Landlord Data Protection (GDPR)
What is GDPR? And what do landlords need to know about it?
Welcome to our guide on data protection and GDPR for landlords. Landlords are data controllers under the GDPR (General Data Protection Regulation), which came into force in 2018. As data controllers, landlords must register with the Information Commissioner’s Office (ICO) and ensure they comply with the regulations.
How can Purple Frog help?
We can register you with the ICO, and provide you with the rights to use our data protection policies to help you become compliant.
What is GDPR?
The General Data Protection Regulation (GDPR) is a Europe-wide regulation that ensures that individuals’ personal data is handled correctly by companies. As well as giving individuals more control over how their data is handled, it places extra responsibilities on those who handle that data.
As a landlord, you will handle tenants’ personal data.
The regulation came into force on 25 May 2018. While it is intended mainly for larger companies, all businesses, including sole traders, must comply. Although the UK has left the EU, the law was formally adopted by the UK government during Brexit and, as such, still applies across the UK.
In essence, GDPR requires that companies and individuals that hold information on others:
- Only collect the data that they actually need
- Only use that data for its intended purpose
- Keep it safe at all times, especially when shared with third parties
- Tell the authorities immediately if it gets lost or stolen
- Delete the data when they no longer need it
Is it different from general data protection rules?
Yes, GDPR is different from existing data protection rules.
The GDPR aims to improve the existing rules on how businesses (known in the regulations as data controllers) look after people’s data.
It also places greater responsibility on data controllers for the actions and policies of the data processors they employ. Data processors are individuals or organisations that hold or manage data on a data controller’s behalf, such as tradespeople to whom you pass information so they can carry out work for you; for example, giving a tenant’s phone number to a contractor so they can arrange access for maintenance.
Are landlords data controllers?
Yes, landlords are data controllers.
A data controller is anyone who, either alone or jointly with other persons, determines the purposes for which and the manner in which personal data are processed.
That means if you obtain personal information from a tenant, whether in a digital format or as a hard copy, you are viewed as a data controller.
What are a landlord’s responsibilities as a data controller?
Landlords are responsible for ensuring that the information they hold about their tenants is safe and secure.
Importantly, landlords can only use information for purposes they have a legal right to carry out. A quick example would be that you couldn’t use data you’ve obtained as a landlord to sell your tenants unrelated services from a business you manage.
GDPR makes you responsible for determining the type of data you collect, why you need it, which other organisations should handle it and how. This means you need to consider:
- What personal data you need to collect. GDPR requires you to collect the minimum amount possible; for instance, you would not need a tenant’s marriage certificate to supply them with a tenancy.
- What legal basis you have for collecting the data (see below).
- How you will use the data you’re collecting.
- How long you need to keep the data. GDPR forbids data controllers from holding data indefinitely.
- Whether you need to pass data to a processor (for instance, a credit ratings agency).
What does lawful basis mean?
GDPR defines six different lawful bases that you can use to collect and process data.
It is the data controller’s responsibility to select and document which legal basis covers the collection of data.
There is no right answer, as several bases might apply, depending on the situation and the data collected. Importantly, data cannot be used other than under the legal basis it has been collected unless this is also made clear to tenants.
Not all bases will apply, but you may find that several fit different parts of your business. Looking at the data and the situation, it is up to you to select the most appropriate legal basis.
Again, you cannot tell tenants you are collecting the data under one basis and then use it for something else.
What are the six legal bases for collecting data?
1) Contract
For landlords, this will probably be the most common reason to collect and process data.
Simply put, you are collecting the data to comply with your obligations under a contract, for instance an assured shorthold tenancy.
This legal basis also applies before a contract is established, so you can gather the necessary information with which to reach the agreement. An example of this would be referencing.
2) Legal obligation
This means you need to collect the data in order to fulfil a law or regulation imposed upon you. The clearest example of this is collecting ID in order to fulfil your legal obligations under England’s Right to Rent laws.
3) Consent
To use consent as your legal basis, the subject must have given you their express permission to process their data. The most common example is signing up for an email newsletter.
The regulations forbid making consent a precondition of service. This means that if relying on consent would hamper the data processing you need to carry out, another legal basis is probably required.
A rule of thumb is that if the action you will perform is outside what a tenant would expect, you should probably ask their permission first. Consent must be freely and actively given. This means that companies cannot rely on ‘soft opt-ins’ (Click here if you do not want to receive information) for consent.
