Whether it's a landlord’s email address or a guarantor’s financial information, agents are responsible for managing data that must be handled in line with legal requirements. Ensuring compliance is crucial to protect sensitive information and avoid serious penalties. Failure to do so could result in fines up to £17.5 million or 4% of annual turnover, whichever is higher.
In 2019, a letting agency was fined £80,000 for failing to secure tenant and landlord data. The breach exposed sensitive details like financial records, passport copies, dates of birth, and addresses.
The use and storage of personal information are continually evaluated and regulated to ensure its protection.
So what are the data protection rules within the UK? And what do letting agents need to do to remain compliant?
The General Data Protection Regulation (GDPR) is an EU law which was initially implemented in May 2018. Organisations and companies must comply with GDPR rules, surrounding data protection and how that data is used.
All companies must “comply with this new regulation and consider the ethical and appropriate use of data and technology”.
This legislation defines how personal data should be processed, including how it's collected, recorded, stored, used, erased, and more.
GDPR applies to any organisation that processes the personal data of an individual within the EU, no matter where the company is based.
In the UK, GDPR was incorporated into national law through the Data Protection Act 2018. This Act, together with UK-GDPR, forms the legal framework for data protection.
Under this legislation, personal data must be:
Personal data is any information that could be used to identify an individual.
Individuals have the right to access, rectify, erase, and restrict the processing of their data, and it must be easy for them to exercise these rights.
The UK's data protection law is primarily governed by the Data Protection Act 2018 (DPA 2018), which implements the EU's General Data Protection Regulation (GDPR) into UK law.
The Information Commissioner's Office (ICO) is the supervisory authority responsible for enforcing both the DPA 2018 and the GDPR as it applies in the UK.
Letting agents should ensure they are focusing on the correct legislation to ensure compliance during the process.
Instead of worrying about which legislation to follow, using a lettings technology platform such as Goodlord can focus on the compliance process so they don’t have to.
The Privacy and Electronic Communications Regulations (PECR) are a set of regulations that complement the UK's data protection law.
These regulations specifically address electronic marketing communications, including email, text messages, and telephone calls. PECR also covers the use of cookies and similar technologies.
A letting agency must receive explicit consent before sending marketing communications. They should also provide clear and easy-to-use opt-out options. By including a tick box at the end of a contact form, asking for permission to send a landlord marketing emails, letting agents have permission to contact them for those purposes.
Agents need to ensure it is clear what they are asking permission for and make it easy for a landlord to subscribe at any time.
Letting agencies must comply with PECR when contacting tenants and landlords for marketing purposes. This includes obtaining appropriate consent and providing clear information about how to opt-out.
A key part of these rules relates to consent for how personal, contact information is used.
For example, if a letting agent needs new contacts to add to their database and marketing materials; a tenant or landlord must give consent to receive marketing communications from the agency and need consent to share that personal information with third parties.
UK-GDPR defines consent as freely given, specific, informed, unambiguous, and easy to withdraw. It must be an "opt-in" rather than an "opt-out" option. Agents should be aware that individuals can withdraw consent at any time under UK-GDPR.
The Data Protection and Digital Information Bill will amend the UK GDPR, the Data Protection Act 2018 and the PECR.
The bill aims to "update and simplify the [existing data protection] framework to reduce burdens on organisations while maintaining high data protection standards."
Businesses already compliant with existing regulations are likely to remain so under the new bill. However, the bill intended to simplify UK-specific laws, particularly for businesses that operate solely within the UK.
The Data Protection and Digital Information Bill was introduced by the Conservative government in July 2022 but did not pass through the final stages before parliament closed for the general election.
However, instead, the Labour Government introduced their version of this bill called the Digital Information and Smart Data Bill (DISD Bill).
This Bill aims to secure “the sharing of customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data”.
Letting agents handle significant amounts of personal information for both tenants and landlords. They must ensure they have a lawful basis for collecting personal information and that any data collected is relevant and necessary.
If agents collect information for additional purposes, such as marketing, they must have explicit consent or justify it under "legitimate interest." Agents must ensure that all data is secure and compliant with legal requirements.
Using secure online platforms, like Goodlord, can help agents protect personal data and maintain compliance. Proper handling and storage of information are crucial to prevent fraud and data breaches.
The volume of information included when processing a tenancy could easily lead to fraud if it were mishandled, and if it fell into the public domain. Therefore, using a platform like Goodlord can let agents feel confident that any information they collect is protected and in line with compliance requirements.
Agents can conduct a self-assessment through the Information Commissioner's Office to check their compliance with data protection laws.
This article is intended as a guide only, and is not legal advice. Visit gov.uk for more information.