GDPR : Your questions answered

GDPR is coming, but are you ready for the impact it will have on you as a landlord?

Chris Norris, Director of Policy and Practice at the NLA, and Polly Rivers, Marketing Director at Urban.co.uk, covered this complex topic in a busy webinar this week. They discussed a landlord's obligations as a data controller under the new regulations, how to manage existing and potential tenants' data, how to handle a data breach, and provided a simple checklist for getting ready for the introduction of GDPR on May 25th 2018.

Q. If we use a letting agent, should we ensure that they are compliant and allow them to pass the tenants' details to me as the landlord/owner?

A. As a Data Controller, you hold the overall responsibility for the safe handling and security of your tenants' data, so it is a very good idea to make sure that any processors you engage are compliant with GDPR. Every business in Europe is having to comply with the regulations, so your agent will be well aware by now of the changes. Ask for a copy of their data handling policy and keep this safely on file. If they are reluctant to share, or do not have one in place, consider whether they are the safest pair of hands to be looking after your tenants' data!


Q. Should I write to existing tenants where the tenancy agreement does not cover DPA?

A. By virtue of having a contract with the tenant, and performing your part in enforcing that contract, you have legal justification for holding and processing data, but you should document this basis and ensure that your tenants have sufficient information about the way in which you will use their details.

If you do not have consent to hold existing tenants' data, you may choose to gain retrospective consent in readiness for GDPR. It would be wise to serve your existing tenants with a copy of your privacy policy, and if you are doing this you could consider asking them to sign a retrospective consent form at the same time. It's also an ideal opportunity to check that all the data you are holding is correct (phone numbers etc.).


Q. For how long can we hold personal data, and what data do we need to delete? I.e. is there data we can keep, e.g. name?

A. Personal data is anything that can identify an individual. As a landlord you will have the details of the person's address (your property!) and you are likely to have their name, and with these items of data alone it could be possible to identify a person. With this in mind, you need to consider how to handle this sensitive information. If you do not have a valid reason to keep someone's personal data, you should destroy it under your deletion policy. However, if you have a legal contract with someone (i.e. a tenancy agreement) or you need to keep details of financial transactions for auditing purposes, you are allowed to retain details. If you have a contract with an individual, you can retain information for six years after the end of the contract, the length of time during which someone can launch legal proceedings against you. For auditing purposes, you can retain data for seven years, the amount of time HMRC may be interested in your accounts!


Q. We let to students. How will GDPR affect us?

A. There are no differences whether you are letting to students, or standard private tenancies. All the same rules apply.



Q. Will we need to get a special licence to keep hold of tenants' data? It all seems a little over the top, especially when a lot of people have no problem splashing their personal lives all over social networking sites!

A. You are not going to need to get a licence as such, but you should be registered with the Information Commissioner's Office (the ICO). Given what is in the news about Facebook at the moment, it looks like they are going to be subject to a lot more scrutiny too!


Q. We are already registered under the old DPA. How different are the new regulations?

A. Not massively. Nothing about your registration will change, as the ICO will remain the body responsible for monitoring data protection in the UK. The Data Protection Act was introduced in 1998, and the way we use, manage and store data has changed significantly in 20 years. The new regulations reflect these changes, with more concentration on the management of digital data, as well as paper record keeping.


Q. Are there fines for non-compliance, data breaches etc.?

A. Afraid so. The biggest fine is one of 20 million Euros, or 4% of your annual turnover. Whilst it is unlikely that you would be hit with a fine this hefty, a fine is a very real consideration should you be found not to be complying. Another concern is that, should the worst happen and your tenant be subject to a data breach, they would have the ability to sue you for damages, and there is no maximum amount for this!


Q. How do you share your privacy notice if you don't have a website? Should you give the tenant a hard copy and ask them to sign to prove delivery?

A. There are several ways you could choose to deliver your privacy notice. Most organisations host them on their website, but you could hand deliver or post a hard copy, or even serve it via email. If you can gain a signature (paper or electronic) from your tenant confirming receipt, this is a great bonus.


Q. Is using storage such as Dropbox sufficiently safe to store documents regarding properties, financing, management and tenants?

A. There is a section within GDPR that addresses the security of cloud storage systems such as Dropbox. If you choose to use a cloud-based storage system (as many people do) you must be able to confirm the following points:

  • You know the location where the cloud supplier is processing or storing data.
  • You take adequate security measures to protect personal data from loss, alteration or unauthorised processing (password protection etc).
  • You enter into a data processing agreement with the cloud supplier.
  • You can ensure the cloud supplier complies with GDPR requirements.
  • You only collect ‘necessary’ data and limit the processing of sensitive data.
  • You do not allow cloud suppliers to use personal data for other purposes.
  • You ensure that the data is erased by the cloud supplier when you stop using it.



