The days of a rent book and a handshake – being all was required to rent a property are a long distant memory. Even if you’re just a landlord with one property, there’s no getting away from compliance in today’s rental industry.
That’s not just a case of making sure appliances are safe, and you’re fully insured. Because landlords store information about their tenants then they must now be GDPR (​General Data Protection Regulations) compliant.
The EU regulations now in force were intended to tackle conglomerates such as Facebook’s use of personal data. But the legislation applies to every business and landlord. That’s why a rudimentary understanding of GDPR is essential. In this quick guide, we lay down all the need-to-know facts about GDPR.
GDPR background
Most people in the UK will have heard about Data Protection rules and regulations that govern how businesses access, use, store, and process personal information.
The GDPR came into effect on May 25, 2018, at which point it replaced the UK Data Protection Act of 1998. Regardless of what happens eventually with the UK and the EU following Brexit, the GDPR will be brought into UK law.
The legislation aims to improve and unify data protection for all EU citizens. As a result, the new rules will now apply to all businesses that handle customer data, which includes private landlords, like yourself.
The Information Commissioner’s Office (ICO) is in charge of GDPR in the UK.
What are the biggest changes?
The GDPR is primarily a way to update to data protection laws in an evolving digital world. It aims to give individuals back control over their data and is primarily a way to update data protection laws in an evolving digital world.
The legislation further extends the rights of the individual, and businesses will have to work harder to store data safely.
The individual now has the right to transfer and alter data as well as being forgotten. If a tenant asks, you must transfer, change, or delete their data.
What are the penalties for non-compliance?
If you breach GDPR rules, you could be fined up to 4% of your annual turnover or €20 million (whichever is highest). Assuming €20 million is higher than 4% of your annual turnover, such heavy penalties are not an option for most businesses.
Register with the ICO
When, as a landlord, you take the details of a tenant or prospective client, you act as a “data controller.
The ICO requires all businesses, including landlords, to register with them. To find out if there is a fee head to the official website and register now.
Collecting data
As a data controller, it’s essential you can prove you’re using personal data for one of these reasons:
Consent. When you’ve explained why you have their data and have their permission to use it for that reason. You must ensure that you only use the personal information for the purpose your tenant gave their permission. For example, a mobile phone number for emergencies explicitly cannot be used for any other reason.
If a prospective tenant is interested in a particular property, they must opt-in and give you permission to add them to a newsletter about all your properties. You must also not pass on data without permission to do so.
Contract. You may need data to complete a request. For example, you may need to carry out repairs and need a contact number.
Legal obligation. You may need to see your tenant’s passport and take a copy to confirm their’ right to rent’ eligibility.
Vital interests. You may need data to protect someone’s life.
Public task. You might need data for the public good. An example of this might be to remove a fallen tree that threatens passers-by.
Legitimate interests. You have a legitimate interest in protecting your property investment by taking a tenant’s details for insurance purposes. Your interests must always be considered against your tenant’s right to privacy.
Keeping data up-to-date
You must keep accessible data records. Do this physically and digitally so that if requested your tenants can:
- Request a copy of the information you hold
- Find the reason why you’re holding it
- Have the data deleted
- Stop you from using it
You can keep your records up-to-date by being organised. Make sure you delete previous tenant’s information periodically when you no longer need it, or it’s no longer accurate.
Keeping data secure
As a data controller, you are responsible for keeping data safely. In the event of a data breach, the ICO may ask you to prove how safe your systems are.
In terms of keeping data physically safe, you should ensure that you treat documents, hard drives, and USB sticks with data in a locked place. It can be a safe or drawer which is locked to prevent anyone other than you and any other data controllers gaining access.
When storing data digitally, it should be password-protected, backed up, and encrypted. If you store your tenant’s name and phone number on a mobile that should be password protected too. You should ensure that your WiFi network is also secure and password protected.
Where to get help and what to do if your store data is lost or stolen
If you have any questions or queries about data protection and the GDPR, then you can address them to the ICO. They have plenty of information available for landlords. You must also report any data breach due to loss or theft to the ICO and your tenants in 72 hours.
Good to know
You can register with the ICO at their official website in just a few minutes.
Landlord’s checklist: Important things to remember
- You must register with the ICO and pay any required fee.
- When collecting data, you must be able to prove that you are using it for one of many reasons. They are consent, contract, legal obligation, vital and legitimate interests, and public tasks.
- Keep data up-to-date by regularly deleting data from previous tenants, once you no longer need it.
- Keep data secure by making sure all your networks and devices are password protected.
- Keep physical documents and data held electronically on USB sticks or drives, securely locked away.
- You must contact the ICO and your tenants within 72 hours if data is lost or stolen.