How Letting Agents and Landlords Should Handle Tenant Data, in order to Comply with GDPR Changes

Rose Jinks - January 2, 2019

Written by Mandy Webster, data protection auditor and trainer at Data Protection Consulting Limited.

GDPR (General Data Protection Regulation) is embedded in UK law by the Data Protection Act 2018, and Brexit legislation will ensure that it continues to apply after March 2019. GDPR is a step up from the Data Protection Act (DPA) 1998, but the Information Commissioner (the UK regulator for data protection) was keen to point out that compliance with the DPA 1998 was a good basis for compliance with GDPR. So, although some aspects are tougher, the basic data protection framework remains the same.

Personal data processed for domestic purposes is exempt from data protection law. But, as a landlord, your activities with tenant data are regarded as business activities and the law applies. So, what are the key points to review?

1 Security

Security is a key principle of data protection. Personal data should be secured against unauthorised access, amendment or deletion/destruction. This splits down into: IT security, making sure you have adequate virus protection and secure firewalls to safeguard data; organisational security, ensuring that staff know how to keep passwords secure and to avoid phishing and other online scams; and physical security for offices, paperwork and portable data storage, and access devices, such as tablets, laptops, mobiles and hard drives.

GDPR states that businesses are responsible for compliance with the principles, including the security principle. It also states that organisations should be able to demonstrate how they comply. This means having appropriate policies and procedures in writing around IT security, password management and access rights, office security, bring your own device, and mobile working. It also means training staff about their responsibility for data security, and signposting these policies and procedures.

Personal data breach reporting

A new requirement under GDPR is mandatory security breach reporting. Before GDPR, businesses were encouraged to report data security breaches, but it was a voluntary reporting scheme. GDPR sets out that personal data breaches (that is, incidents that put personal data or subject rights at significant risk) must be reported to the Information Commissioner within 72 hours of becoming aware of the incident. In some cases, where the individual can take action to protect themselves, for example, by cancelling a debit or credit card, the security breach has to be announced to data subjects. Having a personal data breach reporting procedure for staff to follow if a breach occurs is strongly recommended.

2 Risk management and whether size matters

A key feature of GDPR is that it encourages businesses to adopt a proportionate approach and put in place security appropriate to the circumstances of the processing. This does not mean that small businesses can opt out, but businesses that do not process very much personal data, or which have little sensitive data, perhaps just email contact details, name and job title, for example, can be less stringent in their security set up.

If you take an honest view of the data that your business processes as a landlord, you will discover that you hold a lot of information, some of it sensitive, about tenants and possibly third parties associated with them, such as guarantors and household members. So, the fact that you might have a small business is irrelevant; it is the amount and type of data that informs risk management.

Data minimisation is another data protection principle, and it is worth considering what personal data you actually hold and how much of it needs to be retained long-term. If you carry out Know Your Customer checks, do you need to hold onto copies of passports and birth certificates in all cases, or just record that you have seen them? Do you need to hold onto those copies forever, just until the next audit, or until the tenant gives up the tenancy? Your answer will vary depending on the financial regulations and proving the right to live in the UK.

If an agent is used to manage the day-to-day administration of the property portfolio, consider whether the landlord needs any information that is personal data above the basic name and contact details of individual tenants. As long as the agent has complete records, the landlord needs minimal information. Data minimisation is the key to data protection compliance, as it necessarily reduces the risk of holding personal data.

3 Changes to outsourcing arrangements

Under the Data Protection Act 1998, if a business outsourced some of its activities involving data processing, it was under a statutory duty to carry out security compliance checks and to have a written contract in place. Under GDPR, both those compliance requirements carry on, but the terms of the contract have been extended, so, if you use a mailing house to send out rent invoices, or an agent to liaise with tenants, or a payroll service to manage your staff payroll, you will need an update to the contract terms.

4 Changes to subject rights

Most businesses are aware of the right of Subject Access. That is the right of every one of us to access personal data that relates to us that is processed by an organisation. That right continues under GDPR, but the practical arrangements have been updated. A request received electronically must be answered electronically, unless you can agree otherwise with the data subject. Instead of 40 days in which to respond, businesses now have one month and one business day in which to respond. Importantly, the £10 fee for responding to a subject access request may no longer be charged. To charge a fee for the exercise of any subject right is an offence under GDPR, subject to the highest potential level of fine.

Other subject rights continue to apply: the right to object to processing, the right to object to the use of personal data for direct marketing purposes, and the right to object to automated decision making. New subject rights have been introduced in certain circumstances:

  • To allow data portability, where a data subject decides to change from one online service provider to another;
  • Restriction of processing to require organisations to lock down personal data or not to delete it if the data subject requires it to be maintained;
  • Right to erasure of personal data that is no longer required for the purposes for which it was being processed; and
  • Right to specific information about what personal data is being held, the purposes for which it is processed, how long the data will be retained etc. This is known as a privacy notice.

5 Accountability

Another aspect of Accountability is the requirement to appoint a Data Protection Officer (DPO) where:

  • The controller is a public body
  • The personal data is processed for monitoring individuals on a large scale
  • The personal data includes a significant amount of special category data relating to mental or physical health, race or ethnicity, religious or philosophical beliefs, political opinions, sex life or sexuality, TU membership, genetic or biometric data
  • The processing presents significant risks to the personal data or rights of data subjects

Note that Property Management was an activity requiring registration under the 1998 Data Protection Act, so it has always been recognised that the activity is not without risk. The number and type of properties being rented will impact on the decision of landlords to appoint a DPO. In general, a big rental business is more likely to require a DPO, especially if there is CCTV in multi occupancy premises, than a smaller undertaking, where perhaps just a couple of properties are rented out.

6 Consent

There was a frenzy of activity around the introduction of GDPR, with organisations seeking to obtain consent to marketing. This was an ill-informed reaction to GDPR and mis-timed. The requirement to obtain specific, positive consent to direct marketing from individual consumers was introduced back in 2003. GDPR simply clarified for us that consent is an informed, positive action, not to be hidden in terms and conditions, not to be conditional to enter a competition or receive a service, not to be a pre-ticked box or assumption of consent (for example: “By continuing to use this website we assume that you consent to…”). Consent is also revocable.

In general, landlords are not relying on consent when they process personal data relating to tenants. There is a lease agreement with a tenant, which is a form of contract. Processing necessary under the terms of a contract is the appropriate grounds for processing tenant data. Pre-contract, the grounds are that the processing is necessary prior to entry into a contract. This would also be appropriate in relation to guarantors. If personal data relating to household members of tenants is required, then the appropriate grounds would be processing in the legitimate interests of the landlord to know who is in occupation at the premises for health and safety, and fraud prevention purposes.

So, GDPR expands on some of the existing data protection requirements, but the basic framework of security, keeping people informed and data minimisation are still key aspects of compliance. As landlords, you are data controllers, and you will be expected to have policies and procedures in writing. This is a critical part of your defence, should there be a security breach or complaint investigated by the Information Commissioner. Demonstrating accountability is a statutory requirement.