Data protection is a hot topic these days, and ensuring that someone’s personal data is safely used and stored is very important for businesses. It is just as important for a landlord, even if they only have one property. As part of letting out a property, a landlord or agent will gather quite a bit of very personal data on a tenant, such as email address, home address, telephone number, date of birth, national insurance number, employer details and even salary details. All of this data falls under the remit of the General Data Protection Regulation (GDPR). Quite a few landlords feel that they are exempt as they don’t see themselves as a business. Renting a property might be a side job, just to earn some extra money or keep up the mortgage payments on a second property, but this does not create an exemption from the requirement to register with the Information Commissioner’s Office (ICO).
What is the Information Commissioner’s Office?
The Information Commissioner’s Office, or ICO, is an independent body set up by the Government to uphold information rights and data privacy. The ICO is a non-departmental public body sponsored by the Department for Digital, Culture, Media and Sport which reports directly to Parliament. The ICO is responsible for upholding compliance with the Data Protection Act 2018, the General Data Protection Regulation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland.
Does a Landlord need to register with the ICO?
According to the ICO website, a landlord will most likely need to register with the ICO, as they will almost certainly be processing personal data. The exceptions are a landlord who is registered as a not-for-profit organisation and complies with certain rules around data processing, or a landlord who delegates everything to do with the tenancy to an agent and only receives the rent and a monthly statement.
What is personal data?
Personal data is anything relating to a living individual, such as a name, bank account details, NI number, address, phone number, employer or work personnel number, amongst other things. The data can be in the public domain and still be classed as personal. If a person can be identified either directly from the information or indirectly in conjunction with other information, then it is personal.
How to register with the ICO
The process is pretty simple: any landlord who needs to register can go to the ICO website registration page and start a new registration. It will take about 15 minutes, and landlords will also need to pay a fee. The lowest fee starts at £40, or £35 if paid by direct debit, and goes to £2,900 for the largest organisations.
How to be compliant with GDPR
Compliance with GDPR isn’t that difficult and by following a few simple steps any landlord can prove compliance:
- Have a written privacy policy or statement stating what information will be collected and for what purpose; how long data will be stored; who the data controller is and information on the right to complain
- Only collect data that is absolutely necessary for the purposes of the business
- Ensure that consent is given to collect data
- Ensure that any data collected is stored securely and only accessible by authorised people
- Ensure that any data collected is only stored for as long as necessary and then securely destroyed
- Allow subject access requests from anyone whose data has been collected
- Correct any errors in someone’s personal data and also give individuals the right to be “forgotten”, i.e. have their data erased
- Audit collection, storage and deletion of personal data and communicate any breaches immediately
Penalties for non-compliance with GDPR
The ICO has the power to investigate any complaints of non-compliance with GDPR and can impose fines of £1,000 for each breach. If, however, someone does not then comply with an enforcement notice, an assessment notice or an information notice, the ICO can impose fines of up to £17.5 million for the most serious breaches. It is unlikely that any normal private landlord would be fined this much, but even £1,000 per breach is a significant sum.
Under the ICO guidance, a landlord, even with only one property, who processes any personal data in setting up a tenancy is required to register with the ICO. A failure to do so would be seen as a breach and could lead to a substantial fine. Given the low cost of the fee, it really isn’t worth taking a chance and not registering.