General Data Protection Regulation (GDPR) for Landlords
First, let’s understand what GDPR really is. In simple terms, GDPR is a set of standardised rules created by the European Union, aimed at guiding the handling and storage of personal information within the member states. The regulations apply to anyone or any organisation that’s controlling and processing sensitive personal data for EU citizens – and this applies even when the data controller or processor is based outside the EU. In a nutshell, the reasoning behind the establishment of the GDPR was to give citizens and residents control over their personal data under a simple regulatory framework for the EU, making the regulation easy and achievable.
Once the GDPR takes effect, it is expected that each member state will adopt the regulations and maybe make a few adjustments to the laws to suit their jurisdictions. In the UK, for instance, the GDPR regulations will replace the decades-old Data Protection Act of 1995. Even after Brexit, the UK Government did confirm that it will integrate the GDPR laws into the country’s laws. The task of upholding the laws and ensuring data privacy in the country was assigned to the Information Commissioner’s Office (ICO).
How do the GDPR laws affect landlords?
As you may know, landlords collect tenants’ information as part of the lease agreement. They also collect data on anyone they employ. This makes them data controllers, who have to ensure that the collected data is kept safe and secure. If they want to use the data, they must conform to the GDPR UK laws. In many situations, landlords employ contractors or third parties to run their businesses for them – which includes carrying out the letting and management on their behalf. In this case, evidence of compliance with GDPR from the contractor or third party will be required before any landlord hires their services. The evidence could include the following:
- Privacy policy
- Data management policy
- Data processing policy
- Privacy agreements
And if the landlord had already hired a contractor long before GDPR, he or she needs to check with the contractor and find out how they plan to ensure compliance in the near future. Moreover, GDPR requires a data controller to ensure that there is always a legal basis for processing data, and that this basis is always documented.
Also, GDPR requires every landlord to provide the tenants with Privacy Notices, which inform them about how their data will be used by the landlords. Some of the elements covered in the notice would include:
- The personal data to be protected
- How the data will be used
- The legal basis for data collection
- How long the data will be stored; and
- If there is any third-party processor with whom the data might be shared, then those details need to be included in the notice.
How does the landlord comply with GDPR?
Now that we have an idea of how GDPR affects landlords, how about we take a look at how they can ensure total compliance with the regulations? So, here is a detailed guide on how to ensure total compliance:
Registration – you see, even without GDPR, the fact that landlords collect, use, or delete tenants’ personal information means that they must be registered. So, this requirement wasn’t brought about by the GDPR, as it existed even under the previous data laws in the UK. The registration cost in the UK is about 35 pounds, and the process is quite easy.
Documentation of the processing activities – this is a major step when it comes to compliance with GDPR regulations. By documenting the processing activity, you will be able to establish what personal data you hold, with whom the data is shared, and also how long the data is held. You should also document whether or not the tenant was informed of the privacy policy. This will be good for future reference.
Lawful basis – yes, we have mentioned that data processing should only be done on a lawful basis under the GDPR regulations. But what exactly do we mean by this? When collecting or processing personal data in the United Kingdom, you are required to have a reason that’s well based on the law for your activity. You can’t just start collecting personal data for the sake of it, you know!
Now, under the GDPR, here are the main lawful bases for data processing for landlords:
- Legitimate interests – under this basis, the landlord may use their tenants’ data, but in a way that they would reasonably expect and that would have a minimal privacy impact, or in a situation where there is a compelling justification why the processing is necessary.
- Contractual fulfillment – under this basis, the landlord can use the tenants’ personal data when fulfilling a contract clause, such as passing the information to a contractor to carry out a few repairs in the property.
- Legal requirement – there are some instances where the landlords are legally required to process the data, such as in deposit prescribed information.
- Consent – even though this basis is not that common with landlords, it sometimes comes into play. For instance, when speaking to housing benefit, you will require consent from the tenants.
Privacy policies – as a landlord, you are always required to inform the tenants how you plan to use the data that you collect from them. The usual practice was to include clauses in the tenancy agreement allowing landlords to deal with consent and privacy. However, under the new GDPR laws, that’s no longer acceptable, as it wasn’t enough to guarantee the landlord’s full compliance with their legal obligation. Under the new GDPR law, anything that needs consent from the tenant needs to be in a separate document from the tenancy agreement. This allows consent, once given, to be easily withdrawn.
