Helpful Tips Tenancy Management

Call of the Week: General Data Protection Regulation

Call of the week
Landlord Advice
Written by Landlord Advice

The General Data Protection Regulation comes into force in May, replacing the Data Protection Act and creating new responsibilities for businesses including PRS landlords.

Landlords and agents are now preparing the groundwork for this and the RLA’s Landlord Advice Team has received a number of calls on the topic.  This week’s call was a typical one that asked about the basic requirements.

The situation

The member who called was unsure as to where to start when to came to implementing the new rules. We explained the initial steps they should be taking.

By May 25th  2018 all landlords and agents need to ensure their business is compliant with GDPR.  This means auditing how their customer’s personal data flows in and out of the business, checking with any third parties they share information with to make sure they are GDPR compliant, preparing a privacy notice to provide to customers, and developing a data protection policy that sets out how tenants’ details are stored.

The results of this process will be unique to each business’ data protection usage so specific answers on exactly how to comply with GDPR are in short supply for landlords and agents.

Instead they must assess their own business and show that they have thought through the specific requirements GDPR places on them.

Over the course of the next month the RLA will be publishing a number of guides and documents to assist  members in going through this process.

One thing that was certain (until recently) was that landlords and agents would not need to register with the Information Commissioner’s Office (ICO) as part of the GDPR requirements.

This was a change from the old rules where the RLA took the view that landlords and agents must register with the ICO as part of their data protection requirements.

Unfortunately, this has now changed.  The government has introduced additional legislation that makes registration with ICO a statutory requirement.

A fee of £40, £60 or £2,900 is to be paid annually as a registration charge, though most landlords and agents who register now will pay only £35 for the year.

We advised the landlord that along with registering, they should start at the beginning by doing a full audit of all the personal information that flows into the business, how it is used, and how it is disposed of.

We also advised them that they would need to keep good records of this as ICO can ask to see the process by which they came to their final data protection policy. Much like a maths test at school, the GDPR requirements insist that you show how you came to your answer.

This gave the landlord a solid basis to start with and they left to start stage 1 of GDPR compliance.

Rupinder Aujla, LAT manager said: “The requirements of the GDPR can be quite intimidating so it’s good to break down what you need to do into stages.  With less than two months to get ready this will break the work down into more manageable chunks.’

Want to learn more about GDPR? The RLA is hosting Future Renting North conference at the Concorde Conference Centre this April, which includes an update on upcoming legislation from RLA Policy Director David Smith. Find out more and book tickets here.

About the author

Landlord Advice

Landlord Advice

On-demand phone support from our landlord advisors is a big feature of RLA membership and is seen by many of our members as the most important service we offer. You can call the team in total confidence and be assured that the advice you'll receive is friendly, pertinent, up-to-date and practical.

Access to the advice team is FREE for all RLA Members.


  • Are we really supposed to understand this? This is as clear as mud. Surely the Landlord Advice Team is supposed to make things clearer, not drag up some ridiculous idea. What does flowing in and flowing out mean? Are they talking about the tide? For goodness sake, we have two tenants maximum living in our property. With more and more Landlord expenditure we cannot possibly afford all this. Our house is in Wales with low rent, not a London based house or flat, We have ridiculous Rent Smart Wales fes where we have to buy 2 Licences for 1 house, and increasing expenditure as legislation upon legislation is poured on us. Last year after all the spending we ended up with less than 4K profit. Do you seriously think that Landlords are willing to put up with increased spending which does not benefit neither Tenant nor Landlord, but simply creates jobs for the boys. Really, there will be no Landlords left, and where will Councils house all their tenants when this happens. Disgustingly yours

  • There is an interesting exemption where in the schedule it says that the processing is exempt if “of personal data which is not being processed wholly or partly by automated means or recorded with the intention that it should be processed wholly or partly by automated means”.
    So does that mean that manual processing is exempt ? Does that still apply if a computer is used (eg using a spreadsheet for the accounts) ?
    And would that exemption be lost if, for example, using Landlord Vision to automatically flag up late rents and so on ?

    • Hi Simon,

      The vast majority of landlord would storing something at least partly via an electronic medium – which would even include a tenant’s mobile number on a phone, or an email address.
      Using Landlord Vision would be considered a third party that you are sharing data with – as are we at the RLA.

      According to our legal advisers the question you need to ask yourself is:

      Am I processing personal data wholly or partly my automated means?

      If personal data is held electronically or you are using email for communication then you are processing personal data, even if some of the information was collected in written form and not stored electronically.
      Alternatively, if automated means are not involved at all, are you using a manual filing system? This is where structured sets of personal data are held which can be manually accessed according to specific criteria.

      If you answer yes to either of these two scenarios then GDPR applies.

      Essentially if you process data you have to comply. Potentially the only circumstances in which you would be exempt would be if you did not keep any filing system or records at all for anything other than accounting purposes.

      However working as a landlord requires you to keep records of documents such as references, deposit protections details, credit checks and right to rent checks so in real terms the only way a landlord wouldn’t trigger it would be if they weren’t fulfilling these obligations, in simple terms, not doing their job.

      I hope this helps.

      • “However working as a landlord requires you to keep records of documents such as references, deposit protections details, credit checks and right to rent checks so in real terms the only way a landlord wouldn’t trigger it would be if they weren’t fulfilling these obligations, in simple terms, not doing their job.”

        I am a ‘landlord’ (I rent out my home while I’m overseas) but I do not keep or see any of the documents you list in the paragraph above – the property is managed by an agent. Am I still required to register with ICO?!

        • hi Sarah. If you hold no information about the people renting your home then you do not need to register. However if you do hold any information that would identify the tenant ie a name, mobile number or email address then you would need to register

  • I am a landlord but am not privy to detailed information about tenants – my property is managed by a letting agent who carries out the checks and references; I am simply told whether or not a prospective tenant has passed the relevant checks.

    If I still need to register, I will do so, but I am struggling to understand how this applies to me. For example, the need to ‘prepare a privacy notice to show to customers’. Is this relevant to me and, if so, who would I show the privacy notice to? The managing agent? And do I ask them to show it to any prospective tenants?

    • It depends what you mean by ‘detailed information’. If you hold even basic information that would identify a tenant (name/email address/mobile number) or if this information was shared with you electronically in the first instance you would need to register.
      I would also advise contacting your agent to get something in writing to confirm they are GDPR compliant.
      If you are holding even basic data you would need to provide the data subject (tenant) with a privacy notice explaining what data is being held and who you might need to share it with. If you would like any further guidance, then please contact the advice team on 03330 142998

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.