New Data Protection Obligations For Landlords

If you are a landlord, have you registered yourselves with the Information Commissioner’s Office? If you are a large organisation or deal with high volumes of tenants’ persona data, have you appointed a Data Protection Officer to monitor compliance with the Regulations?

If not, recent changes to data protection laws mean you may need to do so, urgently.


You should all be aware that the General Data Protection Regulation (“GDPR”) came into force on 25 May 2018.

It is true that GDPR is an extension and evolution of our existing data protection laws. However, the changes have brought may new obligations which will affect the property rental sector.

A common scenario

As a property litigator, one issue that has come to my attention in relation to GDPR is the ability for a landlord to share the tenants data with third party suppliers. Many landlords will have encountered tenants that have vacated a property without paying utility bills. The tenant may not have provided a forwarding address for outstanding invoices or bills.

Your business may also rely on third-party websites or software products to manage your properties and tenant information.

The old way

Past practice relied on by landlords was to use a clause in a tenancy agreement. This would state that consent is granted to allow them to provide the utility supplier with a copy of the tenancy agreement or a copy of the notice seeking possession, or even a court order. This is now most definitely at an end. GDPR is more detailed than previous data protection legislation.

The new way

Under GDPR, using such data without a valid lawful basis and consent can lead to significant fines. The provision of specific consent by the tenant is now required by a landlord to process any personal data. For example, consenting that information may be passed to a utility company for the purpose of invoicing for the supply of services, or chasing payment for those services following termination of  the tenancy.

The consent must be a “positive opt –in”; that is to say that the tenant must have taken steps (ticking an unticked box – “a clear affirmative action”, – for example) to confirm their consent to process their data. Alternatively, and a slightly more risky approach,  is that if the tenancy agreement permits the landlord to pass on data to assist the utility company, the landlord could be deemed to be lawfully processing the data. Even if the tenancy agreement did not permit the landlord to pass on details, it may be that the landlord would be able to pass it on relying on the legitimate interest ground.

This isn’t the only change for landlords under GDPR. Like all businesses, if you are holding or processing personal data you must ensure that all data you hold is necessary for the tenancy, and that it is stored securely and in a way that it can be easily provided to the tenant if requested. It is also important that you have a clearly set out Privacy Policy for your clients to let them know how you will process their data.

If you haven’t already done so, you should carry out an audit of the data you hold, and who you share it with. You should take advice and implement any changes necessary to ensure you are compliant with GDPR.

Whilst it may initially seem burdensome, GDPR compliance should be seen as a benefit to your business. It will give your tenants confidence that they are dealing with a professional organisation, and that their personal data will be managed properly.

Further Advice

For more information about this topic or to arrange a GDPR healthcheck for your business, please contact me by telephone on 0114 3496983 or email

About the author

James Parden is a property litigation lawyer based at our Sheffield office.

For more advice on this topic or related matters:

0114 3496983