In a previous post, we discussed the details of GDPR and consumer data protection. It’s less than two months away now. As discussed in that article, it certainly applies to landlords no matter how much property you own and whether you’re a one-person band or have set up a holding company. This is how you make sure you’re GDPR compliant by May.
Note: it’s been a voluntary arrangement for two years but in May it becomes law. Most organisations have been compliant since plans were announced.
Obtaining Consent and a Withdrawal of Consent Process
As a landlord, you need to collect personal information about your tenants. For obvious reasons, you need proof of their student status, name and address details for outside of term time and proof of their Right to Rent. This is sensitive identifying data and therefore subject to GDPR. Therefore, it is the landlord’s responsibility to obtain explicit consent to collect that information from them and store it. Passive consent is no longer appropriate, and consent can no longer be assumed.
The best way to do this is to insert a clause or a tick box on a contract for the students to actively consent. There also needs to be a clause and a clear method for the student tenants (usually after they are no longer a tenant) to withdraw that consent should they so desire.
Collect Only Necessary Information
Landlords are in a position, like many businesses, of needing this data. It’s vital that you collect only the information deemed necessary to the contract (already discussed). In the general population, landlords are permitted to collect information concerning employment and benefit income. Naturally, that doesn’t apply to students. From May, higher penalties will apply to any business that fails to tighten up their data collection and retention.
Retaining Information
Landlords need to retain this information for a set time for tax purposes but what constitutes a “reasonable amount of time” to keep personal data has not always been clear. Even if a past tenant has not explicitly requested their Right to be Forgotten, you are obliged to destroy that data after a reasonable period of time. Six years is typical and permissible under GDPR because that length of time is required for tax purposes.
You will not, however, be able to use that information for other parts of your business. If you want or need to, you must seek extra consent.
How To Protect Tenant Data
Landlords will also need to become a “Data Controller” under GDPR. Even if you’ve complied with data protection (by storing hard copies in a secure place or digital files securely such as Cloud or an electronic device that requires password access), it’s your responsibility to ensure any third parties with which you work in conjunction with your tenant(s) also complies.