Yes, yes, yes! I know, I’m late to the freak show.
Apparently I should have written this blog post back in 1999. That is, according to the seven billion people that have emailed me, expressing their utter disappointment and growing disgust in my negligence of the matter, and how I failed to meet their impeccable expectations.
If you were one of those people, I didn’t reply because I felt too embarrassed to confess the bitter truth: “THE GDPR blog post… it’s coming… soon. Can’t confirm a day. But it’s coming. Stay tuned. It’s coming!”
Fortunately, while I’ve been sitting on the naughty-step I’ve had time to compose myself.
The fact is, I needed a moment to gather my thoughts and process the whole GDPR shit-storm. And by that, I mean wait for some other schmuck – that actually has a clue – to share some decent and digestible information that’s smooth enough for my feeble noggin to munch through and regurgitate.
Which leads me onto my next crucial point…
Here’s an obligatory disclaimer, so that my snotty, finger-twiddling, overpriced solicitor doesn’t roll me into a snot-ball and throw me out the window: I’m not a lawyer, so not even a single word contained in this blog post (or website, for that matter) should be construed as legal advice. The title of this blog post is actually missing a closing question mark and grunt, it should really be, “What Landlords need to do to comply with GDPR, aye?”
My objective is to simply share my opinions and thoughts on what GDPR is and how it affects ME as a landlord, including the steps I’ve taken to comply. If you want legal advice to ensure you’re covered, you should speak to a qualified professional. Happy spending!
And now, here’s my second disclaimer: I’m going to avoid getting into the legal technicalities of GDPR for the reasons mentioned in my first disclaimer, so fair warning, my attempt at simplifying complex information that’s way beyond my shockingly limited capacity may equate to a 1 year old reciting Quantum Mechanics.
I’ll try and stick to what I believe to be the need-to-knows for landlords, avoiding the background noise. So hopefully there won’t be any labour pains, just a baby tossed into your arms, albeit a gooey one. However, I will link to the more in-depth and – what I believe to be – notable resources below, for those that want to get hardcore with it. You’ll need matches and coffee for that journey, though!
We good? We good.
Let’s go…
What is GDPR (General Data Protection Regulation)?
Ok, real quick…
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
Source: https://www.eugdpr.org/eugdpr.org-1.html
In layman’s terms: GDPR is a new set of rules designed to give EU citizens more control over their personal data.
GDPR regulation came into effect on the 25th May 2018, and it’s scaring the shit out of people because the fines for failing to comply can reach up to a ridonculous €20 million or 4% of a company’s global annual turnover. So no need to panic, it’s only a shit-ton of money, and possibly our livelihoods.
Does it affect landlords?
Yup, because landlords typically use and store their tenants’ personal information (e.g. name, email address, phone number, menstrual cycle dates etc) in some form or another. Landlords are legally required to comply with GDPR, which is cool, because it’s not like we have enough legal obligations as it is.
Basically, as landlords, we need to process and control our tenants’ information in a transparent fashion, which includes explaining:
What personal information we collect.
Why we need their personal information.
How we might use their personal information (including who the information might be shared with), and ensuring we only use it in that way (unless there is overriding legal precedence requiring the information).
How long their personal information is retained for.
What am I going to do to comply?
Based on all the lengthy and confusing guff floating around, you’d think you’d have to shred a landfill worth of paper and perform brain surgery on a Raccoon to comply. But in practical terms – as far as landlords are concerned – there doesn’t seem to be too much to it, from what I can tell, anyways. I did the following two things…
1) Registered with the Information Commissioner’s Office
If you currently or at some point stored, used or deleted tenant personal information (e.g. name, email, telephone, address etc.) on any electrical device (e.g. computer, phone or tablet etc.) then you should be registered with the ICO, and that’s actually regardless of GDPR (i.e. it’s always been required). I’m not saying I didn’t know about it… hmm yeah! I’m just saying GDPR has reminded many of us that it’s required, is all!
There are a few exemptions, but they probably won’t apply to you.
It costs £35-40 per year (depending on payment method) to register. You can register here or if you’re adamant on fighting the cost (all the power to you) you can use this tool to discover if you’re exempt (which you probably won’t be).
Yup, it was inevitable- GDPR exposed another added expense of being a landlord.
Is registering necessary?