Q. Will this new regulation apply to all demographics?

A. Yes.


Q. Please explain impact for Scottish landlords as well if different.

A. There is no difference in Scotland.


Q. How are HMOs affected?

A. In exactly the same way. You should treat each tenant as an individual data subject.


Q. I accommodate 'Looked After' children from Social Services and also deliver a support service to them. How would the changes affect my business and safekeeping of data?

A. If you are collecting and holding the data of anyone under 18, you must have systems in place to verify individuals' ages and obtain parental or guardian consent for any data processing activity. It is unlikely that this will apply to many landlords, but it is worth noting.


Q. In the application for registration with the ICO, what questions does the ICO raise and require answers to, and is online registration the only means of registering?

A. You will be asked questions such as whether you are a sole trader or limited company, the company name, and function. These details are stored on a public register of registered data controllers. You will also be asked to provide the contact details of a relevant member of staff.

Some information is mandatory, some is voluntary, but it is made clear within the application which is which. You can apply here: https://ico.org.uk/registration/new


Q. I currently have an ICO subscription. Is this enough to comply?

A. It's a very good start! You have already ticked off one of the points in Chris's six-point 'getting ready' checklist. Preparing a privacy policy (or downloading one from the NLA website), auditing your existing data and disposing of any you no longer have a valid reason to keep, creating a consent procedure, creating a deletion and storage procedure (and sticking to them!) and contacting all of your processors to discuss their data handling policies should get you completely up to speed.


Q. As a small landlord do I need this seminar?

A. Afraid so: even as a landlord with one property, you are a business holding tenants' data, which means GDPR will impact you.


Q. I am a private landlord and my properties are all managed by a reputable letting agent. How does this legislation impact upon me? The only data I believe I hold is contact info.

A. If you hold your tenant's contact number, you have their name, and you have their address (it's your property!), so you have enough data to be able to identify them. GDPR still applies to you.



Q. As housing is a devolved responsibility in Wales, does the legislation cover Wales?

A. Yes, there is no difference in Wales.


Q. Should I protect PDF files which have scanned information on them? I can password protect Excel and Word files.

A. Definitely. Any document that contains personal information should be stored as securely as possible in line with your data storage policy.


Q. Are the tenants under a similar obligation to protect our data, such as bank details?

A. No, GDPR only applies to businesses handling individuals' data. You are a business, whereas your tenant is not. Therefore, they do not have to apply the principles to you.


Q. Is the NLA working on a draft Privacy Policy for Landlords?

A. Yes. It will be available to download within the documents section of the website.


Q. I always use an agent to find, credit check, ID check etc., but I hold a photocopy of the passport. Do I need their consent?

A. You need a legal justification for holding and processing the information. Consent is one of these, but as you are required to check immigration details you also have a statutory obligation and a legitimate interest in (securely) holding a copy of their passport.



Q. Does the GDPR only apply to EU citizens?

A. The nationality of the citizens is irrelevant with regards to GDPR. You, as a European business, must comply and treat every data subject with the same rules.



Q. I have one property I manage (for my 3 others I have an agent). What is the maximum amount of data I can hold on my tenant before I need to register with the ICO? Currently I have his name, e-mail address and phone number, plus the signed contract.

A. That is more than enough! Any amount of data that can be used to identify an individual is enough to mean that you have to comply.



Q. Is this affecting all areas of the UK next month?

A. It is affecting all of Europe! And this is a Brexit-proof regulation, so there is no chance of it being amended in a year or so.


Q. Can a privacy policy and a data protection policy be merged together?

A. Yes.


Q. Will there be downloadable materials to go with the webinar? Hard copies would help with comprehension and accessibility.

A. A Privacy policy will be available to download from the National Landlords Association, and all of the slides are available here.



Q. How much time and cost will this process of GDPR involve?

A. It doesn't need to be a costly process: registration with the ICO is £40 a year. With regards to time, that depends on how much data you are holding that needs auditing, and how long you need to take to get your policies in line.


Q. It will be helpful if you could ensure that the 6 reasons for processing are all covered equally. For many landlords I would have thought that (b) Contract and (c) Legal Obligations are more appropriate than Consent.

A. We have covered consent as the option that we would recommend, however the basis for processing that you choose is entirely at your discretion, and you must choose the best fit for your business. The other bases for processing are:

Contract: The ICO website states that this basis can be relied upon to process someone's personal data to fulfil your contractual obligations to them, or because they have asked you to do something before entering into a contract. The processing must be necessary to deliver your side of the contract with this particular person. If you could carry out proceedings without processing their personal data, this basis will not apply. If the processing is only necessary to maintain your business model generally, this lawful basis will not apply.

Legal obligation: The ICO website states that this basis can be relied upon if you are reliant on processing the data in order to comply with a common law or statutory obligation. However, this does not apply to contractual obligations. The processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply. You should document your decision to rely on this lawful basis, be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation, and ensure that you can justify your reasoning.

