As a landlord, you’ll have a lot on your plate – but that doesn’t mean that you can neglect your responsibilities when it comes to the data you have about your tenants. If you don’t hit the mark with your data processing and security, the consequences can be costly – so it’s worth getting up to speed on!
The General Data Protection Regulation (GDPR) was introduced in 2018 and is the toughest privacy and security law in the world. Drafted by the European Union (EU) but applying to anyone across the world who holds data about people within the EU, GDPR protects individuals’ personal data and their right to privacy.
Personal data encompasses any information relating to an individual which can be used to directly or indirectly identify them. This includes things such as, but not limited to: names, email addresses and other contact details, gender, ethnicity, religion, political opinions, location, biometrics and pseudonymous data.
The UK introduced the Data Protection Act 2018 as its implementation of GDPR. This act ensures that personal data is used fairly, is accurate, is used for explicit and relevant purposes and, among other things, is kept for no longer than is absolutely necessary.
Now that we’ve briefly explained the basics of GDPR, it’s time to consider GDPR and landlords, including if landlords need to register for GDPR and the consequences that landlords could face for breaching GDPR.
Does GDPR apply to landlords?
If a landlord stores information about their tenants such as their name, phone number or email address, then they will need to comply with GDPR. The likelihood of this information being collected and stored is incredibly high if not certain, so GDPR will almost always apply to landlords.
Most of this data will be sourced from tenancy applications, including additional information such as bank account details, current address, personal income and more. Data protection for landlords includes not only what information is collected, but how it is collected, stored and processed.
Landlords should make sure that they are up to speed with data protection, accountability and data security to ensure they are always working within GDPR guidelines.
GDPR and landlords
Now that we’ve established that landlords should be up to date with and on top of GDPR for their tenants, it’s time to answer some of our most frequently asked questions about GDPR and landlords.
Do landlords need to register for GDPR?
Landlords and every UK-based organisation or sole trader that processes and stores personal data about EU citizens will need to register with the Information Commissioner’s Office (ICO) and pay a yearly fee. However, some people are exempt from this; you can find out on the ICO website if you are required to pay a data protection fee to the ICO.
GDPR should never be an afterthought, especially for landlords who can get distracted with their day-to-day landlord responsibilities. There can be serious – and expensive – consequences for breaching GDPR, which we will discuss later in this blog.
GDPR compliance for landlords
In order to ensure that as a landlord you comply with GDPR, there are some important steps to take to protect your tenants’ personal data.
- Get permission from tenants to store their personal data. Securing written permission from a tenant for you to store and process their personal data is an absolute must. For landlords, this consent is often assumed from a signed contract, where the personal data is obtained from the contract.
- Only ever use data for the intended purposes. As a landlord, tenants provide personal data so that their suitability to rent can be assessed, and so that you can contact them about important information relating to their tenancy. Using their data for anything other than what they have agreed to is a breach of GDPR.
- Keep tenant personal data safe and secure. Whether you use a traditional paper filing system or the cloud, data security is absolutely essential. Keep all records safely behind lock and key – literally or with secure passwords.
- Only keep personal data for the necessary amount of time. Once the tenant’s personal data is no longer needed, you should destroy it. It is important to let the tenants know how long you will keep their personal data for, as well as how you will destroy it.
It is important to consider how you would like your personal data to be treated by companies you interact with and act in a responsible and considerate way. You have a duty of care to your tenants, which includes ensuring their personal data is protected.
What are the consequences of breaching GDPR for landlords?
The consequences of breaching GDPR can be hugely costly for businesses and organisations. Under GDPR, there are two tiers of fines that can be imposed on businesses or traders depending on the severity of the infringement.
For less severe infringements of GDPR, a fine of ‘up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher’ can be imposed. This includes breaches of articles that relate to organisations that collect personal data, companies that process personal data, certification bodies and accreditation bodies.
More severe infringements go against the very right of a tenant to privacy and can include how data is collected and stored, the purposes it is stored for, whether consent to use personal data was obtained and the transfer of personal data. If these basic principles of privacy and data security are not met, then the company or sole trader could be met with a ‘fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher’.
While reading the whole of the GDPR and becoming familiar with your responsibilities may take some time, it will be time well spent in order to avoid a costly fine. We always recommend seeking legal advice if you are unsure of how GDPR can impact you and your tenants.
Discover our landlord services to help make managing your properties easier at Stanfords.