The requirement for landlords to register appears to be a bit of a controversial and sore subject.
Tessa Shepperson from Landlord Law says it’s required, and so does Adrian Thompson from the GRL (Guild of Residential Landlords), but then we have this article on LandlordToday saying it’s “unlikely” to be necessary for small scale landlords, and we also have a couple of super irate twits squabbling on LandlordReferencing’s forum, absolutely refusing to believe it’s necessary (it’s quite an amusing read: the LR’s CEO, Paul, really seems to get his willy out about the whole ordeal).
In any case, I know which horses I’m backing, and it ain’t the willy-flaunter!
I did actually contact the ICO to get their view on the matter. I spoke to one of their ‘Registration Advisers’ (after being on hold for 40 minutes; they’re currently experiencing high call volumes, which isn’t terribly surprising), and this is how the conversation went:
I’m a private landlord, do I need to register?
Have you held or do you hold any personal information about your tenants on an electrical device, for example, tenancy applications, contact details, tenancy agreements?
I sure do!
You need to register then.
Ok, what if I only have everything on paper? (regardless of how unlikely that scenario is for a landlord in the 20th century, I asked the question out of curiosity)
If you have printed the documents yourself off an electrical device, then you need to register, even if they’ve since been deleted. That also applies for details held in emails. If you only ever receive personal information about your tenants directly onto paper, then you don’t need to register.
Thank you. You’re cute.
So unless you’re Fred Flintstone, I think it’s safe to assume you and most other landlords would be required to register based on that conversation. But even if you think you don’t (i.e. because a letting agent manages your property), you may want to register to err on the side of caution for the sake of future-proofing, because you may somehow get lumbered with your tenant’s personal info via electronic means, and once you’ve got it, you’ve got it, kind of like hepatitis- something you can’t merely toss aside like a hot potato, unfortunately.
Either way, I’ll leave it in your capable hands to decide what’s best for you. I will say one thing though, I’m not aware of any case where a landlord has been prosecuted for failing to register. Make of that what you will.
The registering process
The process is pretty straightforward, but I did get slightly confused by the “Sector” section of the application. Nothing really screamed “Landlord”, so I contacted ICO for guidance yet again, and they advised me to select the following options:
ICO Registration, “Sector” options recommended for private landlords.
Yup, yup, yup. I know you’re not a letting agent, but they’re still the recommended options!
Helpful? Hope so, because I was on hold for fifty-five painstaking minutes in total.
2) Use Privacy Policies where personal information is collected
This seems to be the most important step of complying. If we’re going to get ass-raped for GDPR negligence, it will probably have something to do with this.
All the documents/forms used by agents/landlords that gather personal information from tenants should contain a privacy policy, clearly explaining ‘why’, ‘how’ and ‘for how long’ their information is controlled and processed.
I’ve updated all the landlord documents available on this website that require personal information from tenants with a privacy policy, including the Tenancy Agreements, Guarantor Agreements, Tenancy Application form (free to download), and Guarantor Application form (free to download).
For example, here is a snippet from the Privacy Policy in the tenancy application form:
Personal information which you have supplied may be used in a number of ways, for example:
To make a decision about granting a tenancy
To confirm identity and obtaining references
For tenancy/licence agreement preparation
Debt collection
Providing references and the conduct of any tenancy in the future
Providing information to utility companies or a local authority about any tenancy
Note that it doesn’t need to be written in old English from the 1200’s, like most of our legal guff is. Just plain old simple and clean English will suffice as long as it makes sense.
Go ahead; download, adapt, use at your own risk, and stick it up your bum.
Oh, and please, please, please!!! If you’re already subscribed to my mailing list and you plan on downloading the free documents, use the same email address you’re subscribed with so you don’t resubscribe (otherwise you’ll double up on all my emails, and you’ll probably hate me for your own carelessness).
Anyways, what was all the GDPR fuss about, right?
During my ‘research’ phase, I glanced through the usual suspects for answers, including the RLA, and a few of the other heavy hitters… MY SHITTING-GOD, the sheer depth of all the loosey-goosey ‘general’ information they’re flaunting on GDPR is, quite frankly, soul-destroying.
Personally, I didn’t need another GDPR manual, I just needed to know what I need to do in order to comply!
