On 25th May this year, the new ‘General Data Protection Regulation’ (GDPR) came into force, giving individuals greater rights over their personal data and more control over their privacy. This will have an impact on the way landlords and agents can collect and hold tenants’ personal information. The new legislation has been introduced EU-wide, and the Government has stated that it will continue to apply even after Brexit.
The good news is that if we let and manage your property, we’ll take responsibility for making sure all the information we collect from your tenants meets the new standards. Even so, it’s important for you to know about the new rules in case you hold any tenant data yourself – or in case you do so in the future. More importantly, if you’re currently self-managing, it’s absolutely vital that you know and understand your responsibilities under this new legislation.
What is GDPR?
The new rules mean that landlords and agents will have to be more selective about the amount of tenants’ personal data that is collected and processed and store the information more securely than they’ve had to until now. One of the biggest changes is that you’ve now got to get a tenant’s explicit consent to hold and use their personal information in specific circumstances.
That means you’ll have to provide your tenants with clear information about:
- What information you need from them
- Why you need it
- Which other people/companies will also get that information
- What those other people/companies will be doing with it/why they need it
For example, we use a credit-checking agency as part of our referencing process, so we provide prospective tenants with paperwork that explains this and access to our Privacy Notice that clearly states:
- Exactly what personal information we need
- Where and how we hold that information
- Details of the agency we’re going to pass that information on to
- That it’s for the purposes of checking whether they’ve ever been bankrupt or had a CCJ against them.
Six steps you should take now
- You will need to register with the ICO for which there is an annual fee based on the size of your business. Even if you are a landlord renting out just one property, if you manage it yourself, you should register. If you are in any doubt, the ICO have a helpful self-assessment questionnaire on their website.
- If you use a managing agent, ask them to confirm in writing to you that they are – or will be – fully compliant with GDPR, or ask to see their Privacy Notice. If an agent handles the tenant find but you then manage the property yourself, you’ll need to speak to them to clarify who holds what tenant information. You’ll also need to check that the tenant has been properly informed of this.
- If you hold any tenants’ personal data yourself – email addresses, dates of birth, phone numbers, passport scans, bank details, etc. – you’ll need to complete an audit; i.e. you will need to document all the personal data you hold, where it came from and who you share it with. If you’ve still got any personal information for ex-tenants, destroy it. The only exception is copies of passports, which you have to keep for 12 months after the tenant leaves, by law.
- If the consents you’ve already got from tenants don’t meet the new GDPR criteria, you’ll have to refresh consents. That means going back to your tenant(s) with documentation that states exactly:
  - What information of theirs you have, and why
  - Where it’s held
  - Who else holds it and why
  …and then you will need formal confirmation that they agree to all the above.
  If you’re not sure whether you have any “consents”, review your tenancy agreement, as this may hold that information.
- Appoint a “Data Protection Officer” (DPO). This sounds very formal but it just means that someone in your business must be responsible for ensuring that you are managing the use and security of tenants’ information and that you have processes in place to do so. This could be you, or someone else.
- Make sure all documentation associated with the tenancies and the tenants’ information is properly signed, dated and stored, ideally electronically.
What's the risk if you don't take any of these steps?
If the security of tenants’ personal information is compromised – e.g. if someone breaks into your home office and steals hard copies or hacks into your digital storage – you have to let the tenants know and report it to the Information Commissioner’s Office (ICO) within 72 hours.
It’s really important you take care to follow the guidelines, because if something goes wrong and you’re investigated, and then the ICO decides you’ve breached GDPR, they can levy the following penalties:
- For minor breaches, an undertaking to improve
- Fines of up to £17m (or 4% of turnover, whichever is higher)
- In the future, possibly prison sentences for the most serious criminal offences (not yet in force).
5 Top tips for securing tenants' data
- Store information in as few places as possible – do you really need both a hard copy and a digital copy?
- Keep hard copies, and USB sticks holding digital information, in a locked cabinet or safe.
- Make sure your WiFi network and all devices are password protected – never use the default password that came with the device.
- Store digital data with a cloud-based service that keeps the data within the EEA, because that passes the responsibility of keeping it secure to the provider. Their security is also likely to be stronger than that of a home office, for example. (Cloud storage must be in the EEA unless the tenant has agreed to their data being stored outside it, or your provider can offer suitable alternatives such as Privacy Shield standards for the USA.) Remember this includes the phones and tablets you use.
- Permanently delete any data you no longer need, remembering to clear computer ‘recycle bins’ and caches.
GDPR also gives your tenants the right to request that you provide them with a copy of any data you hold about them and the right to request the correction or deletion of information. You need to ensure that you have the necessary processes ready to do this.
For further information, visit the Information Commissioner’s Office.