As a private landlord, you control the personal data of an EU resident (like your tenant). Under the General Data Protection Regulations (GDPR), this makes you a “data controller”, and means you have a set of legal responsibilities surrounding the data you control.
You’re obliged to consider the data you’re holding, and make decisions as to the best, safest way to hold and process it. As part of this, you are legally required to register with the Information Commissioners Office (ICO).
Breaching GDPR can lead to a fine of up to €20 million – over £17 million!
The Legislation
GDPR came into effect in May 2018. The regulations were intended to give people greater control of their personal data, requiring organisations and businesses to be accountable and transparent for the processing of that data. It places emphasis on gaining consent for collecting data.
It applies to businesses, organisations, and governments within the EU, and those outside the EU who process the data of EU residents. Although the UK is leaving the EU, no plans have been announced to renounce this data protection law as of yet.
ICO is the supervisory authority responsible for data protection.
A private landlord is classed as a business for data protection purposes, and thus must comply with GDPR, and with ICO as its governing body.
Personally Identifiable Information
The updated data protection law relates to personally identifiable information. – known as “personal data”. This information includes things like names, bank details, right to rent documents, an email address, and even location data (such as an IP address), which is considered sensitive and can be related back to a person.
For example, the salary information of a prospective tenant along with their name would be classed as personally identifiable (personal) data. The fact that a tenant is looking for a property in Swansea may not be personal data.
As a landlord, you are likely to be holding personal data for not only your tenants, but your agent (if personally named), previous tenants, and enquirers, and contractors.
Data Controllers and Data Processors
With the legislation, two roles are identified: the controller and the processor.
The controller determines the purpose for which personal data is processed and how, therefore making decisions. As a landlord, you are a data controller.
The processor is someone the controller shares data with for the purpose of enabling them to carry out the controller’s instructions. They are limited in scope to those instructions, and must not process the data any further.
Controllers will need to have data processing agreements in place with their processors to make clear what they can and cannot do with the the data shared.
Controllers will also need to provide privacy notices to the person they hold data for (your tenant) to make clear to them how you will store their data, and how it will be processed going forward.
Processing is collecting, recording, storing, retrieving, using, erasing, and the destruction or loss of data.
If the processor breaches GDPR, they will be held legally liable. Not providing the processor with the correct limits could be seen as a breach too, however.
Lawful Bases for Processing
There are 6 lawful bases for processing data:
- Contractual Fulfillment. For example, a landlord provides their tenants’ contact details to a carpenter in order for the carpenter to arrange to repair the kitchen cupboard door. The landlord has a contractual obligation to repair the property, so this data is processed to fulfill that contract. Ideally, a tenant should be advised that their details will be shared with relevant contractors for the sole purpose of them arranging access for repairs in the privacy notice.
- Legitimate Interest. For example, a landlord uses the data a tenant has provided to reference them in order to ensure they are financially suitable to take on the responsibility of renting the property. If you’re using legitimate interest as a lawful basis, you must identify what that interest is, and ask yourself “am I using this personal data in a way in which the tenant might reasonably have expected when they gave me the data?”
- Consent. If none of the other bases apply, consent may be required to process data. It’s key that consent, once given, can easily be revoked by the data subject.
- Compliance with the Law. As it’s a legal requirement for a landlord to provide the tenant’s contact information to a deposit protection scheme in order to comply with the Housing Act 2004, this data can be shared with “compliance with the law” as the basis for doing so.
- Protecting Vital Interests. This would only really come into effect if there was a life or death situation. It must be in the vital interest of the data subject (and not the data controller or business). This is not likely to be relied upon much in the Private Rented Sector.
- Public Interest or Official Function. For example, if a landlord discovers a tenant is supplying illegal drugs from the property, they can inform the Police and provide the personal data requested relating to the tenant as it is not in the public interest for this data to be withheld.
Am I Achieving GDPR Compliance?
The first step towards achieving GDPR compliance is to conduct a thorough data audit (sometimes known as an Information Asset Register). You need to determine what data you hold, who is collecting it, how it is collected, why, the lawful basis for processing, who it will be shared with, how it is stored, and when it will be deleted/destroyed.
Registering with ICO
As mentioned, ICO are the governing body for data protection, and private landlords need to be registered with them as they are involved in protecting data.
There is a charge for registering which is dependent on your business size and turnover.
Tenancy Health Check
If you are unsure about any of the legislation affecting you as a landlord in Wales, please don’t worry; book your property/portfolio booked in for a free tenancy health check today and start making changes to ensure your interests are protected and your liabilities met.
Click here to book, and I’ll give you a call to discuss.
Want to discuss these changes, and other concerns you have as a landlord with other Swansea landlords? Join our Swansea Landlord Circle Facebook Group.
Source: Training for Professionals
