The top 5 data protection considerations for those involved in the residential property and housing market, including landlords and managing agents
1. Get the basics right – including privacy notices
- Whether you are a landlord, a managing agent or another service provider, if you use, store or share personal data (including information relating to your tenants), you will very likely be subject to UK data protection law (primarily, the UK GDPR) as a data controller (for example, landlords in relation to tenant data they hold) or a data processor (for example, managing agents in relation to tenant data they hold on behalf of the landlord).
- For example, a landlord or managing agent may hold image data collected by their CCTV systems, contact details and financial data of their tenants, or potentially biometric data or marketing preferences if technology-enabled entrance systems or property management apps are used.
- Taking active steps to comply with the UK GDPR may be considered an expensive and daunting distraction. However, ignoring its requirements is a risky strategy.
- At the very least, basic compliance and security measures should be taken. Addressing certain ‘easy-win’ public-facing compliance measures can go a long way to stave off unwanted scrutiny.
- Examples include: (a) ensuring that controllers have appropriate privacy notices drafted and made available and (b) ensuring that employees who have regular or permanent access to personal data are made aware of their responsibilities, including through appropriate training.
2. Use of CCTV
- CCTV may capture personal data of tenants, people visiting a property or those who work there. The use of CCTV in communal areas and publicly accessible areas (inside or outside) will likely be subject to the UK GDPR.
- As such, care should be taken to ensure that signs are clearly displayed to inform individuals that CCTV is in operation. Its use should then be explained in further detail in relevant privacy notices, including details of how the data will be recorded, used, stored and retained.
3. Subject access requests
- Related to the above point, individuals who want to exercise their right to access and receive a copy of their personal data can make a data subject access request (DSAR). The UK’s privacy regulator, the Information Commissioner’s Office (ICO), has published detailed guidance on the Right of access under Article 15 UK GDPR.
- If you are a data controller, you must comply with a DSAR without undue delay and, at the latest, within one month of receiving the request.
4. Security and data breaches
- If you are a data controller and discover a personal data breach, depending on the seriousness, you may be required to notify the ICO within 72 hours.
- You must describe the nature of the breach and, where possible, the categories and approximate number of individuals affected, as well as the name and contact details of the Data Protection Officer (DPO) or other contact point for more information, the likely consequences, the measures taken or proposed and any measures to mitigate its adverse effects.
5. Data processing agreements
- If you are a data controller (for example, a landlord) who engages a data processor (for example, a managing agent), you will need a written contract covering a number of specific issues, including that the data processor will take appropriate measures to ensure the security of the personal data and act only in accordance with the data controller’s instructions. This is a legal requirement under the UK GDPR.