In today’s digital rental market, landlords handle more personal data than ever before — tenant applications, references, ID documents, rent payments, and even CCTV footage.
The Data Protection Act 2018 (DPA 2018), which enforces the UK General Data Protection Regulation (UK GDPR), governs how you must collect, store, and use that information.
Failing to comply can result in financial penalties of up to £17.5 million or 4% of global turnover, whichever is greater. Yet, thousands of landlords remain unregistered and unaware of their obligations.
Why the Data Protection Act 2018 matters
If you let property in your own name, through a company, or as an agent, you are classed as a data controller.
That means you determine how and why personal information about tenants, guarantors, or applicants is processed.
Examples of data you handle include:
- Tenant names, addresses, phone numbers, and emails.
- Bank details and rent payment records.
- Employment and income verification.
- Credit references and guarantor details.
- Copies of passports or visas for Right to Rent checks.
Under the law, you must handle all of this information fairly, securely, and transparently.
Step 1 — Register with the Information Commissioner’s Office (ICO)
Every landlord who collects or stores personal information must register with the ICO and pay a small annual fee (usually £40–£60).
How to register
- Complete the self-assessment to confirm you need to register (most landlords do).
- Submit your details and pay the fee.
- You’ll receive a registration certificate — keep this for your records and renew annually.
Failing to register when required is a breach of the law and can result in civil penalties of up to £4,000.
Step 2 — Understand the principles of lawful data processing
The UK GDPR sets out seven key principles you must follow when processing personal data:
- Lawfulness, fairness, and transparency – Be open about what data you collect and why.
- Purpose limitation – Only use the data for legitimate rental management purposes.
- Data minimisation – Collect only what’s necessary.
- Accuracy – Keep data up to date.
- Storage limitation – Don’t keep data longer than needed (usually six years for financial records).
- Integrity and confidentiality – Protect data from loss, theft, or unauthorised access.
- Accountability – Be able to demonstrate your compliance (records, privacy notice, policies).
Step 3 — Issue a privacy notice to tenants
Every landlord must give tenants a Privacy Notice explaining:
- What data you collect.
- Why you collect it.
- Who you share it with (e.g., referencing agencies, contractors, deposit schemes).
- How long you’ll keep it.
- Their rights to access, correct, or delete data.
This can be included in your tenancy pack or emailed separately.
Step 4 — Keep data secure
Practical security measures include:
- Password-protecting electronic files and devices.
- Storing paper files in locked cabinets.
- Using encrypted software for tenant data and rent collection.
- Restricting access to data to only those who need it (e.g., letting staff).
Landlords are legally responsible for ensuring that agents or contractors who process data on their behalf also comply with the Act.
Step 5 — Responding to tenant data requests
Tenants have strong rights under the UK GDPR, including:
- The right to access their personal data (“Subject Access Request”).
- The right to have incorrect information rectified.
- The right to object to processing in some circumstances.
Landlords must respond within one month and provide a copy of the data held, free of charge (unless the request is excessive).
What happens if you don’t comply
The ICO has powers to investigate and penalise individuals and organisations that breach the law.
Possible enforcement actions:
- Monetary penalties – up to £17.5 million or 4% of turnover for serious breaches.
- Civil fines – commonly £400–£4,000 for failing to register.
- Enforcement notices – compelling you to take corrective action.
- Public listing – your name published on the ICO’s “non-payers” register.
In recent years, small letting agents and private landlords have been fined for ignoring ICO registration and mishandling tenant data.
Compliance checklist for landlords
✅ Register with the ICO and pay the annual fee.
✅ Provide tenants with a Privacy Notice.
✅ Keep data secure and only collect what you need.
✅ Delete or anonymise data once it’s no longer required.
✅ Respond to Subject Access Requests within one month.
✅ Audit your agents and contractors for compliance.
✅ Review your policies every year.
Key takeaway
The Data Protection Act 2018 is not optional — it applies to every landlord who handles personal information.
ICO registration takes just minutes online but protects you from costly penalties and reputational harm.
As the rental sector becomes increasingly digital, compliance with data protection law isn’t just about avoiding fines — it’s about trust. Tenants are more likely to rent (and stay) with landlords who handle their personal data responsibly.
Disclaimer: NetRent does not provide legal advice. These articles represent our understanding of rental property law.