The final countdown!

It's been loitering on the horizon, but there's no avoiding it now - GDPR is hurtling towards us at an unstoppable pace, with it's introduction coming on 25TH May (THAT'S NEXT WEEK!) - so, we're on the final countdown, are you ready?

Wait, what? that's come round quickly!

It may seem that way, but these changes have been bubbling for quite some time. The General Data Protection Regulation (GDPR) is the biggest change to data handling that has been since the introduction of the current Data Protection Act, so it's been on the radar for a while. However, it's certainly true that it is still coming as a shock to many!

Don't panic though, it needn't be the end of the world. Although you must comply with the new regulations, you're not alone. Every business in Europe (GDPR is an EU regulation) is having to toe the line with GDPR too. And although the regulation has come from Brussels, GDPR is Brexit-proof, so there's no burying our heads in the sand for a year until post-Brexit and hoping it goes away...

Choosing your bases

One of the most important elements of GDPR is understanding the legal bases for processing.

There are six legal bases for processing. As a landlord, the process you follow to let your property will touch upon some of these more than others so it is important to identify the ones that will be most relevant to you, clearly make note of them in your privacy policy, and ensure your tenant is aware of them.

It is very bad practice to switch from one legal basis to another part wa through processing, so it is important to identify the correct basis at the start of proceeding.

You should decide the best bases for YOUR business - every process is different, and therefore your plan may be different to other landlords you know. Walk through your letting process from tart to finish, note down every task - from viewing to check out, and try to match the most suitable basis to each procedure.


Consent to collect and process an individual’s data must be properly documented, and easily withdrawn: either provided by a statement or by a clear affirmative action (such as a clear Yes/No tick box). Silence or inactivity DOESN’T MEAN CONSENT.

You can gain consent a number of ways:

  • Signing a consent statement on a paper form
  • Ticking an opt-in box on paper or electronically
  • Clicking an opt-in button or link online
  • Selecting from equally prominent yes/no options
  • Responding to an email requesting consent (Building a paper trail via email is a great idea wherever possible!)
  • Answering yes to a clear oral consent request
  • Dropping a business card into a box
Consent cannot be considered a ‘safe option’. Remember that it can be withdrawn, and therefore may not be the most appropriate basis for processing.

If you are relying on consent and are asking your tenants to sign a consent form, or sending them and email requesting a positive response, you must make sure include clear details on the followings:

  • Your name/the name of your organisation and the names of any third parties who will rely on the consent – consent for categories of third-party organisations (referencing/maintenance etc) isn’t enough
  • Why you want their data
  • What you will do with their data
  • How they can withdraw their consent for it to be processed (passed on)


The ICO website states that this basis can be relied upon to process someone’s personal data to fulfil your contractual obligations to them or because they have asked you to do something before entering into a contract.

The processing must be necessary to deliver your side of the contract with this particular person. If you could carry out proceedings without processing their personal data, this basis will not apply. If the processing is only necessary to maintain your business model generally, this lawful basis will not apply.

Legal obligation

The ICO website states that this basis can be relied upon if you are reliant on processing the data in order to comply with common law or statutory obligation. However, this does not apply to contractual obligations.

The processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply. You should document your decision to rely on this lawful basis, and be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation, and ensure that you can justify your reasoning.

Legitimate Interest

The ICO website states that this is the most flexible basis for processing, but not always the most appropriate. If you choose to rely on legitimate interest, you are taking on extra responsibility for considering and protecting people’s rights and interests.

Legitimate interest is likely to be most appropriate where you use people’s data in ways they would reasonably expect, and which have a minimal privacy impact, or where there is a compelling justification for the processing.

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required and make sure to include details of your legitimate interests in your privacy notice.

Vital interests

The ICO website states that this basis can be relied upon to if you need to process the personal data to protect someone’s life, and you must be able to justify your reasons for this choice

Public Task

The ICO website states that this basis can be relied upon to if you need to process personal data:

  • ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
  • to perform a specific task in the public interest that is set out in law.

Your underlying task, function or power must have a clear basis in law, and if you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply. It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest. This is unlikely to apply to may individual landlords.

What about the shoebox of information I've got on old tenants?

The does need some attention!

Auditing the data that you already hold is a great idea, and getting it prepared for the introduction of GDPR in May will put you in good stead. An information audit will help you get your files prepared, an give you an overview. You should understand:

  • What personal data do you hold?
  • Where did it come from?
  • Who have you shared it with?
  • Is it all still accurate?
  • How you would delete that data if required?

If you do not have consent to use your existing tenant’s data, you should gain their consent in line with the consent process. You should serve your existing (and new) tenants with a Privacy Notice, which will give them details about how their data is used, stored and deleted, and how to contact you with regards to opting out of processing.

I keep hearing about privacy notices, what are they?

A Privacy Notice is THE data document that you need to be concerned with. It only needs to be a simple document, laying out clear, easily understandable facts surrounding your data management process. You should include:

  • Type of data that is being collected – name, date of birth etc
  • Who is collecting it
  • Legal basis for collecting data
  • Who has access to it – You, any third party data processors (refer to their Privacy Policy)
  • What will be the effect of sharing to these organisations have this on the individuals concerned?
  • How is it collected – email/digital form/in person etc
  • Why is it being collected – are there different types of potential processing?
  • How will it be used – what are you planning to do with it?
  • How it WON’T be used – what will you NOT do with it
  • How data will be stored/protected – Cloud storage, how long will you store it etc
  • How you would manage a data breach
  • The potential consequences of choosing to not provide data (not being able to issue a tenancy agreement, for example)
  • Provide a clear way to contact you to stop processing of their data completely, or stop aspects of processing

It’s useful to issue a privacy notice separately to your tenancy agreement (rather than including it), if you have to make any changes, you can reissue without having to change the entire agreement.

How do I manage data breaches?

One of the requirements of GDPR is to make sure you have the correct procedures in place to detect, report and investigate a personal data breach.

You must notify the ‘relevant supervisory authority’ of any data breach that could result in a risk of rights and freedom of individuals, including discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. In addition, you would also have to notify the person who’s data had been breached.

Anyone handling data is required to be registered with the Information Commissioner's Office (ICO), and one of the benefits of registration is that the ICO offer support and advice.

An annual registration of the ICO is £40


What if I don't get things in line by the 25th?

In an ideal world you'll have the basics in place by the 25th (at least being registered by the ICO)! - but data management is an ongoing job. You should try and build a strategy in to maintain your procedures on an ongoing basis to ensure that you are keeping on top of things moving forwards.

Although there are some hefty fines being mentioned (€20 million is the top figure!) you'd have to be very unlucky to receive that! More of a concern for landlords is the potetnial for your tenant pursuing you for damages if they are subject to a breach.

If your tenant is subject to a data breach and it is considered that your mishandling of their data has played a part, they are also able to pursue you for damages. Depending on the impact the breach has had on them, these costs could be significant. It is worth considering the potential ramifications of this

SO, in a nutshell, what do I have to do to get ready?

  • Create a privacy policy (and consent form if required)
  • Review your process on how you ask for customer data
  • Create a process for the secure storage, and deletion of data
  • Audit the data you already hold – make sure everything is current, correct and consenting!
  • Contact Data Processors that you regularly transact with (agents, property managers, referencing agencies, maintenance companies etc), gather their full contact details and ask about their GDPR data management policy
  • Register with the ICO! (This is really important!)

Let my property online from

£99 inc VAT

Let your property

FREE Instant Online Valuation

Instant Valuation

Back to top