The impact of GDPR on Landlords and Letting Agents

The General Data Protection Regulation is a new set of guidelines for the collection and processing of personal information of individuals that comes into force on 25th May, but what does it mean for the lettings industry?

GDPR applies to anyone that holds or processes any personal data, from large letting agents with a huge customer base to an independent landlord letting a single property. So what are the main steps you should take in becoming GDPR compliant?

1. Register with the Information Commissioner's Office

The ICO is the UK's independent body set up to uphold information rights. Everyone who holds and processes data electronically needs to be registered.

2. Document all the specific types of data that you hold

  • As a landlord you will hold personal details about your tenants.
  • As a letting agent you will hold personal details about your landlords and their tenants as well as personal information on your employees.
  • You may also have a marketing database or mailing list.

Part of GDPR is not keeping data longer than is necessary. While in the process of documenting your data you should ask yourself whether it is necessary for you to keep it.

3. Document the locations in which this data is stored

It's likely that you hold this data in multiple places, for example:

  • CRM software
  • Letting/property management software
  • Email software
  • Accounting software
  • Local documents on computers
  • Physical documents and records

4. Check that these data storage locations are GDPR compliant

If the data is held online then it needs to be within a secure site protected with a strong password. The systems that you use must apply levels of security to protect this data, including encryption. You should check with the services you are using to ensure they are GDPR compliant.

5. Ensure that you have permission from people to process and use their data the way you are using it

For example, if a tenant applies to rent a property, it doesn't give you the right to send them marketing emails; they must opt in to receive your communications. You should email all your customers asking them if they are happy for you to continue to use their information, and have a process to provide them with a full extract of all data you hold on them and to remove their data if they request it.

6. If you have a website, you need a privacy policy

This should detail what data you collect, how it is used and if it is shared with any 3rd parties. You should also detail your unsubscribe procedure.

7. Ensure all staff are trained on the best practices of data protection and privacy

8. Ensure all 3rd parties that you share customer data with are GDPR compliant

For example: contractors, inventory clerks, referencing companies. Anyone that you send customer data to must be GDPR compliant in how they handle your data; if they are not, you're not.

For more information on GDPR visit the General Data Protection Regulation Website.