There are many circumstances where landlords might hold personal data about individuals, for example information about tenants, employees or customers, or information held as part of security arrangements. This might be collected as part of a manual process or be entirely automated. Obvious examples of personal data include names, addresses (email and physical), telephone numbers, dates of birth and bank details for regular payments such as rent.
Emerging technologies make this more complicated. For example, face recognition and other biometric technology, smart metering, "the internet of things" and email screening all present unique problems in terms of how an individual's data is adequately collected, protected and processed.
Current data protection law already imposes obligations on how landlords (and others) must manage this data and includes significant sanctions for non-compliance. However, the law will be significantly strengthened on 25 May 2018 when the EU General Data Protection Regulation comes into effect. Despite the name, it will continue to apply following Brexit and will:
- Impose greater obligations on landlords (and others) that process personal data; and
- Change the risk profile of data protection compliance; and
- Give individuals enhanced rights that are easier to enforce.
The new regime imposes:
- A requirement for data handlers to notify the Information Commissioner’s Office and affected data subjects of data security breaches in certain circumstances;
- Fines for breaches of up to 4% of annual worldwide turnover or EUR 20m, whichever is the higher; and
- Simpler rights for affected individuals to claim compensation for non-financial damage, with claimant firms still able to claim success fees from defendants (the Jackson reforms do not apply to privacy proceedings).
Landlords should review the extent to which they need to prepare for the new regime (including developing or updating a suitable response plan to deal with any data breach).