Loading Guild Resources
Loading Guild Resources
Loading Guild Resources
Landlords or agents must have a sound system of record-keeping.
You should keep a file for a property, and then each time a new agreement is given to a new occupier, you should place a new file into the property file. You could keep the same structure for computer storage.
Under the UK GDPR and Data (Use and Access) Act 2025 ("GDPR"), landlords will, in almost every situation, be required to register with the Information Commissioner's Office (ICO) as a data controller. Registration is required if personal information is processed on an electronic device, including mobile phones, tablets, and computers. Processing includes: storing, using, and deleting information, and registration is straightforward and inexpensive.
To complete registration, visit the ICO website, where there is a quick and straightforward self-assessment tool that establishes in a few easy steps if a fee is payable - https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee-self-assessment/
The GDPR significantly impacts how data controllers must operate. Firstly, if the processing is based on consent, consent to process data must be "opt-in", not "opt-out". This means they have to undertake some specific action to choose to allow their data to be processed. Secondly, consent is not the only lawful basis for processing data. Lawful bases likely to be relevant to lettings include consent, processing necessary for the performance of a contract, processing necessary for compliance with a legal obligation, and ordinary legitimate interests. Of these, performance of a contract and compliance with a legal obligation are the most common bases for processing.
From 5 February 2026, a separate recognised legitimate interest basis may apply, but only where the processing is necessary for one of a limited number of purposes set by law. Examples relevant to landlords include preventing or investigating crime, safeguarding a child or a qualifying vulnerable adult, responding to a statutory emergency, or making a necessary disclosure under a properly framed request from a body carrying out a public task. It is not a general basis for routine referencing, occupation contract management or marketing. Ordinary legitimate interests remain separate and still require the processing to be necessary and balanced against the individual's rights.
The new rules give more rights to the individual, including:
The first step in compliance is to understand what data you hold and on what basis you process it. Arranging a plumber for a repair may fall under the lawful ground of processing contract fulfilment and may not, therefore, need the contract-holder's consent. However, suppose you want to send a surveyor to value the property. In that case, this is not likely to be "contractual", so giving out the contract-holder's information would have to be based on another basis of processing, perhaps either the landlord's legitimate interest or consent.
The English Right to Rent landlord scheme is not a legal duty for premises in Wales. A landlord may carry out proportionate identity or fraud checks for another lawful purpose, but should not describe them as mandatory Home Office Right to Rent checks for Welsh premises.
From 19 June 2026, the Data (Use and Access) Act 2025 requires controllers to provide an accessible way for people to make data protection complaints, including electronically and by other means. A complaint may come from a contract-holder, applicant, guarantor, or other person whose personal data is involved. The controller must acknowledge receipt “within the period of 30 days beginning when the complaint is received”. It must also respond without undue delay, make enquiries that are proportionate to the complaint, keep the complainant informed of progress, and tell them the outcome. The 30-day period is for acknowledging the complaint, not for delaying the investigation.
This is separate from ordinary housing or service complaints. It applies where someone considers that the handling of their personal data infringes the UK GDPR or the Data Protection Act 2018. The ICO provides guidance on handling data protection complaints.
Privacy information that is currently used should explain how to complain both to the landlord or agent as controller and to the ICO. Include both complaint routes in subject access request responses and in any message saying that the controller will not act on, or is refusing, a data rights request. There is no blanket requirement to resend revised privacy information to every former contract-holder or other person simply because this wording has changed.
Deal with a subject access request without undue delay and usually within one month. The time starts once you have the request, any information reasonably needed to confirm identity, and any fee that may lawfully be charged. You may extend the deadline by up to two months if the request is complex or there are several requests, but tell the person within the first month and explain why. You may pause the time while waiting for clarification, but only where this is reasonably needed to identify the information or processing being requested. Carry out a reasonable and proportionate search. The first copy is free; a reasonable administrative fee may be charged for further copies. See the ICO guidance on the right of access.
Note that if the data controller provides the data to a third party, then a record must be made of this so that if the data is later updated, you know to whom the data was given and pass on the correct updated data. It would help if you also made sure that any third party handling the data follows UK GDPR and what they are and are not allowed to do with the data. This is referred to as a data processing agreement.
Ask cloud and other suppliers where personal data can be accessed, as well as where it is stored. Remote access by a separate organisation overseas can count as an international transfer even if the server is in the UK. Check the supplier, the countries involved, the safeguards in place, and the transfer rules that apply. See the ICO guide to international transfers.
Many people store copies of agreements on their computers or in the 'cloud'. Ensure any format they are being held in will still exist in many years, if you need it in 20 years. Note, UK GDPR would make it an offence to store the data for 20 years without a valid reason for keeping it that long. Although average lets are around 18 months, it is not unusual to see an occupier stay in a property for 10 - 20 years. If you need the agreement for possession in 15 years, could you still open it? Is the cloud provider you were using still in business then? It is always best to have a paper copy of essential things, such as agreements.
Although there are no guarantees, suitable formats that should survive include PDF or JPEG (or JPG).
You should use a sound rent accounting system. There is nothing wrong with a simple spreadsheet, such as Excel or Google Docs Spreadsheet.
There are other specialist software programs also available, but again, ensure longevity.