Record Keeping and Data Protection (GDPR)

Landlords or agents must have a sound system of record keeping.

You should keep a file for a property, and then each time a new agreement is given to a new occupier, you should place a new file into the property file. You could keep the same structure for computer storage.

Under the UK General Data Protection Regulations, landlords will, in almost every situation, be required to register with the Information Commissioner's Office (ICO) as a data controller. Registration is required if personal information is processed on an electronic device, including mobile phones, tablets and computers. Processing includes: storing, using and deleting information, and registration is straightforward and inexpensive.

To complete registration, visit the ICO website, where there is a quick and straightforward self-assessment tool which establishes in a few easy steps if a fee is payable - https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/

The UK General Data Protection Regulations significantly alter how data controllers must operate. Firstly, if the processing is based on consent, consent to process data must be "opt-in", not "opt-out". This means they have to undertake some specific action to choose to allow their data to be processed. Secondly, consent is not the only lawful basis for processing data. Four relevant lawful bases are likely to affect lettings: Consent Fulfilment of a contract Compliance with the law and legitimate interests of the data controller Of these, contractual fulfilment and compliance with the law are the most common basis of processing.

The new rules give more rights to the individual, including:

  • the right to be informed about what you will do with data (privacy notices),
  • the right to access their information (you can now charge no fee),
  • the right to have errors corrected,
  • the right to have their data erased (in some circumstances) and
  • some rights to restrict the reasons you can process their data.

The first step in compliance is to understand what data you hold and on what basis you process it. Arranging a plumber for a repair may fall under the lawful ground of processing contract fulfilment and may not, therefore, need the tenant's consent. However, suppose you want to send a surveyor to value the property. In that case, this is not likely to be "contractual", so giving out the tenant's information would have to be based on another basis of processing, perhaps either the landlord's legitimate interest or consent.

Note that if the data controller provides the data to a third party, then a record must be made of this so that if the data is later updated, you know to whom the data was given and pass on the correct updated data. It would help if you also made sure any third party will be handling the data following UK GDPR and what they are and are not allowed to do with the data. This is referred to as a data processing agreement.

Many people store copies of agreements on their computers or in the 'cloud'. Ensure any format they are being held in will still exist in many years, if you need it in 20 years. Note, UK GDPR would make it an offence to store the data for 20 years without a valid reason for keeping it that long. Although average lets are around 18 months, it is not unusual to see an occupier stay in a property for 10 - 20 years. If you need the agreement for possession in 15 years, could you still open it? Is the cloud provider you were using still in business then? It is always best to have a paper copy of essential things such as agreements.

Although there are no guarantees, suitable formats that should survive include PDF or JPEG (or JPG).

You should use a sound rent accounting system. There is nothing wrong with a simple spreadsheet such as Excel or Google Docs Spreadsheet.

There are other specialist software also available but again, ensure longevity.

Related Forms

Related Services