Existing tenancies – under the GDPR laws, there is no need to have a new tenancy agreement, given that the old agreements did have privacy notices which, though not as detailed as the notices under the new law, are sufficient to carry on for the remainder of the tenancy. But as new tenants take over, they will be issued with the new and more detailed privacy notices, meaning that the old ones will soon disappear. But if you really want to use the new tenancy privacy notice, you can send it to your existing tenants with a note stating that your policy for using their information has been updated. The key here is to make sure that the tenants are notified before making any changes.
How can I manage the tenants’ data more securely?
How and where you store data, and the method you use to store it, determine how safe the tenants’ data really is. Many landlords may get a bit confused or overwhelmed given all the data they sometimes have to deal with. And when you think of the consequences for violating the security of personal data, you want to know if there are ways you can store and manage the data more securely. Having said that, here are our top suggestions:
Make sure that anything that contains the tenants’ information is locked away in a safe and secure place. This includes things like hard drives, tenancy documents, USB memory sticks, and many more. You also have to limit access to this information.
Digital security and safety – for any information that you store digitally, make sure that you use strong passwords on all the devices that can be used to access it. It is equally important to make sure that you use a well-protected Wi-Fi network that has a strong password.
You also have to keep track of the tenants’ data. If there is data that you don’t need, be sure to permanently delete it. Don’t overwhelm your storage systems! Also, under the new GDPR rules, the tenant can actually request that you delete some of his or her data, and when that happens, you will have to delete it.
Mandatory grounds where you must disclose the tenants’ data
There are some situations that would require the landlord to disclose the tenants’ data, and he or she may not have a choice but to comply; failure to do so will lead to him or her facing legal action. For instance, if a third party were to make a request to the landlord under a mandatory legal ground, then the landlord won’t have a choice but to comply. However, he or she still has a right to seek legal help with regard to the matter before giving out the information. Or better yet, the landlord can ask the requestor for the legal basis on which they are requesting disclosure. Maybe get them to provide the relevant legislation they are relying on. Basically, you have to be sure that they are not conning you.
The second ground could be that if you were to receive a direct court order requiring you to disclose some information, then you don’t have a choice – you have to comply. Still, you can also seek legal advice on the matter.
Then we have a situation where the police request the landlord to disclose certain information about a particular tenant, or group of tenants. In such a case, the disclosure may be made at the landlord’s discretion, unless the police produce a court order – which then makes the disclosure mandatory. The case of the police requesting data is actually quite unique, given that it could be part of an investigation, or the police may be trying to prevent a crime from happening, or to apprehend and prosecute the offenders. In such a situation, even without the court order, the landlord may not want to stand in the way of justice and will have to give them what they are looking for. As a matter of fact, if you choose to disclose, you don’t need to inform the tenant of the disclosure since it might interfere with the police investigation. And the tenants would also not be able to exercise their access right to obtain the information that’s provided to the police, as it would prejudice the police investigation.
Even with that, the landlord has an option to apply for an exemption in such a case. However, he or she ought to weigh the violation of the tenant’s rights against the risk of prejudice to the investigation at hand. Remember, the tenant has no right to block, or object to, such processing. If you decide to disclose the data, make sure to document it.
Can a landlord be sued for breach of GDPR?
Absolutely yes! If a tenant felt that their rights as stipulated under the new GDPR laws have been breached or that they have been adversely affected by the use of their data, they can do one of the following:
- Complain to the letting agency or the landlord about the issue. Landlords do provide their tenants with a complaint avenue, in case they have an issue that they want to be addressed. So, the tenant can use this route to complain about the data breach.
- Complain to the Information Commissioner’s Office (ICO), and you may request that an investigation be carried out. However, you should note that complaints to the ICO should only be made if they were not resolved by the landlord.
- Issue court proceedings, but you will have to prove that the breach really did cause significant harm to you.
For an easier time, landlords should include in their policy agreements ways to deal with the tenants’ access requests, minimizing chances of breaches.
What are the consequences of non-compliance?
Non-compliance with the GDPR regulations attracts heavy penalties. The penalties vary based on the type of contravention, but the fines permitted go up to 20,000,000 euro, or 4 percent of the turnover – whichever is greater. And while it is highly unlikely for a landlord to get a multi-million euro fine, they sure do receive proportionate financial fines. That’s not all: as we mentioned earlier, when the landlord breaches the data laws, thereby affecting the tenants, any of the tenants may sue the landlord, and that would mean more penalties for him or her.
In conclusion, in light of the heightened data protection enforcement environment, which was introduced by GDPR, plus the duty of care entrusted to data controllers and owed to data subjects, it is very important that landlords are fully aware of their obligations. Also, when a landlord engages an agent or a third-party management company, they need to make sure that the agent or company also complies with the data protection law. Anyway, if in need of any clarifications, you can always get legal help.