What is GDPR, and does it apply to landlords?
Landlords need to be aware of and if its applicable they need to comply with the data protection legislation. All landlords must familiarise themselves with the GDPR legislation.
Landlords are known as “Controllers” for the purpose of GDPR legislation and have legal obligations under the GDPR legislation. Also, unlike the old legislation processors, they now have statutory duties in their own right under the GDPR.
Individuals (includes tenants) and supervisory authorities like the ICO can hold both controllers and processors responsible if they fail to comply with their responsibility under GDPR. Any landlord not complying with the GDPR legislation could face a hefty fine.
The GDPR legislation also includes some specific requirements which are directed at joint controllers. The full list is accessible on the ICO website (link below) should you wish to read it.
Landlords & Personal Data
The ‘GDPR data controller’ is the organisation (like a landlord) that decides how and why tenants personal data is processed.
Under GDPR Data Controllers are legally obliged to: Protect personal data against compromise or loss. They need to implement adequate technical and organisational measures to secure data.
To let property a landlord needs the tenant’s consent to carry out credit checks etc. The landlord (processor) needs to ensure they comply with GDPR during the letting process.
Review the GDPR provisions, if you choose a lawful basis for processing, then you will need to document your rationale for your actions or inactions.
Note: If you choose “consent” as your lawful basis, there are extra obligations that you must adhere to. These include giving data subjects (tenants) the ongoing opportunity to revoke consent.
To process personal information, landlords must have a “lawful basis” to process the data.
Landlords who store, use, or delete tenants personal information (such as name, email, telephone, etc.) using an electronic device (mobile phone, computer, etc.), then they should be registered with the ICO.
Documenting Processing Activities
One of the essential first steps to complying with GDPR is to document processing activities. By doing this, you will be able to establish what personal information you hold, who it is shared with and how long it is retained.
Landlords will need information from a prospective tenant for the purpose of pre-tenancy consideration, during and after the tenancy has ended. It is vital landlords obtain tenants written consent, so it enables them to receive relevant information from 3rd party sources before granting a tenancy.
This information can be obtained via a tenancy application form. The tenancy application should contain relevant text to deal with:
- Pre-tenancy credit & reference checks.
- Managing the tenancy, consent to enable the landlord to speak to the council, utility companies etc.
- Post tenancy – to disclose information to the utility companies, the council, tracing companies (if the tenant has left a debt and not given a forwarding address) such like.
The tenancy application is the pre-tenancy stage and almost the first real contact with the prospective tenant. So, it is best to obtain consent to deal with privacy and to put them on notice how the data is going to be used.
All residential tenancy agreements should ensure it contains relevant clauses to enable the landlord to deal with various common issues. The tenancy should include text that would enable the landlord to deal with the tenants:
Housing Benefit – to be able to freely speak to you about payment of rent to the tenant or you directly.
The British Landlord Association 2020 tenancy includes clauses for GDPR.
Source: British Landlords Association
Author: Amanda Goldsmith [email protected]
Date: 1st of November 2020