How the UK’s data protection laws impact letting agencies
The Data Protection Act 2018 (the UK’s implementation of the European Union’s GDPR) imposes a duty on everyone who handles other individuals’ personal data to follow certain data protection principles. Naturally, this includes letting agencies which store and process the data of tenants and landlords. Read on for an overview of the duties imposed on letting agencies and tips for how they can stay compliant.
What is personal data?
Personal data is any information which relates to an identifiable person (the data subject). This information can be anything from names, addresses, identity documents and numbers to Internet Protocol (IP) and email addresses, as long as they can be used to identify a particular person.
How should data be handled?
A letting agency will classify as a “data controller” because it determines the purpose and means of processing personal data. Thus, they have a duty to comply with GDPR requirements and to be able to demonstrate such compliance, or risk action taken against them by the Information Commissioner’s Office (ICO) or individuals. Here are some of these GDPR requirements.
The following seven principles must govern the collection, processing and storing of data:
- Data processing must be lawful, fair, and transparent to the data subject;
- Data must be processed for the legitimate purpose specified when it was collected;
- Only as much data as is absolutely necessary for the purpose specified must be collected and processed;
- Personal data must be accurate and up-to-date;
- Personal data must be stored for only as long as necessary for the specified purpose;
- Data must be processed in a way which ensures its security and integrity;
- The data controller is responsible for demonstrating compliance with these principles.
A letting agent’s lawful basis for collecting individuals’ data is likely to be: consent; fulfilment of a contract or legal obligation; or a legitimate interest i.e. where an individual’s data is used in ways they would reasonably expect it to be used.
What should letting agents do to stay compliant?
- Follow the aforementioned principles and be upfront with landlords and tenants about why they are collecting their data.
- Register with the ICO here and pay a data protection fee.
- If they have not already done so, delete all pre-GDPR personal data collected where the consents they received do not meet GDPR standards.
- Report suspected and actual data breaches to the ICO within 72 hours of becoming aware of them. They may also have to inform the data subject of the breach.
- Add clients’ data to their central Customer Relationship Management (CRM) system only when consent has been given. This means that people need to actively opt in to receive marketing communication from the agency.
- Get a Secure Sockets Layer (SSL) certificate for their website if any personal data is transferred over it to ensure security when visitors enter their details on the website.
- Draw up a data protection policy which should be sent to tenants and landlords. The policy should explain how the letting agent is complying with data privacy laws i.e. why data is being collected, how it will be used, if it will be shared with any third parties from time to time, the legal basis for its collection, and how long it will be stored for.
- When creating tenancy agreements, the letting agency should address data protection. Tenants must be notified of their statutory rights e.g. the right to request sight of any personal information of theirs held by the landlord/agent and the right to be forgotten (have all information held on them removed or deleted).
Legislate allows letting agents to create contracts which comply with relevant data protection and security laws. You can read how to create your first agreements in our tutorial and watch a short demo. If you would like to try Legislate, please book an introductory call.
The opinions on this page are for general information purposes only and do not constitute legal advice on which you should rely.