What you must know about collecting, storing, and using tenant data
If you’re a landlord (or letting agent), you probably obtain a good deal of information about your tenants, and you probably store it digitally. Up to now, how that information is defined, and how you should store and protect it, has been governed by the UK Data Protection Act 1998 (DPA). That is changing.
From May 25th 2018, the UK will adopt the General Data Protection Regulation (GDPR). It goes further and deeper than the DPA. If you’re not prepared, you could face hefty fines and worse.
In this article, you’ll learn what the GDPR means to you as a buy-to-let landlord in the UK.
Which landlords does the GDPR affect?
There’s a popular misconception that the GDPR won’t affect landlords who only own one or two properties. Not true. No matter how many properties you let, if you collect any data about your tenants, then you must comply with GDPR.
What if you don’t comply with GDPR?
If you don’t comply with GDPR, the fines you could be hit with could cripple you.
Large companies could be fined up to £20 million. You probably aren’t quite in this league, but you could still be fined up to 4% of your turnover. Put another way, that’s like slapping you with around a month’s void period – a costly mistake.
What do the new GDPR rules mean to buy-to-let landlords?
The data you collect about your tenants can only be used for the purpose it was provided. For example, a tenant gives you information because he or she wants to rent a home from you. Holding this data doesn’t give you the right to mail the tenant with an unrelated offer.
All this is perhaps not hugely significant for landlords, provided they do not hang on to data for too long. However, it is going to be very significant for agents who may no longer be able to rely on, for example, purchased mailing lists.
What is ‘data’?
There are two types of data defined by GDPR: personal data and sensitive personal data.
Examples of personal data:
Personal data is information that identifies someone: details such as name, age, address, and so on.
Examples of sensitive personal data:
Sensitive personal data includes details that tell you something about the person. Such information may include:
- Trade union membership
- Sexual preferences
- Criminal records
Think about the information you collect about tenants, and you’ll understand that much comes under the heading of sensitive personal data. For example:
- Ethnic origin
- Work and personal references
- Credit checks and salary details
- Passport and driver licence numbers
Can landlords hold this data?
Of course, it’s necessary to hold this data. However, GDPR is clear about how you hold the data and how it can be used. You can only retain the data for the purpose it was given, and you can only use it for that purpose. For example, these types of activity would be deemed to be illegal:
- Posting data held on social media or other forums
- Losing it because of computer hacking or leaving stored data/laptops on a train
You must protect all personal data with appropriate measures. These include having the systems, processes, and technical safeguards in place.
More importantly, as a landlord you MUST be registered with the ICO (Information Commissioner’s Office); this requires a payment.
At Ezytrac, to work around GDPR and the need to be registered, we don’t pass on Personally Identifiable Data to you. This saves the hassle, and it also means that you are protected from any claims of discrimination. At first it may seem like it’s your info, but the law is clear about being registered, and the ICO (I made 8 calls) is clear about being registered.
How long can you hold personal information about a tenant?
If a tenant moves on or asks you to delete information about him or her, you may still retain that information, providing you have a legitimate reason to do so.
For example, as a buy-to-let landlord, you may keep tenants’ details and information about the tenancy for up to six years – the time during which a tenant could sue you. If you were obligated by law to destroy the tenant’s information upon request, you might be destroying evidence that supports your defence in court.
Can you ask to see tenant references given to agents?
You can, of course, ask anything of your letting agent or property manager. You are also entitled to see tenant references given to letting agents. They are, however, only allowed to show you these if the tenant has agreed to this. This still requires you to be registered with the ICO and pay your annual fee.
Do you have to share your tenants’ personal data?
Assuming you are registered, you and your agent must keep data you hold on tenants (and others) safe and secure so that others cannot steal it or access it. You and your agent must only use that data for the purposes it was collected. However, what if you want access to data about tenants, or others want access to your data? There are certain circumstances in which you might be asked to supply information. These are detailed in sections 29 and 35 of GDPR and include if the information is needed to:
- Prevent a crime
- Apprehend offenders
- Assess or collect tax
- Aid legal proceedings
- Help to get legal advice
A word of warning here: even though the new laws allow for such disclosures of information, it should only be given if not disclosing the information might prejudice any of the above purposes. You are unlikely to know this, and so you should always seek advice before accepting requests for information about any of your tenants. This matters all the more because if you refuse to provide such information, and that refusal is deemed wrong, you could be breaking the law!
Summarising the scope of GDPR
The full text of GDPR contains 99 articles and runs for 88 pages. You should seek advice to ensure that your systems and processes are compliant with it. However, as a summary, the following eight points are most relevant to buy-to-let landlords:
- Personal data must be processed fairly and lawfully.
- Personal data may only be collected for specific and lawful purposes.
- Personal data may only be used for its intended lawful purpose.
- Personal data collected should only be what is necessary for the purpose to be carried out.
- Personal data should be kept up to date and accurate.
- Personal data should not be kept for any longer than necessary for its intended purpose.
- Personal data must not be transferred or communicated outside of Europe unless the country to which it is being transferred is deemed to have equally adequate protections regarding personal data.
- Anyone who collects personal data must have adequate and appropriate technical safeguards, systems, and processes in place to guard against unauthorised or illegal processing of personal data, including safeguards against its loss or destruction.
Are you prepared for GDPR?
Don’t think that the government will make a U-turn on GDPR because of Brexit. It isn’t going to happen. GDPR is coming into force from 25th May 2018. Period. To be prepared, you should:
- Make sure that all personal data you currently hold is accurate and up to date
- Make sure that you have the ‘opted in’ agreements of all those about whom you hold personal data
- Review the personal data you currently hold, and ensure that you aren’t retaining information inappropriately
- Make sure that if you are using a letting agent or property manager that their systems and processes are adequate to comply with GDPR and that if needed, they delete data that you no longer require to be held by them
If you hold a lot of personal data, you may wish to carry out a Privacy Impact Assessment, under the guidelines set by the Information Commissioner’s Office – the body in charge of ensuring compliance with GDPR.