Your agency's guide to data protection rules in the UK

16 October 2023

Letting agents handle a lot of information about their tenants and landlords, and there are rules for how you need to go about it. So, here's an overview of the data protection laws in place in the UK.

Data protection has evolved rapidly over the last 20 years or so. Back then, very few people used the internet on a regular basis. Now, everyone does - and that means that more data is being sent back and forth.

The use and storage of personal information therefore came under scrutiny, as governments realised that there was a need to protect this information but recognised the economic value of sharing it too.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) forced companies in the EU to comply with new rules around data protection - with fines for those that don't - while allowing them to use relevant information in a secure way.

The law defines how personal data should be processed, including how it's collected, recorded, stored, used, erased, and more.  

What is the Data Protection Act 2018?

In the UK, GDPR was implemented through the Data Protection Act 2018.

This act outlined how the UK planned to follow the EU regulations, mainly that personal data needs to be:

  • Used fairly, lawfully and with full transparency, for clear and specific purposes
  • Used in a relevant way, and only where necessary
  • Accurate and up to date
  • Kept only as long as necessary
  • Stored and handled securely

Personal data is any information that could be used to identify an individual.

What's UK-GDPR?

After Brexit, the UK needed to translate GDPR directly into UK law. That's when GDPR simply transitioned into UK-GDPR, changing some of the terminology to reflect that the regulation only applies in the UK.

This means that, although they're both very similar, the Data Protection Act and UK-GDPR need to be read together. UK-GDPR holds the detail, while the Data Protection Act outlines how that detail is implemented.

What are the Privacy and Electronic Communications Regulations?

Alongside the UK's data protection rules sit the Privacy and Electronic Communications Regulations (PECR).

These are regulations specifically for how data is then used for marketing communications, including emails, calls, text messages, and website cookies.

They also cover the security of the data retained for this purpose, and who it can be shared with.

What are the rules around "consent"?

A key part of these rules relates to consent for how personal contact information is used.

For example, new contacts that you add to your database need to consent to receiving marketing communications from your agency, and you need consent to share that personal information with third parties.

UK-GDPR defines consent as being freely given, specific and informed, unambiguous, and easy to withdraw. It also must be an "opt in" option rather than "opt out".

What's the Data Protection and Digital Information (No. 2) Bill?

The Data Protection and Digital Information (No. 2) Bill will amend UK-GDPR, the Data Protection Act 2018 and the PECR.

The bill aims to "update and simplify the [existing data protection] framework to reduce burdens on organisations while maintaining high data protection standards."

Businesses that are already compliant with the existing regulations are likely to still be compliant under this new bill.

However, it will mean that businesses that only operate in the UK with no plans to expand into the EU would be able to comply with these new, simplified UK-only laws.

What do letting agents need to consider when it comes to data protection?

Letting agents collect and handle a lot of personal information for both their tenants and landlords. You need to remember that you need a lawful basis to collect personal information.

If you ask for any extra information from your tenant, you need to make sure you have a reason to do so, and that it's relevant and necessary, for example if it's to add to the contract for the tenancy.

If you collect that information for any other purpose - such as marketing services based on the tenant's preferences - you'll need consent to do so, or to ensure that it would fall under "legitimate interest". You need to be able to justify why you're collecting that information at each step.

Once you have that data, you need to make sure that it's secure. That's where an online lettings platform like Goodlord can help, where most information would be kept in a protected space.

The volume of information included when processing a tenancy could easily lead to fraud if it were mishandled, and if it fell into the public domain.

You can take a self-assessment to check that your agency is compliant through the Information Commissioner's Office.

This article is intended as a guide only, and is not legal advice. Visit for more information.
