How to Comply with GDPR - A landlord Guide
We have already produced some reasonably detailed guidance about GDPR, and that should be consulted in the first instance to get you up to speed with the new phrases and principles of GDPR.
This article is aimed at landlords, but agents may find its contents useful.
Specifically for agents, Training for Professionals (who we work closely with) has new GDPR privacy notices aimed explicitly at letting agents.
There is absolutely no change to the rules about registering for landlords. If you store, use or delete tenant personal information (such as name, email, telephone etc.) using an electronic device (mobile phone, computer etc.), then you should be registered. That is regardless of GDPR.
Registration costs £35.00 per year (including the direct debit discount) and is very quick and easy to do. You can quickly check if you need to register by using this tool on the ICO website.
Documenting Processing Activities
One of the first steps to complying with GDPR is to document processing activities, so you can establish what personal information you hold, who it is shared with and how long it is retained. The document should list categories of people you process data for.
We have conducted an audit of processing activities for our tenancy portfolio (if you didn’t know, we are a landlord as well as running the Guild).
We have found four main categories of tenants:
- enquiring tenants (e.g. let them know if a two-bed flat becomes available)
- prospective tenants (after viewing a property have expressed an interest)
- actual live tenants
Our GDPR audit is available here and is in Excel spreadsheet format. You will need to amend it to match the data you use, and our audit is in its early stages and may be amended as we consider what further information should be contained in the audit.
However, it should provide a good start for you, if nothing else.
Lawful basis of processing
To process personal information, landlords must have a “lawful basis” to process the data.
Processing includes storing, using, sharing and deleting the information. We have detailed these processes in detail in our earlier article, but to summarise, for landlords, the main bases for processing will be:
- legitimate interest (where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing, which can include a commercial interest)
- contractual fulfilment (where you use their data for fulfilling the contract, for example, passing details to a contractor to repair)
- legally required (often landlords are legally required to process data, for instance, in deposit prescribed information, right to rent checks etc.)
- consent (not commonly used for landlords but would include speaking with housing benefit or Universal Credit).
Following the audit and understanding the lawful bases, you are allowed to process the information; you then need to inform the tenants how you will use the information.
We have updated all our relevant forms with new GDPR privacy policies, which are listed below.
This means if you use our forms, you shouldn’t need any additional privacy policies except the enquiring tenant one (see in a moment).
The following landlord forms and templates have been updated over the last few weeks to today with GDPR privacy notices (links require an active subscription):
- Application for accommodation (online application)
- All versions of the assured shorthold tenancy agreement
- Contractual tenancy agreement (incorporated into the Tenancy Builder)
- Lodger agreement (excluded licence agreement) (integrated into the Tenancy Builder)
- Garage letting agreement
- Storage letting agreement
- Car parking space agreement
In addition to the adding of GDPR privacy notices, most agreements have had other changes made just whilst we were editing, but nothing else too significant. In the previous versions of our residential tenancy agreements, there was a clause that the tenant gave their consent to speak with the Housing Benefit departments.
The new GDPR guidance says that anything which requires consent should not form part of the main contract but instead be a separate consent that can be withdrawn as quickly as permission was given.
Finally, we have produced the tenancy agreement privacy notice as a separate download, although if you’re using our Tenancy Builder, you should never need it.
There is absolutely no need whatsoever to do any new tenancy agreements for the GDPR. Our old contracts still had privacy notices in them at the back, which weren’t as detailed as now and were sufficient to carry on the remainder of the tenancy.
Processing personal information
Crucially, as long as you’re processing the data under one of the lawful bases (legitimate interest, contract fulfilment, legally required, etc.), you should be just fine.
It is worthy of a quick mention that under the GDPR, tenants will have the right to be sent any information you hold about them. You should have a procedure available should this happen and how you will be able to respond to such a request. In addition, there is the “right to be forgotten”, whereby a request can be made to remove all information you hold. Where you are legally required to process data (such as the right to rent), there is no right to erasure.
Guild of Residential Landlords
Whilst we’re talking about GDPR, we thought you might be interested in the Guild and what we’ve done. There wasn’t much needed! All our emails have always been opt-in, and you have always been able to opt out of emails as quickly as you opt in (click the link at the bottom of every email).