Apr 12, 2020 | Articles, GDPR

GDPR for Landlords

Howard Freeman

Howard Freeman

yellow and black spiral light

What Landlords need to do in order comply with GDPR and how a specialist agent can help without breaking the bank.

What is GDPR (General Data Protection Regulation)?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. The GDPR is designed to protect and empower all EU citizens’ data privacy. The GDPR will change the way organisations across Europe approach data privacy. Our GDPR for Landlords packages are designed to help you achieve compliance.

Does it affect landlords?

It does. Why? Well, landlords typically use and store their tenant’s personal information (e.g. name, email address, phone number, previous addresses and ID documents etc) in some form or another. Landlords are legally required to comply with GDPR, basically, as landlords, you need to process and control tenant’s information in a transparent fashion, which includes explaining:

  • What personal information you collect
  • Why this personal information is required
  • How you might use their personal information (including who the information might be shared with), and ensuring you only use it in that way (unless there are overriding legal precedence requiring the information)
  • How long their personal information is kept
Landlords are legally required to comply with GDPR

What should I do to comply?

Here is what you need must do:

Ensure you are registered with the ICO.

If you are a landlord or letting agent – you should already be registered with the Information Commissioners Office. The Information Commissioner is the government department that enforces the Data Protection rules.

Everyone that holds and processes (i.e. uses) data electronically needs to be registered.  There are very few exceptions and they probably won’t apply to you. If you are not registered, you need to get this done asap – check the ICO website here. The cost is £40 if paid by debit card or £35 by direct debit, the latter will auto renew every year and is the recommended option.

Create a list of the type of data that you hold

So, for example, if you are a landlord or letting agent:

  • You will hold personal details about your tenants.
  • If you are a letting agent, you will have details about your landlords.
  • You may also hold details about ‘prospects’ e.g. your mailing list, for example. This will apply if you regularly send information, promotional emails or letters to prospective landlords or tenants

Create a list of the places where it is held

For example, if you are receiving this post via email, then I will hold some details (your email address and maybe your name) on my CRM which is my database.

There will probably be more than one place where you hold data. For example, your Customer Relationship Management (CRM) software, any separate service used to send out newsletters such as Constant Contact or MailChimp and in your accounting software. Data is also stored in your email system.

Data sources
There will probably be more than one place where you hold data. For example, your Customer Relationship Management (CRM) software

Check that these providers are GDPR compliant

If data is held online, it should be on a secure site and be password protected. However, there is more to it than that. You need to contact your service provider to find out what they are doing.

Most of these services are fully aware of the new rules and should have a policy statement somewhere. Find out where it is and keep a record of it. Most reputable services will ensure that they are compliant. If they are not, find a service that is.

But remember, if you input people’s data onto these services, you are responsible for its safety as you are the Data Controller, whilst the service provider is a Data Processor.

Check that you have permission from people to use their data in the way that you are using it.

For example, if a prospective tenant gave you their email address in connection with an application for a tenancy.  This does not mean that you her permission to send marketing mailings to them. Only use data for the purpose for which you acquired it. If the tenancy application is unsuccessful, you should you have a policy in place for the deletion/destruction of the data.

If you are using data from a purchased list to send out marketing emails you need to be very careful. You will need to prove that the recipients have opted in to receive information about the service you offer. 

If you are using an in-house mailing list that you created, it is worth trying to re-consent the recipients. If they are clients, then this does not matter. Therefore, you don’t need permission to process your tenant’s data.

Create a Privacy Notice on your website

A Privacy Notice needs to set out in detail what you do with people’s data and inform people what they can do if they want to unsubscribe or to get their data deleted. Do not call this is a Privacy Policy as this built in to your overall GDPR Data Protection Policy. Do not be tempted to copy one from another web site. Their processes will be different than yours so this will mean nothing.

Once you have this set up you should link to it from all your mailings, particularly any automatic mailings. If you don’t have a website, or when dealing with tenants, provide a printed notice or pdf which you can give to tenants and prospective tenants.

Appoint a Data Protection Officer

By law, as a business with under 250 employees, you don’t need one. However, a responsible person should be appointed. If you are a single person landlord, this will be you.

The Data Protection Officer’s job is to monitor compliance, ensure that your employees are informed of their duties under the regs, and to be the first point of contact for members of the public contacting you about data protection issues, and also the authorities (i.e. the ICO). Generally, the Data Protection Officer will be responsible for compliance within your organisation.

They should be someone of reasonable empowerment and have the authority to make any necessary changes.

No matter the size of your business, you should arrange for your Data Protection Officer to have suitable training. We can provide that for you. Alternatively, you can outsource it to us. The details of our service can be found here.

GDPR for Landlords
This may take the form of a Data Deletion Register, Data Deletion Register, Internal Breach register and will link to the Data Asset Register.

Keep a record of actions taken

Create a record to list any work you have carried out in relation to the GDPR. So, if the ICO contact you about a breach you can show them that you are taking it seriously. You will also know how to handle a breach.

A Data Deletion Register, Data Deletion Register, Internal Breach Register and will link to the Data Asset Register are all form of recording the work you have completed.


Consent is an important part of GDPR. So, is a tenants consent necessary to process their personal information?

If a tenant is prospective or current then you do not need consent to process. However, transparency rules do still apply.

Using a letting agent?

If you’re using a letting agent to manage the tenancy applications, then they are the Data Controller. You become the Data Processor, but you are still responsible for keeping the data safe. In this situation, you must sign a Data Processing Agreement with the Agent.

How we can help you

If all of that sounds painful or a lot of work, don’t worry. The GDPR Compliance Consultancy has three specifically designed packages to help you. The pricing is set at a realistic level so you wont need a mortgage to achieve compliance and, the service is at a fixed price. The details of which can be found here.

You do need to be compliant and with prices starting from a little as £195 + VAT, there is really no good reason not to be.

Call us today on 03333 22 1011 or contact us here.


Can we help?