The introduction of the EU-wide General Data Protection Regulation (GDPR) legislation requires landlords to process tenants’ personal data more rigorously and securely than many of us are used to.

Let’s start with the obvious: GDPR wasn’t designed with private landlords or people with second homes in mind. It was drafted to tackle some of the more egregious uses of personal data by tech giants.

Nevertheless, the legislation applies to all of us and it’s important to have a basic understanding of how and why.

GDPR is an opportunity and an incentive for all of us to implement strategies that make our operation as a whole more professional, effective and secure.

What constitutes personal data and do I process it?

With measures such as tenant referencing, it’s impossible to be a diligent, compliant landlord and not process some personal data, particularly if you self-manage. There’s a tendency to think of data as computer or cloud-based, and much of it is these days. But a filofax or ledger with tenants’ names, numbers and email addresses, dates of birth, and bank details, is just as relevant under GDPR. So too are digital scans or printouts of tenants’ IDs such as passports.

How can I handle data more securely?

There are some basic things each of us can do to make sure we comply with GDPR without creating masses of extra work for ourselves.

+ Ensure its physical safety. Keep tenants’ information in a locked cabinet or safe. This applies equally to paper copies, hard drives, USB sticks and anything else that carries personal data.

+ Ensure its digital safety. Password protect your mobile phones, computers and other devices. Be certain that your WiFi network is password protected and secure. Consider using a separate network for your business and home usage.

+ Be organised. Keep track of each tenant’s data and permanently delete anything you don’t need. Under GDPR a former tenant can ask you to delete all the information you have about them – so be diligent and make sure you can do so quickly and easily.

What does opting-in mean?

We need to always be clear about the legitimate reasons we hold or process any personal information. One of the significant grounds on which we can justify this is consent. The fact that a tenant has agreed to you recording and using their information is reasonable justification for you to, for example, save their contact information on your mobile phone so that you can contact them in an emergency.

Under GDPR, however, consent needs to be explicit – if you are relying on consent as a basis for holding someone’s personal information, you need to have a record of their ‘opt-in’ to that purpose.

In our example above, just because a tenant has said that you can contact them in an emergency, this does not mean they have agreed to you doing anything else with their details. You would need to be able to show that your tenant also gave you permission to contact them and invite them to social events, and most certainly if you want to pass their information on to anyone else.

However, consent is not the only grounds you can have for processing someone’s information.

For example, if you are in a business relationship with someone, you can process their information in order to maintain that relationship. So, it is reasonable for landlords to contact existing tenants about their tenancy, or previous tenants about matters regarding their tenancy, for example the return of any deposit. It is also reasonable to record someone’s information if they have asked to rent a property from you: you need their details in order to do what they have asked you to do. You would, however, need to be clear with them if you were going to do a background check and pass their information on to someone else as part of that process: This would require clear consent.

Whatever you do, under GDPR you need to bear in mind that you should only be doing things with people’s information that they would reasonably expect you to be doing. Take time to think about what you are doing with their information in the context of the reason they gave it to you. 

You can read our updated privacy policy in full here.  These are the key points.

  • We collect your data, such as name, email address, tenant names, tenant email, and details regarding transactions and bank details mostly related to your tenancy agreement and to send you our email newsletter and any emails which may affect you and your property.
  • We will never share your information without your explicit permission.
  • We honour your right to privacy and will comply should you wish to have your data removed from our systems.

We thank you for your continued support.  There is no action required on your part.  If you have any questions or needs, please contact us at any time