What every landlord should know about GDPR
The days of renting a property with nothing more than a rent book and a handshake are long gone. Even if you manage just one rental, compliance is now a core part of being a landlord.
It’s not only about safety checks or insurance. Because landlords collect and store personal information about their tenants, they must comply with UK GDPR and data-protection rules.
Although these regulations were originally designed to address how major organisations handle personal data, they apply to every business—landlords included. That’s why understanding the basics of UK GDPR is essential. In this quick guide, we break down everything landlords need to know.
GDPR background
Most people in the UK are familiar with data-protection rules that govern how organisations collect, use, store, and process personal information. In 2018, the EU’s GDPR came into force, and the UK subsequently adopted its own version—UK GDPR, alongside the Data Protection Act 2018.
Today, these rules apply to any business or individual handling personal data, including private landlords. The aim is to ensure stronger, clearer, and more consistent protection for people’s information, no matter the size of the organisation managing it.
In the UK, the Information Commissioner’s Office (ICO) oversees and enforces data-protection compliance.
What are the biggest changes?
The GDPR is primarily a way to update to data protection laws in an evolving digital world. It aims to give individuals back control over their data and is primarily a way to update data protection laws in an evolving digital world.
The legislation further extends the rights of the individual, and businesses will have to work harder to store data safely.
The individual now has the right to transfer and alter data as well as being forgotten. If a tenant asks, you must transfer, change, or delete their data.
What are the penalties for non-compliance?
If you breach GDPR rules, you could be fined up to 4% of your annual turnover or €20 million (whichever is highest). Assuming €20 million is higher than 4% of your annual turnover, such heavy penalties are not an option for most businesses.
Register with the ICO
When, as a landlord, you take the details of a tenant or prospective client, you act as a “data controller.
The ICO requires all businesses, including landlords, to register with them. To find out if there is a fee head to the official website and register now.
Collecting data
As a data controller, it’s essential you can prove you’re using personal data for one of these reasons:
Consent. When you’ve explained why you have their data and have their permission to use it for that reason. You must ensure that you only use the personal information for the purpose your tenant gave their permission. For example, a mobile phone number for emergencies explicitly cannot be used for any other reason.
If a prospective tenant is interested in a particular property, they must opt-in and give you permission to add them to a newsletter about all your properties. You must also not pass on data without permission to do so.
Contract. You may need data to complete a request. For example, you may need to carry out repairs and need a contact number.
Legal obligation. You may need to see your tenant’s passport and take a copy to confirm their’ right to rent’ eligibility.
Vital interests. You may need data to protect someone’s life.
Public task. You might need data for the public good. An example of this might be to remove a fallen tree that threatens passers-by.
Legitimate interests. You have a legitimate interest in protecting your property investment by taking a tenant’s details for insurance purposes. Your interests must always be considered against your tenant’s right to privacy.
Keeping data up-to-date
You must keep accessible data records. Do this physically and digitally so that if requested your tenants can:
- Request a copy of the information you hold
- Find the reason why you’re holding it
- Have the data deleted
- Stop you from using it
You can keep your records up-to-date by being organised. Make sure you delete previous tenant’s information periodically when you no longer need it, or it’s no longer accurate.
Keeping data secure
As a data controller, you are responsible for keeping data safely. In the event of a data breach, the ICO may ask you to prove how safe your systems are.
In terms of keeping data physically safe, you should ensure that you treat documents, hard drives, and USB sticks with data in a locked place. It can be a safe or drawer which is locked to prevent anyone other than you and any other data controllers gaining access.
When storing data digitally, it should be password-protected, backed up, and encrypted. If you store your tenant’s name and phone number on a mobile that should be password protected too. You should ensure that your WiFi network is also secure and password protected.
What to do if your store data is lost or stolen
If you have any questions or queries about data protection and the GDPR, then you can address them to the ICO. They have plenty of information available for landlords. You must also report any data breach due to loss or theft to the ICO and your tenants in 72 hours.
Good to know
You can register with the ICO at their official website in just a few minutes.
FAQs
Do landlords need to comply with GDPR when managing tenant information?
Yes. Landlords collect personal data such as names, addresses, references, and bank details, so GDPR applies. You must handle this data lawfully, keep it secure, and only store it for as long as necessary. Tenants have the right to access, correct, or request deletion of their data.
What personal data can a landlord legally collect from tenants?
You can collect only information that’s necessary for tenancy management—identity details, contact information, references, right-to-rent checks, and payment details. Collecting unnecessary or excessive data breaches GDPR principles. Always inform tenants why you’re collecting the data and how it will be used.
How should landlords store and protect tenant data under GDPR?
Store data securely—password-protected devices, encrypted files, and limited access. Avoid sending sensitive documents through unsecured emails. Dispose of old data safely once it’s no longer needed. If you use digital tools or software, ensure they meet GDPR compliance standards.
GDPR: Things to remember
- You must register with the ICO and pay any required fee.
- When collecting data, you must be able to prove that you are using it for one of many reasons. They are consent, contract, legal obligation, vital and legitimate interests, and public tasks.
- Keep data up-to-date by regularly deleting data from previous tenants, once you no longer need it.
- Keep data secure by making sure all your networks and devices are password protected.
- Keep physical documents and data held electronically on USB sticks or drives, securely locked away.
- You must contact the ICO and your tenants within 72 hours if data is lost or stolen.
