GDPR – 7 steps to landlord compliance

In part one of this article (https://senecarooms.com/2018/04/15/gdpr-for-landlords/), I covered the main elements of the General Data Protection Regulations and gave some explanations of the terminology and how it all relates to landlords.  If GDPR is new to you, I suggest you go back and read part one to help you understand what it’s all about first.  In part two here, I take a deeper dive into the three lawful bases that apply to data processing during the life of a tenancy, as well as give you a step by step guide on how to achieve compliance yourself.

I need to throw in a disclaimer here – I am not a lawyer so this article does not constitute legal advice.  It is merely the actions I have taken as a landlord to achieve GDPR compliance, based on my own interpretation of the regulations, and with the guidance of a GDPR specialist lawyer.  I recommend you also carry out your own analysis of the regulations, or speak to your own lawyer for advice.

The steps:

1. Your first step is to register with the ICO (if you haven’t already done so).  I believe the cost has just gone up to £40 per annum, so it’s still small cheese.  You can do this at www.ico.org.uk

2. Prepare a data audit. You will need to consider the following:

a) Each piece of data you collect and process.  This will be things like the tenant’s name, phone number, email address, landlord reference, bank details, next of kin, previous addresses, rental payment records etc…

b) Make a note of where you get the data from. For example, from their application form, from their previous landlord, from a credit referencing agency, or they give it to you in order to arrange a viewing (name, phone number and email address).

c) Consider the reason why you collect it.  For example, you collect the prospective tenant’s name and number in order to arrange a viewing, and also use it to communicate during the tenancy. You might also use it to pass to a debt collection agency in the event the tenant owes you money.  You collect their landlord reference in order to determine whether they are suitable for a tenancy.  You collect proof of immigration status in order to comply with your Right to Rent obligations.

d) Who it is shared with.  I guarantee this will be more people than you originally think of!  Your accountant, your Virtual Assistant, bookkeeper, the cloud management program you store the details in, your Xero or Quickbooks accounting software, any survey software you might use, contractors, letting and managing agents, the Deposit Protection company you use, the council, utility companies, debt collectors, any potential new owner of the property etc…

e) Are any of these third parties based outside the EEA?  There are strict rules on transfers to third parties outside of the EEA.  Check whether the country you transfer data to has an adequacy finding or, if the third party is in the United States, check they are certified under the Privacy Shield. You might have a remote worker based outside the EEA, or some of the software you use may be based in the US (like Xero for example). This information will need to be added to your Privacy Notice.

f) How long you need to hold it for.  There is a requirement that you do not hold the data for longer than is necessary.  Having said that, there are a few reasons why you should hold the data for specific time periods. 

i)  Tax records need to be kept for 6 years from the tax year end date in case HMRC decide to investigate you for any reason.

ii)  Any records that relate to the contract you had with the tenant (which would include any communications and contact details, rental records etc) need to be kept for 6 years from the contract end date in the event there is a dispute over the contract for any reason. 

iii)  Immigration documents proving a tenant’s Right to Rent must be held for 12 months after the termination of the contract.

iv)  Any other details that don’t apply to the above (e.g., people who contacted you for a viewing, but never entered into a contract) can be kept for an unspecified period of time, but not longer than is necessary. It’s up to you to decide whether that period of time is 1 day, 1 month or 1 year.


Putting it all into a spreadsheet will be helpful.  It would look something like this (columns: data item, where collected from, why, who shared with, in or out of EEA, how long for):

Data item: contact details (mobile & email address)
Where collected from: given by prospective tenant at viewing stage
Why:
  • for contact to book a viewing and during the application process
  • for contact during the tenancy
  • to pass to the DPS
  • to pass to contractors, if necessary
  • to pass to debt collectors
Who shared with: DPS co, contractors, letting/managing agent, debt collectors, cloud management software, referencing agencies, other landlords, the council, utility companies
In or out of EEA: In
How long for: hold for 6 years after termination of contract (length of time tenants are able to seek a claim against you for any reason)

Data item: employer / landlord / character ref
Where collected from: supplied by landlord / employer / character ref
Why:
  • to determine tenant’s suitability for a tenancy
Who shared with: cloud management software
In or out of EEA: In
How long for: hold for 6 years after termination of contract (length of time tenants are able to seek a claim against you for any reason)

Data item: immigration status (eg biometric residence card, visa docs)
Where collected from: given with application
Why:
  • to determine right to rent
Who shared with: cloud management software, the Home Office
In or out of EEA: In
How long for: hold for one year after termination of contract

Data item: rental records, tenancy agreements
Where collected from: created by me
Why:
  • to manage rent payment activity
  • for the purpose of submitting accounts to HMRC
  • to have a written record of the terms
Who shared with: accountants, bookkeepers, HMRC, letting/managing agent, debt collectors, cloud management software, referencing agencies, other landlords
In or out of EEA: In and out
How long for: hold for 6 years after the relevant financial year end (length of time HMRC are able to open an investigation against you for any reason)


This is just a sample of what a landlord’s data audit would look like.  Obviously, there’s a lot more detail that can and should go into this, but I’d suggest trying to strike a reasonable balance of thoroughness and simplicity.  The information you come up with here is what will go into your Privacy Notice, so try to consider all reasons why you collect data and all persons/organisations you share the data with so this can be declared transparently to your tenants.