4) Legitimate interest
Legitimate interest is most appropriate when you are using data in a way people would reasonably expect; for instance, the data is already in the public domain. However, the data controller must be able to prove that the processing has to take place and that the legitimate interest passes three tests:
- Purpose test: identify a legitimate interest
- Necessity test: show that processing is necessary to achieve it
- Balance test: do the individual’s interests, rights, and freedoms override the legitimate interest?
These tests need to be documented, and data controllers must be able to show that any activities have the minimum possible privacy impact.
5) Vital interest
This would apply if processing the data is necessary to protect ‘the essential interests’ of an individual. It’s unlikely this would ever apply to a situation in the property market, as it covers such things as offering medical assistance.
6) Public task
Again, this is unlikely to be relevant to you as a landlord, as it relates to public authorities using data as part of their official duties.
What should landlords do when collecting data?
You are bound to find yourself in a situation where you need to collect data, for instance for a new tenancy. This is especially true if you have a let-only arrangement with Purple Frog; even if you are a fully managed client, you still have access to and control over tenant data.
You will need to make the tenant aware of the legal basis you are using to collect the data. You must explain this clearly and keep a record that this has happened.
When you ask for the data, you must ensure that you give the tenants the following information:
- Your name (and company name, if applicable)
- The name of any company who will be carrying out work for you and who you will share the data with
- Your legal basis for collecting the data
- What the data will be used for (for example creating a tenancy)
- How they can withdraw consent for the information to be processed (there are limits to withdrawing consent if the lawful basis is not legitimate interest or consent)
You will also need to think about what personal data you already hold, for instance for current or ended tenancies.
Make sure you are familiar with what personal data you hold, where it came from and whether you should delete it.
As I mentioned above, GDPR states that you cannot hold data forever. However, the regulation does not give an exact time. Thinking about things like tax returns or proof of use, under Article 4, will help you get a sense of how long you can legitimately hold on to a piece of information.
You will need to document this reason, as well as the timeframe.
If you think that some of your data needs consent, but you are unsure if you have it, you will need to get consent again. Remember, consent needs to be actively given, so you can’t send a message that says ‘to give consent, do nothing’.
It is important to ensure you keep records of when consent was given and to what.
What happens if I ignore GDPR?
Unfortunately, ignoring the GDPR regulations is not an option.
The new regulations give consumers some new rights, which all data controllers must adhere to.
- The right to access the personal data processed about them, along with the purposes of the processing and information on any transfer of their personal data to third countries.
- The right to have personal data rectified, or completed if incomplete.
- In some instances, the right to have their personal data deleted early.
- In some instances, the right to restriction of processing of their personal data, so it can be stored but not used.
- The right to data portability for some of their personal data, which means you would securely send the data to another data controller.
- Under certain circumstances, the right to object to processing of their personal data. This is especially the case for legitimate interest.
- The right to withdraw consent at any time.
This means that individuals can complain if your data policies don’t comply.
The regulations also stipulate that data breaches need to be reported both to the ICO and the subject of the data breach.
That means that it’s important to ensure data is kept safely and in compliance with the regulations.
There are incredibly punitive fines for not complying. The maximum fine is €20,000,000, or 4% of worldwide turnover, which would ruin Christmas for many decades to come.
While it’s unlikely that a landlord would face the maximum penalties, fines of a size commensurate with the business are a real possibility.
The ICO has gone on record to say that its initial response will always be carrot rather than stick. That said, this depends on whether an errant company is trying to comply or is simply ignoring the regulations.
What can landlords do to comply?
Register with the ICO
The Data Protection Act 1998 requires every data controller (including sole traders, such as landlords) who is processing personal information to register with the ICO.
GDPR’s increased emphasis on getting data right means that it will be worth registering, if you haven’t already.
It costs £40 a year to be a member, but this will also give you access to help and advice. If you’re not sure whether you need to join or not, you can do their self-assessment quiz to make sure: https://ico.org.uk/for-organisations/register/self-assessment/.
Purple Frog can make the application for you and provide access to our GDPR policies.
Adopt Data Protection Policies and share them with your tenants
- Landlord Data Protection Policy
- Landlord Privacy Notice
- Landlord Security Access Policy
- Landlord Disposal of Removable Storage Media Policy
We provide these policies for our clients to adopt; links are provided to tenants as part of the tenancy sign up process.
Check that your suppliers / other data processors are able to comply with GDPR regulations.
If you provide information to suppliers and contractors, you must ensure they comply with the GDPR regulations, so ask to see their policies before you provide them with any tenant information.