Letting agencies deal with personal and sensitive information on an almost daily basis. Mismanaging that data and not complying with data protection rules can lead to hefty fines that run into thousands of pounds.
To help your agency stay compliant, we look at what to consider and how you can best protect your clients’ data.
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s an EU regulation that sets the standard for information privacy and how data should be managed. GDPR rules were adopted in the UK as part of the Data Protection Act 2018.
Does GDPR apply to letting agents?
Yes. Data protection laws apply to anyone that deals with someone else’s personal information.
Personal information is anything that can be used to identify a living person, for example, their address, phone number, or bank details.
What does data protection and GDPR mean for letting agents?
Under the law, any personal data you hold about tenants and landlords must be handled according to the rules. This means data should be:
- used fairly, lawfully, and transparently;
- collected for specified, explicit, and legitimate purposes;
- limited to what is needed and used in a way that’s adequate and relevant;
- accurate and, where necessary, kept up to date;
- stored only for as long as necessary;
- protected in a way that prevents illegal access, loss, destruction, or damage.
How can letting agencies comply with data protection laws?
Data protection can feel like a large task. However, the aim is simply to make people aware of how their data is being used, allow them to access the information you hold (if they want), and keep it secure.
You can do this by:
Creating a privacy notice
This tells tenants and landlords why you need their information and what you’re going to do with it. A typical example is using data to carry out tenant referencing checks.
If you’re liaising between tenants and landlords, you’ll usually need to share their information with each other. With that in mind, it’s a good idea to make this clear in your privacy policy to ensure you’re compliant.
Keeping personal data safe
All data should be kept secure. For paper copies, this means being locked away with access limited to just necessary members of staff. For digital data, you should consider encrypting or password-protecting files.
You should also reinforce the importance of securing data to your wider team. This includes being aware of cyber attacks and scammer tactics such as phishing. You can get cyber security advice from the National Cyber Security Centre.
Responding to information requests
Tenants and landlords are allowed to know what information you hold about them. They can also ask why it’s being used, who has access to it, and where the data came from.
If you’re asked for information, you must provide it and explain anything that might not be clear (for example, if you use codes or abbreviations). You’ll usually be expected to provide a hard copy of the information, but email is fine as long as the other person agrees.
Deleting certain data if requested
If a tenant or landlord asks you to delete personal data, you should, although in some cases you can refuse if you’re legally obliged to keep some information (for example, you must keep Right to Rent information for at least two years).
Similarly, you may need to keep tenants’ personal details to manage the tenancy or pass them on to contractors you hire to make repairs at the property.
Destroying data when it’s no longer needed
You should regularly review any data you keep and delete anything that you don’t need anymore, for example if a landlord sells their property and no longer needs you to manage it, or if a tenant moves away when their tenancy ends.
When can letting agents share information?
You can share information as long as it’s relevant and appropriate to do so. Remember to inform clients what information you will likely share and why in your privacy notice. For example:
- Providing utility companies with forwarding addresses for tenants who have left unpaid bills or are in credit.
- Sharing email addresses and phone numbers between tenants and landlords.
- Instructing a debt collection company if a tenant has left with unpaid rent.
- Giving tradespeople addresses, names, or telephone numbers of tenants so they can make an appointment to carry out repairs.
- Disclosing information when you’re legally obliged to (such as Right to Rent information).
What is the ICO?
ICO stands for Information Commissioner’s Office. The organisation protects information rights and promotes transparency. It also enforces the law, investigates breaches, deals with concerns, and offers guidance.
The ICO also has a register of all firms that process data.
Do landlords and letting agents need to register with the ICO?
In most cases, yes. Collecting or processing personal data means you’ll need to register with the ICO. There are exemptions, but these are very limited (for example, not-for-profit organisations are exempt, as is data compiled for the Electoral Roll). A full list of exemptions is available from the ICO.
If you’re not exempt, you’ll have to register with the ICO and pay a registration fee.
How much does it cost to register with the ICO?
There are three different costs depending on factors including how many employees you have and your turnover. Currently, costs are split into these three tiers and are charged annually:
- Tier one – micro-organisations with no more than ten employees or a maximum turnover of £632,000 in your financial year. The fee is £40.
- Tier two – small and medium organisations with no more than 250 employees or a maximum turnover of £36 million in your financial year. The fee is £60.
- Tier three – large organisations, covering everyone that doesn’t fall into tier one or two. The fee is £2,900.
What happens if you don’t register with the ICO?
If you don’t register with the ICO, you face a penalty of up to £4,000 (in addition to the fee you should have paid).
What are some common data protection issues in the housing sector?
The ICO lists several examples where data hasn’t been used or managed according to the rules. Common issues include:
- Sharing information when there is no need to (you can use this ICO checklist to help you work out what to share).
- Not sharing information when needed (for example not sharing an address with tradespeople, leading to delays and more damage).
- Not keeping accurate records.
- Sharing tenant information with landlords or vice versa, without permission.
What happens if you don’t comply with GDPR?
If you don’t comply with data protection laws, the ICO can take enforcement action, which could include:
- Carrying out an audit of your data processes;
- Asking you to provide more information as they investigate;
- Issuing fines.
How much can businesses be fined?
For very serious breaches, the ICO can fine organisations up to £17.5 million or 4% of their global turnover, whichever is higher.
While letting agencies are unlikely to be fined millions of pounds, non-compliance is taken seriously and can result in significant penalties.
Can tenants sue a landlord or letting agent for data breaches?
Yes. If tenants believe you or their landlord has breached their rights under the Data Protection Act 2018, they can:
- Make a complaint to you or their landlord;
- Report the breach to the ICO if it hasn’t been resolved to their satisfaction;
- Take legal action in court (they will need to prove they’ve suffered harm because of the breach).
What can letting agents do if a data breach occurs?
The ICO has some clear guidelines about what to do if a data breach has occurred:
- Identify what the breach is, how it happened, and who is involved.
- Try to contain the breach (for example, if an email has gone to the wrong person, you can ask them to delete it).
- Consider the risk; for example, if you’ve mixed up tenants and sent the wrong tenancy agreement, but it’s not been signed, you could just ask them to ignore it or delete it. In this case, the risk of harm to others is minimal.
- Let people know how to protect themselves if you think it’s necessary.
- Report the data breach to the ICO within 72 hours if you think you need to. The ICO has a self-assessment tool to help you decide whether you need to do this.
Is property data really considered personal data?
According to the ICO, any data that can be used to “make a decision about, or influence the status or behaviour of an individual” is considered personal data. Based on that definition, all the information you gather as part of the tenant referencing process counts as personal data.
How can insurance help?
Data protection law can seem complex but much of it comes down to being mindful of how you use and secure private information about other people. Using data appropriately and keeping it secure and for no longer than necessary means you’ll already have gone a long way towards compliance.
However, for extra peace of mind you can consider commercial insurance. Policies can include protection from cyber threats and other losses you could suffer in the course of everyday business. You’ll also be covered for legal expenses if a claim is made against you.
For more information about how we can support your business, speak to a member of the team on 01603 649727.
Information provided in this article was correct at the time of publication. This article is intended as a guide only. Please note that legislation does change; it is always best to check the most up to date guidance on gov.uk.