New General Data Protection Regulation (GDPR) – what you need to know

From 25th May this year, data protection legislation is changing, which will affect the way landlords and agents can collect and hold tenants’ personal information. The new GDPR is being introduced EU-wide and the Government has confirmed it will remain in force, even after we leave the EU.

What is GDPR?

The legislation requires landlords and agents to process tenants’ personal data more rigorously and securely than at present. Significantly, you will need to obtain explicit consent from tenants to hold and use their personal information - things such as email addresses, dates of birth, phone numbers, passport and visa scans, and bank details - in certain specific circumstances.

You will have to provide your tenants with clear information about what you want to do with their data, and why, and get your tenant’s signature to confirm they are happy with that. For example, if you are using a credit-checking agency as part of the referencing process, you will have to inform your prospective tenants:

  • exactly what personal information you need
  • which agency you intend to pass that information on to
  • that it is for the purposes of checking whether they have ever been bankrupt or had a CCJ.

It’s also important to be aware that anyone can withdraw their consent at any time. In this example, if they decided to withdraw their consent, you would have to inform the credit-checking agency so that they could delete the tenant’s personal information at their end.

If a managing agent is looking after your properties, they should take care of everything, but you need to check they are abiding by the law. If you self-manage, it’s vital that you know and understand your responsibilities under this new legislation.

What steps you should take now

  1. If you use a managing agent, ask them to confirm in writing to you that they are – or will be - fully compliant with GDPR. If they organise the let, but you then manage it, you will need to liaise with them to confirm who holds what data and ensure that the tenant has (a) been properly informed and (b) given their explicit consent.
  2. If you hold any data, organise an audit. Document what personal data you hold, where it came from and who you share it with. If you still hold information belonging to ex-tenants, it should be destroyed – all except for passport copies, which must be kept for 12 months after the tenant leaves, by law.
  3. If the current consents you have from tenants don’t meet the new criteria, you will have to refresh them – i.e. go back to your tenants with documentation that states exactly

           (a)  what data you have of theirs, and why

           (b)  where it’s held

           (c) who else holds it and why

and have your tenants sign to say they agree to that.

  4. Appoint someone (which could be yourself) as a ‘data controller’, who will take control of and responsibility for the security of tenants’ information.
  5. Make sure everything is properly filed, signed and dated.

If the security of tenants’ personal information is compromised – such as if somebody were to steal hard copies or hack into any emails or files where the data is stored - you must let the tenants know and report it to the Information Commissioner’s Office (ICO) within 72 hours, which you can do via their website.

Five top tips for ensuring data is secure:

  1. Store data in as few different places as possible, i.e. do you need both a hard and a digital copy?
  2. Keep hard copies and USB sticks with digital information in a locked cabinet or safe.
  3. Ensure your WiFi network and all devices are password protected.
  4. Store tenants’ data digitally, within an EU cloud-based service, as that passes the responsibility of keeping the data secure to the provider. The security is also likely to be stronger than in a home office, for example. (The cloud storage must be in the EU, unless the tenant has agreed to their data being stored outside.)
  5. Permanently delete any data you no longer need. Under GDPR, a former tenant can ask you to delete all the information you have about them, at any time.

More detailed information and guidance is available from the ICO.

 This information has been provided by our partner Mortgage Advice Bureau. For more information relating to Mortgages or for Mortgage Advice please visit Mortgage Advice Bureau.
