Dear Barry

My question is about the new General Data Protection Regulations (GDPR). There has been a lot of confusing, conflicting information in the media and online and I wondered if you had any advice specific to landlords on these new rules? I have three different properties, and as I'm sure you can appreciate, even a small portfolio like this involves dealing with a lot of personal information, from tenants to guarantors to references, and sometimes it can be very sensitive - if a tenant is communicating financial difficulties, or if there are conversations about benefits and allowances, etc. I enjoy news and social media online, but when it comes to business, I still prefer to keep as much of the paperwork on actual paper as possible; does this matter? Would it be better to computerise all of this information - and where would I start? What do I need to know and what kind of systems should I put in place to make sure I'm doing what I should do to protect the data I'm handling?

Yours sincerely,
Mr B. Cooper

Mr Cooper, you are a man after my own heart - although I have mastered the art of blogging (he said, modestly), the world of electronic data and communication moves at a dizzying pace and it's difficult to keep up.

Many of our landlords prefer more traditional methods of record-keeping, and while there is a lot to be said for the convenience and traceability of computer communications, I can understand why you prefer to keep it primarily paper-based too.

I won't claim to be a GDPR expert and would urge you to use this article as a guide and a signpost rather than an instruction manual - consult a professional data protection expert for any major decisions or strategies in this area.

However, I consider the pointers below to be a good start in wrapping your head around what's expected of you and some good sources of further information.

What is GDPR?

General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It came into effect on May 25th 2018.


So, what does a landlord need to know about GDPR?

Firstly, if you haven't already (and unless you are exempt), you need to pay a fee to the Information Commissioner's Office (ICO). For sole traders and very small operations, this is usually an annual fee of around £40. 

Take the ICO's self-assessment quiz to check if this fee applies to you.

Secondly, I believe there is no need to computerise your data if your current systems are working well for you. As long as you document and monitor your data activities, I see no reason why a paper-based system puts you at a disadvantage in terms of GDPR.


Data Controller or Data Processor?

You are considered to be the Data Controller for the personal information you handle in relation to letting out your houses. It's your business and it's you making the final decisions on what data is processed and what's done with it.

As an agent, my company acts as Data Processor for our landlords. Both have important responsibilities in how we collect and use personal information.

The Information Commissioner's Office (ICO) explains:

  • The GDPR applies to ‘controllers’ and ‘processors’. 
  • A controller determines the purposes and means of processing personal data.
  • A processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
  • However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
  • The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

From your letter it sounds as though you are managing the properties yourself, but if you do opt to use an agent to manage your properties, make sure they have robust data protection systems in place - ask them to talk you through their policies and procedures.


What personal information do you process?

Once you've paid your fees and figured out what hat is worn by whom, it's time to map out exactly what personal information you process. Personal information is any information that can be used to identify an individual.

This can include (but isn't limited to):

  • Name
  • Date of birth
  • Driving licence number
  • Car registration
  • Email address


Then make a list of any sensitive information you might collect - that's personal information that can identify someone's racial or ethnic origin (not nationality), political opinion, religious or philosophical belief or trade union membership, genetic data, biometric data, data concerning health, or sexual orientation.

This can include (but isn't limited to):

  • Hospital or Health & Social Care number or identifier
  • Requests to update a property to accommodate a disability

How do you process the information?

For each piece of information you collect from tenants and potential tenants, you should map out its journey through your business (even if you are a one-person operation) - write it all down.

  • What is collected and how (paper form? Phone call?)
  • What will you use this information for? (Contacting the tenant, processing a tenancy application?)
  • How do you store it? How do you ensure the storage is secure?
  • Who do you share this information with?
  • Is it sensitive?
  • How long will you keep it?
  • How will you dispose of it when you no longer need it?

Once you've done this, congratulations - you just performed a full audit of your data processing activities.

You also now have a very useful reference document for both assessing and demonstrating your GDPR compliance.

Do you need tenant consent to hold their personal info?

In a word, no. You can, but you don't have to by law.

There are 8 lawful bases for processing personal data:

  • Consent
  • Contract
  • Legal obligation
  • Vital interest
  • Public task
  • Legitimate interests
  • Special category data
  • Criminal offence data

You are processing it in the performance of a contract and also as a legitimate interest.


GDPR in a nutshell

  • Personal information is any information that could identify an individual
  • You have to have a specific, lawful purpose for processing personal information and collect and use ONLY the info you need
  • Consent is one of several lawful bases for processing information about an individual
  • You have to protect that information, ensure it's only accessible to those who need access, and that it is only held for as long as it's needed. You've also got to make sure it's disposed of correctly.
  • People have the right to access information you hold about them, correct it and even have it erased entirely once you no longer need it. Have a plan and a process for each possible scenario. 
  • You must document your activities in relation to processing data
  • You must be registered with the ICO and pay an annual fee 

Further reading

A very comprehensive guide from the Residential Landlords Association

A full breakdown of all aspects of GDPR by the ICO


I hope this has been useful to the rest of the blog's readers. It's important to note that I received and replied to this question before the legislation came into effect. I get a lot of questions and try my best to answer them all, so the blog's content slots fill up rather quickly.

I felt it was worthwhile sharing my response as there are still people wrapping their heads around the rules and getting their houses in order.

Are you one of them? Do you have any other questions or want to share your experience of GDPR as a landlord that others could learn from?

Drop me a line to the usual address -