GDPR: The Lowdown for Landlords
Published on June 12, 2018 by Sarah Mac
The General Data Protection Regulation (GDPR) was introduced on 25th May 2018. If you are a landlord, GDPR applies to you, regardless of how many properties you rent out. Fail to comply with GDPR, and you could face a fine of up to 4 per cent of your annual global turnover, or 20 million Euros, whichever is higher.
GDPR is all about the protection of personal data. As a landlord, you process personal data every time you take on a new tenant. Because you decide how, why and when that personal information is processed, you are classed as a ‘data controller’. With this responsibility comes a raft of procedures you must adhere to. Let’s take a look at those.
ICO Registration
First of all, you need to be registered with the Information Commissioner’s Office (ICO). This is the body that enforces data protection regulations. It is a legal requirement and it DOES apply to landlords, so if you haven’t already, be sure to register straight away.
Data Audit
Your next job is to compile a list of the data you hold. This will be personal data on your tenants, and possibly details of prospective tenants that you may contact from time to time with promotional material.
Your list should include the type of data you hold and the locations in which it is held. For example, ‘personal information’ would include name, address, date of birth, email address, National Insurance number, car registration number, passport number, etc. ‘Sensitive personal information’ would be things like an NHS number and details of any requests made to customise a property for disabled use. If you find that you are collecting sensitive personal information, you will be subject to special restrictions, so you should only collect this information where it is absolutely necessary.
Locations for your data may be an Excel spreadsheet, and/or an online accounting system such as QuickBooks. In addition you may hold data in a marketing platform such as MailChimp. Log all the places the different types of data are held.
Compliance Audit
If you hold data in an online system, you should read the privacy and security notices of the providers to ensure they are GDPR compliant, and keep a record of them. Do remember, however, that no one is responsible for the safety of the personal data other than you.
If you hold data in other ways, such as on a spreadsheet or in a paper-based filing system, you will need to check that you are compliant with GDPR rules on data security. Generally, you will need to ensure you have virus protection and firewalls to safeguard the devices on which you hold and access your data. Physical security measures will also need to be in place.
If there is a data breach, for example if personal data belonging to tenants is lost or stolen or held to ransom, or accidentally deleted, then you will need to provide evidence to the ICO that you took adequate steps to prevent such an occurrence.
Permissions Audit
Do you have permission to use your tenants’ data in the way in which you are using it?
For example, if you collected tenants’ email addresses whilst processing an application for a tenancy, that does not give you an automatic right to send them marketing emails.
GDPR requires express, positive consent where non-transactional communications are concerned. This means that you may NOT hide a pre-ticked opt-in box somewhere in your small print. It must be clear for tenants to see precisely what they are opting into and if they do, how they can opt out should they change their minds.
Once you do gain permission, you must keep records of it as you may be asked to provide evidence in the case of a complaint.
You do not need permission to process tenants’ data when it is necessary for the management of their tenancy.
Policy Preparation
You’ll need to have a privacy notice in place. If you have a website, you’ll need an electronic version that specifically covers the use of your site and includes information about your use of cookies. If you don’t have a website then you’ll still need an offline privacy notice which you can provide to tenants in hard copy form or as an email attachment.
Your privacy notice should provide details of how you process and store data and how tenants can request a copy of the data you hold on them. It is important to be aware that you are no longer able to make a charge when tenants request a copy of their data. You should also note that GDPR states that you cannot retain data for longer than is necessary so, once you no longer need information on a tenant, you should have a process in place to delete it.
Further Assistance
This article is merely an overview of your responsibilities as a landlord under GDPR. You are strongly advised to take tailored, professional advice should you have any doubts as to what you must do in order to comply.
The ICO website provides more comprehensive guidance for data processors and data controllers and it is highly recommended that you read all of the information thoroughly, because GDPR is for landlords!