process the data. 

Processing includes storing, using, sharing and deleting the information. We have detailed these processes in detail in our earlier article, but to summarise, for landlords, the main bases for processing will be:

  • legitimate interest (where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing, which can include a commercial interest)
  • contractual fulfilment (where you use their data for fulfilling the contract, for example, passing details to a contractor to repair)
  • legally required (often landlords are legally required to process data, for instance, in deposit prescribed information, right to rent checks, etc.)
  • consent (not commonly used for landlords but would include speaking with housing benefit or Universal Credit).

Privacy policies

Following the audit and understanding the lawful bases, you are allowed to process the information; you then need to inform the tenants how you will use the information. 

We have updated all our relevant forms with new GDPR privacy policies, which are listed below. 

If you use our forms, you should only need the privacy policy for the enquiring tenant (which we will discuss in a moment). 

The following landlord forms and templates have been updated over the last few weeks to today with GDPR privacy notices (links require an active subscription):

In addition to the addition of GDPR privacy notices, most agreements have had other changes made just whilst we were editing, but nothing else was too significant. In the previous versions of our residential tenancy agreements, there was a clause in which the tenant consented to speak with the Housing Benefit departments. 

The new GDPR guidance says that anything that requires consent should not form part of the main contract but instead be a separate consent form that can be withdrawn as quickly as permission was given. 

Finally, we have produced the tenancy agreement privacy notice as a separate download, although if you’re using our Tenancy Builder, you should never need it. 

Existing tenancies

There is no need whatsoever to do any new tenancy agreements for the GDPR. Our old contracts still had privacy notices at the back, which weren’t as detailed as now but sufficient to carry on the remainder of the tenancy. 

As new tenants take over properties, they will soon disappear over time. If you want to be belt and braces, you could send the new tenancy privacy notice to your existing tenants and note that your privacy policy for using their information has been updated.

Processing personal information

Crucially, as long as you’re processing the data under one of the lawful bases (legitimate interest, contract fulfilment, legally required, etc.), you should be just fine. 

Other

It is worth mentioning that under the GDPR, tenants have the right to be sent any information you hold about them. Please have a procedure available should this happen and how you will be able to respond to such a request. In addition, there is the “right to be forgotten”, whereby a request can be made to remove all information you hold. Where you are legally required to process data (such as the right to rent), there is no right to erasure.

Guild of Residential Landlords

While discussing GDPR, we thought you might be interested in the Guild and our work. Not much was needed! All our emails have always been opt-in, and you can always opt out of them as quickly as you opt-in (click the link at the bottom of every email). 

We have slightly adjusted our privacy policy, but it was okay to begin with and quite in-depth.

Last Reviewed

View Related Handbook Page