You may disagree with some of my reasons for holding the data, or who you share with, or for how long you will keep each item of data too – and that’s absolutely fine.  So long as you come up with your own reasons for each of the sections above and keep that analysis on file, you will have demonstrated your compliance with the regulations in the event you are ever investigated.


3. The next step is to consider the lawful basis for holding each piece of data.  I find it easier to think about the lawful bases in the following way:

a) legal obligation (data collected to fulfil a duty required of you by law)

– data collected on behalf of the Home Office (Right to Rent)

– using contact details to inform tenants about gas safety inspections

– data collected to pass to the Deposit Protection organisation you use

b) contract (data collected for the performance of a contract)

– data used in order to enter into the contract

– data used during the performance of the contract (contact details, rent payment info, any notes and communications both during the term of the tenancy and in relation to the tenancy)

c) legitimate interests (covers a few different situations).

– data collected in order to protect the legitimate interests of the business. 

– data shared in order to protect the legitimate interest of the business. 

– data shared during the typical course of business. 

– communication with an existing customer (tenant).  For this one, you need to balance your legitimate interest as a business against the rights of the tenant.

– data collected before the contract is formed to determine the tenant’s suitability for the tenancy

– contacting the tenant with further information, products or services relevant to renting from you (eg, info on other properties available and finder’s fees paid to tenants, cleaning services offered, room decoration services offered etc).

– passing data to a debt collection agency, the utility company or the council, and storing data in the cloud management program

d) consent (you should not need to rely on the lawful basis of consent for any dealings with your tenants).

Due to the above, you will not need any opt-in tick box where the tenant gives their consent to you collecting and holding their data (this is only needed for the lawful basis of consent).  However, you will need to explain your basis for collecting and sharing their data in your privacy notice.

4. Update your privacy notice (GDPR is more comprehensive than the Data Protection Act so your current privacy notice won’t be compliant).  I recommend joining the RLA if you are not already a member, download the template privacy notice they are creating, and adapt it to suit your needs (you will use the results of your data audit to make the adaptations).

5. Assess how you store the data and make improvements where necessary.  E.g., if you have paper files in a cupboard, decide whether to shred them or move them to a lockable filing cabinet.  If you have any computer programs or mobile phones containing contact details or other data that have no password protection, set up passwords.

6. Check your data processors are GDPR compliant.  Contact all companies/individuals you work with that process your tenants’ data and ask for a copy of their processor agreement (eg, Xero, Quickbooks, ArthurOnline, Survey Monkey, your letting/managing agent, your contractors, your Virtual Assistant, the deposit protection organisation you use etc).  I have contacted many of these myself, and no-one is really ready yet (as of April 20th).  I know there is this deadline of May 25th, but as mentioned in my previous article, the ICO will not penalise you if your processors haven’t provided a processor agreement by the deadline.  It’s not something you should let hang for too long though.  At the end of the day, you are the data controller, remember, and the data controller is ultimately responsible for making sure everything is up to scratch.  A further note here: if you prefer to be in control of the terms of the processor agreement (as I do), I recommend downloading the GDPR pack by Suzanne Dibble, which has all the legal docs you could possibly need regarding GDPR.  There’s a link at the bottom of this article to her pack.

7. Review your processes periodically.  For a small business (fewer than ten employees), reviewing bi-annually or annually would be sufficient.


Is all of this really necessary?

What is the likelihood that the ICO will come knocking on your door?  In all honesty, not very high.  However, as individuals become more aware of their rights, there is a possibility that a disgruntled tenant or competitor could report you, triggering an investigation.  If the ICO do investigate and you are not able to prove you have carried out a data audit at the very least, then I suspect the ICO might be forgiving for a first offence, but as time passes there will be a greater expectation that businesses have got data protection correctly in hand.

To make your life easier, join the RLA and download their Privacy Notice for Landlords.

And for landlords with a bigger operation (perhaps you also have a lettings/managing agency), or own a business in a different industry, there is a LOT more to GDPR than I have gone into in this article that will also relate to you, so I highly recommend purchasing the GDPR pack from Suzanne Dibble that I mentioned above.  You can use this link to find out what’s included and to buy the pack https://jz993.isrefer.com/go/gdpr/Abagail