As a landlord you have many responsibilities. But one responsibility you might not be aware of is your data protection responsibility. In this post we will look at data protection for landlords, and the all important GDPR and ICO.
What is data protection?
Data protection is the process of safeguarding information, particularly personal information, from unlawful or unauthorised processing, access, loss, destruction or damage.
The concept of data protection has been around for decades but is more relevant than ever today as more information is stored digitally and so is much more liable to be misused.
Data protection and being a landlord
While data protection may not appear to be a big issue for landlords it is actually a significant issue with serious legal implications.
Any information about a living individual which can identify them is considered to be personal data, and as a landlord you are likely to hold a significant amount. This could be relating to tenants, those who enquire about or apply for a tenancy, referees or guarantors, employees, casual staff, suppliers including letting agents and tradespeople, business contacts or perhaps investors.
Data protection is especially relevant when it comes to tenants: The personal information you hold about tenants is likely to include their name, address, age, employment details, financial details, identity documents, details of family members and more.
If you collect, store and use personal data whether digitally on a computer, website or phone app – or even with an organised paper filing system – you are what is known in law as a data controller.
What is the GDPR?
The General Data Protection Regulation – or the General Data Protection Regulation (EU) 2016/679 (GDPR) to use its full name – is an EU law which covers data protection and privacy and which aims to give individuals control over their personal information.
The GDPR establishes a standardised framework for data protection across EU and EEA countries and controls how data can be transferred outside the EU.
The GDPR exists in UK law by way of the Data Protection Act (DPA) 2018 which builds on the earlier Data Protection Act 1998.
If you are a landlord who collects information about individuals for any reason other than your own personal, family or household purposes you are subject to the GDPR. This applies whether you are an individual landlord or operate through a limited company or other business format.
The GDPR and Brexit: Although GDPR is an EU law it is also UK law so still applies after Brexit, although there may be some small changes in the future depending on the UK’s future relationship with the EU.
What Is The ICO?
The ICO or Information Commissioner’s Office is the official body which regulates data protection in the UK. The ICO offers guidance, monitors compliance with the law and takes enforcement action against those who breach data protection laws, considers complaints and operates a register of data controllers and data processors.
This short questionnaire will help you decide if you need to register as a data controller with the ICO: Does data protection law apply to my business?
The seven key principles of data protection practice
The GDPR sets out seven key principles of data protection practice. These are:
- Fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
The data protection responsibilities of landlords
Here are some ways in which you can meet your data protection responsibilities as a landlord:
Be aware of the GDPR and how you should comply with it.
Know what personal information you keep and why you need to keep it.
Only keep what personal information is really necessary and only keep it for as long as is necessary.
Make sure the information you keep is accurate.
Use a privacy notice which informs tenants and others what information you keep about them and why.
Provide tenants and others with a copy of the personal information you have about them if they request it. And, in certain circumstances, correct or remove that information if they ask you to do so.
Keep your data secure. This might include keeping computers and phones secure, and ensuring data is password protected or encrypted.
Under GDPR there are also restrictions on transferring data outside the EU/EEA. So, for example, storing data on cloud services based in the US could put you in breach of your data protection responsibilities.
Register with the ICO if you are required to do so.
Here’s a useful blog post which explains how to register as a data controller with the ICO. Signing Up With The ICO: A Guide For Landlords
How PaTMa helps landlords meet their data protection responsibilities
PaTMa’s Property Manager software has been designed to help landlords with their data handling responsibilities from the ground up. Security is always taken seriously in both design and practice, personal information is encrypted and all data uploaded to PaTMa remains in the UK.
PaTMa is registered as a data processor with the ICO for entered information. However, landlords must still be registered with the ICO as data controllers.
For more information about the work of the Information Commissioner’s Office (ICO) see the ICO website here.
For a more detailed Guide to the General Data Protection Regulation (GDPR) see here.