GDPR (General Data Protection Regulation) is embedded in UK law by the Data Protection Act 2018, and Brexit legislation will ensure that it continues to apply after March 2019.
GDPR is a step up from the Data Protection Act (DPA) 1998, but the Information Commissioner (the UK regulator for data protection) was keen to point out that compliance with the DPA 1998 was a good basis for compliance with GDPR. So, although some aspects are tougher, the basic data protection framework remains the same.
Personal data processed for domestic purposes is exempt from data protection law. But, as a landlord, your activities with tenant data are regarded as business activities and the law applies. So, what are the key points to review?
Security is a key principle of data protection. Personal data should be secured against unauthorised access, amendment or deletion/destruction. This splits down into: IT security, making sure you have adequate virus protection and secure firewalls to safeguard data; organisational security, ensuring that staff know how to keep passwords secure and to avoid phishing and other online scams; and physical security for offices, paperwork and portable data storage, and access devices, such as tablets, laptops, mobiles and hard drives.
GDPR states that businesses are responsible for compliance with the principles, including the security principle. It also states that organisations should be able to demonstrate how they comply. This means having appropriate policies and procedures in writing around IT security, password management and access rights, office security, bring your own device, and mobile working. It also means training staff about their responsibility for data security, and signposting these policies and procedures.
Personal data breach reporting
A new requirement under GDPR is mandatory security breach reporting. Before GDPR, businesses were encouraged to report data security breaches, but it was a voluntary reporting scheme. GDPR sets out that personal data breaches (that is, incidents that put personal data or subject rights at significant risk) must be reported to the Information Commissioner within 72 hours of becoming aware of the incident. In some cases, where the individual can take action to protect themselves, for example by cancelling a debit or credit card, the security breach also has to be announced to the data subjects. Having a personal data breach reporting procedure for staff to follow if a breach occurs is strongly recommended.
2 Risk management and whether size matters
A key feature of GDPR is that it encourages businesses to adopt a proportionate approach and put in place security appropriate to the circumstances of the processing. This does not mean that small businesses can opt out, but businesses that do not process very much personal data, or which hold little sensitive data (perhaps just email contact details, name and job title, for example), can be less stringent in their security set-up.
If you take an honest view of the data that your business processes as a landlord, you will discover that you hold a lot of information, some of it sensitive, about tenants and possibly third parties associated with them, such as guarantors and household members. So, the fact that you might have a small business is irrelevant; it is the amount and type of data that informs risk management.
Data minimisation is another data protection principle, and it is worth considering what personal data you actually hold and how much of it needs to be retained long-term. If you carry out Know Your Customer checks, do you need to hold onto copies of passports and birth certificates in all cases, or just record that you have seen them? Do you need to hold onto those copies forever, just until the next audit, or until the tenant gives up the tenancy? Your answer will vary depending on the financial regulations and on the need to prove the tenant's right to live in the UK.
If an agent is used to manage the day-to-day administration of the property portfolio, consider whether the landlord needs any information that is personal data above the basic name and contact details of individual tenants. As long as the agent has complete records, the landlord needs minimal information. Data minimisation is the key to data protection compliance, as it necessarily reduces the risk of holding personal data.
3 Changes to outsourcing arrangements
Under the Data Protection Act 1998, if a business outsourced some of its activities involving data processing, it was under a statutory duty to carry out security compliance checks and to have a written contract in place. Under GDPR, both those compliance requirements carry on, but the terms of the contract have been extended, so, if you use a mailing house to send out rent invoices, or an agent to liaise with tenants, or a payroll service to manage your staff payroll, you will need an update to the
4 Changes to subject rights
Most businesses are aware of the right of Subject Access. That is the right of every one of us to access personal data that relates to us that is processed by an organisation. That right continues under GDPR, but the practical arrangements have been updated. A request received electronically must be answered electronically, unless you can agree otherwise with the data subject. Instead of 40 days in which to respond, businesses now have one month and one business day in which to respond. Importantly, the £10 fee for responding to a subject access request may no longer be charged. To charge a fee for the exercise of any subject right is an offence under GDPR, subject to the highest potential level of fine.
Other subject rights continue to apply: the right to object to processing, the right to object to the use of personal data for direct marketing purposes, and the right to object to automated decision making. New subject rights have been introduced in certain
To allow data portability, where a data subject decides to change from one online service provider to another;
Restriction of processing, to require organisations to lock down personal data or not to delete it if the data subject requires it to be maintained;
Right to erasure of personal data that is no longer required for the purposes for which it was being processed; and
Right to specific information about what personal data is being held, the purposes for which it is processed, how long the data will be retained, etc. This is known as a privacy notice.
Another aspect of Accountability is the requirement to appoint a Data Protection Officer (DPO) where:
The controller is a public body
The personal data is processed for monitoring individuals on a large scale
The personal data includes a significant amount of special category data relating to mental or physical health, race or ethnicity, religious or philosophical beliefs, political opinions, sex life or sexuality, trade union membership, genetic or biometric data
The processing presents significant risks to the personal data or rights of data subjects
Note that Property Management was an activity requiring registration under the 1998 Data Protection Act, so it has always been recognised that the activity is not without risk. The number and type of properties being rented will affect a landlord's decision on whether to appoint a DPO. In general, a big rental business is more likely to require a DPO, especially if there is CCTV in multi-occupancy premises, than a smaller undertaking, where perhaps just a couple of properties are rented out.
There was a frenzy of activity around the introduction of GDPR, with organisations seeking to obtain consent to marketing. This was an ill-informed and mistimed reaction to GDPR. The requirement to obtain specific, positive consent to direct marketing from individual consumers was introduced back in 2003. GDPR simply clarified for us that consent is an informed, positive action: not to be hidden in terms and conditions, not to be made a condition of entering a competition or receiving a service, and not to be a pre-ticked box or an assumption of consent (for example: “By continuing to use this website we assume that you consent to…”). Consent is
In general, landlords are not relying on consent when they process personal data relating to tenants. There is a lease agreement with a tenant, which is a form of contract. Processing necessary under the terms of a contract is the appropriate grounds for processing tenant data. Pre-contract, the grounds are that the processing is necessary prior to entry into a contract. This would also be appropriate in relation to guarantors. If personal data relating to household members of tenants is required, then the appropriate grounds would be processing in the legitimate interests of the landlord to know who is in occupation at the premises for health and safety, and fraud
So, GDPR expands on some of the existing data protection requirements, but the basic framework of security, keeping people informed and data minimisation are still key aspects of compliance. As landlords, you are data controllers, and you will be expected to have policies and procedures in writing. This is a critical part of your defence, should there be a security breach or complaint investigated by the Information Commissioner. Demonstrating accountability is a statutory
Em is the Content Marketing Manager for Just Landlords, with over five years of experience writing for insurance and property websites. Together with the knowledge and expertise of the Just Landlords underwriting team, Em aims to provide those in the property industry with helpful resources.
When she’s not at her computer researching and writing property and insurance guides, you’ll find her exploring the British countryside, searching for geocaches.
Just Landlords is a trading name of Arthur J. Gallagher Insurance Brokers Limited, which is authorised and regulated by the Financial Conduct Authority. Registered Office: Spectrum Building, 7th Floor, 55 Blythswood Street, Glasgow, G2 7AT. Registered in Scotland. Company Number: SC108909