Sadly, I struggled to unearth guides explaining the practical steps required; I just kept bumping into endless reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels and reels…… of legislation that wasn’t really telling me anything.
It’s, like, they don’t even know we’re regular everyday people… which means, by and large, we don’t give a flying fuck about the fluff!
I’m sorry, I’ve gone off on an awkward tangent. No wonder none of the other landlord webmasters invite me to the parties/gatherings/fancy black-tie dos.
Anyways, maybe I’ve misunderstood and/or oversimplified it, but they’re the two steps I’ve taken.
A word on “Consent”
The word “consent” has been deeply penetrated into almost all GDPR threads, so I just want to mention it in case you freak out because I didn’t.
“Consent” is a gigantic part of GDPR, and that’s precisely why we’ve all been email-bombed by companies, groveling for “consent” to remain on their shitty emailing lists so they can, ironically, continue bombing us with shitty marketing shit. I’m assuming they’re having to jump through those hoops because somewhere along the line they weren’t completely transparent with what they intended to do with our personal information.
So, anyways, do we need consent from tenants to process their personal information?
According to this article on the GRL, landlords are unlikely to require ‘consent’ to process personal information (don’t confuse that with the need to be transparent, though).
From what I understand, consent is not required if personal information will be processed under ‘legal requirement’, ‘contract’, ‘vital interest’ or ‘legitimate interests’, which pretty much covers the reasons for why landlords would process information while managing a tenancy, so we should be just fine without consent as long as we do our job as we’re supposed to. *high-five*
Again, from what I understand, consent is largely required for those that use any personal information for the purposes of sales or marketing. So, for example, if you’re the type of landlord that up-sells cutlery and bed linen to your tenants, then you’re probably the kind of asshole that will require consent before you’re able to continue doing so.
Additional notes
Existing tenancies
Couple of points and circumstances to consider here, and I’ll leave it up to you to decide which dusty road to walk down:
If your existing tenancy agreement already has some form of privacy policy in place (which many do), then it might be sufficient for now (albeit, not as elaborate as the post-GDPR tenancy agreements available).
As new tenants take over properties, the older tenancy contracts (which lack privacy policies) will eventually disappear.
If you want to play it super safe, you could contact all your tenants with your shiny new privacy notice, explaining that your privacy policy for using their information has been updated.
Using a letting agent?
If you’re using a letting agent to manage the tenancy applications, they should take care of the privacy policies since they’ll be the ones collecting and processing the data. Your agent’s privacy policies should state that they may share your tenant’s personal information with you, but yes, that’s their responsibility, not yours.
If you’re not using an agent to manage the applications, just ensure any of the documents you use to collect personal information from your tenants – prospective or otherwise – contain sufficient privacy policies.
Information requests
Under GDPR, tenants have the right to request details about the personal information you hold about them.
Remember, transparency is key!
Right to be forgotten
Tenants have a “right to be forgotten”, which means they can request for all the information you hold on them to be removed/deleted. However, where you are legally required to process information (e.g. ID to prove they have a right to rent), there is no right to erasure.
Recommended GDPR resources for landlords
I’m only going to recommend one resource produced by The Guild of Residential Landlords, because almost all the information in this blog post was accumulated from information available on their website, specifically this page (go there for a more in-depth explanation of GDPR). It was probably the only website which I came across which catered to my limited attention span and very limited ability to absorb boring shit.
Needless to say, if you’re looking for a good time and practical day-to-day landlording tips, then RIGHT HERE is home. However, if you’re serious about staying on top of all the landlord legal junk, then I can’t recommend becoming a member of The Guild of Residential Landlords enough. I’ve been recommending and endorsing them for a while now – they’re the best Landlord Association, in my opinion.
Any questions? Hope not!
If you have any questions regarding GDPR I hope I’ve made it abundantly clear that it’s not worth asking me. But drop it down in the comment section anyways, because maybe Adrian from GRL will stop by since I [willingly and deservedly] plugged his services, or perhaps someone else with a credible legal mind can assist.
If you feel I’ve missed anything out, if you feel there’s been an oversight, or if you did something different to comply, please drop a comment!
Hope this ride’s been useful! xoxo
P.s. Apologies for the delay on getting this out! Writing about legal nonsense doesn’t really flow as easily as a dip-stick tenant that ruined my walls with anal warts. But that’s my curse, not yours.