Legitimate interest: The ICO website states that this is the most flexible basis for processing, but not always the most appropriate. If you choose to rely on legitimate interest, you are taking on extra responsibility for considering and protecting people's rights and interests. Legitimate interest is likely to be most appropriate where you use people's data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing.

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required and make sure to include details of your legitimate interests in your privacy notice.

Vital interests: The ICO website states that this basis can be relied upon if you need to process the personal data to protect someone's life, and you must be able to justify your reasons for this choice.

Public task: The ICO website states that this basis can be relied upon if you need to process personal data:

  • ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
  • to perform a specific task in the public interest that is set out in law.

Your underlying task, function or power must have a clear basis in law, and if you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply. It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest. This is unlikely to apply to many individual landlords; however, it could be used if the police ever approach you requiring information about a tenant.

Q. I am already registered with the ICO. Would I need to re-register?

A. No, if you are registered you are ok!


Q. If you use a property agent for finding tenants and collecting rent, and a problem occurs because of the agent, is the landlord still liable?

A. As the data controller, you do have an overriding responsibility for the security of your tenants' data, and that includes making sure that your processors (including your agents) are doing all they can to keep this data secure. If the worst happens and data is compromised, your tenant could ask you to prove that you were doing all you could to ensure that you passed their data on to a secure processor.



Q. Do you also need to give a privacy notice to the tenant's guarantor, whose name and address you also hold?

A. Yes. A guarantor is another data subject, separate to the tenant, so you should apply all the same principles to them.


Q. Is a photograph on its own classed as data?

A. It is highly unlikely that you would have a photograph of your tenant without at least holding their name, and of course you will have their address! If you have this information, you will be having to comply with GDPR anyway as you will have identifying information, so an image is simply another piece of data in the chain.


Q. Does the privacy notice cover the written consent required?

A. No. If you are planning to rely on consent as your basis for processing data, it is recommended that you request written or oral consent from your tenant as well as supplying them with a copy of your privacy notice.
If you rely on consent given verbally, it is advisable that you thoroughly document the process, in case you should have to rely on it at a later date.


Q. What if I hold contact details for various subcontractors? Does it matter if they are sole traders?

A. Contractors, even sole traders, would be classed as businesses, and therefore their data would not be covered by GDPR. If you are planning to send marketing communications to contractors, you should be aware of the Privacy and Electronic Communications Regulations (PECR), however as a landlord storing details of tradespeople, you should be fine!


Q. We currently have a clause saying they consent to us sharing their data with utility companies (Landlord TAP, etc.), so is this now not valid?

A. Under GDPR you are required to identify the individual processors that you are planning to share tenants' data with in order for them to give consent. A catch-all 'utilities' is not enough. In your consent document, identify the organisations by name, giving the tenant the ability to opt out of their details being shared with certain organisations. It is also not permitted under GDPR for consent to be conditional, so including the consent requirement within your tenancy agreement would not be advisable, as your tenant could not sign the tenancy agreement, and therefore take the property, without giving consent. You could consider issuing a separate consent document prior to starting tenancy documentation, requesting clear consent for the various processing activities.


Q. I sometimes use self-employed handymen to carry out work. Do they have to be GDPR compliant?

A. As a company holding individuals' data, yes. It is your responsibility as a Data Controller to make sure that they are compliant before entering into a processing agreement with them. Of course, this only matters if you share information with the third party.


Q. Is there a requirement to keep copies of passports for one year for people who are unsuccessful in their application to rent from me as well, to prove that I have checked, or is it just for actual tenants?

A. No, this is just a requirement for people who progress to a tenancy. It would be advisable to destroy any copies of passports (in line with your data deletion policy) that you hold of people who are not your tenants, as you have no legal basis to hold this data.


Q. Consent form: does this have to cover the current event/matter and future matters, or do we have to ask for consent on each occasion?

A. If you can, include as many details on your consent form as possible. If you work with processors regularly (such as your letting or managing agent, referencing agency, utility companies, gas safety engineer, regular plumber or electrician etc.), make sure to include their details as processors that the tenant is likely to come into contact with. However, we all appreciate that you cannot pre-empt every eventuality, and if your regular gas safety engineer isn't available, you will have to contact another in order to comply with regulations. In this instance, if you need to pass your tenant's contact details on to facilitate the appointment, contact the tenant (ideally in writing; email is fine) asking for consent to pass their details (specify which details will be passed on) to the individual concerned. Note why the details are being passed across, what they will be used for, why they need to be passed over, and how the tenant can withdraw consent. This timely consent can be given orally too in the case of an emergency.


This information is provided only as general guidance, based on the current understanding of GDPR. This information is not intended to replace independently obtained legal advice, and we would recommend you seek specific advice from a qualified professional or the ICO when dealing with specific situations.

If you have any further questions about GDPR, the NLA Advice Line is free for all members. For membership contact the NLA at 020 7840 8900.
