New Data Protection Rules Coming

Posted 10.04.18

On 25th May 2018, the Data Protection Act 1998 will be replaced with the General Data Protection Regulation.  This new regulation contains very onerous obligations compared to what we have now in the form of data protection and  will affect all landlords and agents as it introduces new and enhanced rights for individuals and their personal data.  A landlord is classed as a Data Controller and an Agent is classed as a Data Processor

This will not only affect landlords and agents but will affect everyone who holds any data on anyone – Companies, NHS, etc. although there are a few exemptions, Local Authorities, for instance.  Although it will not affect yourselves a much as the big Companies, please be aware it DOES affect you even if you only have one tenantMany landlords will already have these procedures in place but everyone needs to ensure they have correct procedures in place.

It is all about accountability – you must be able to demonstrate that your processing is compliant with law.

We recently held training on this subject where it was confirmed by the trainer, Les Brown, Solicitor confirmed that all landlords and agents should be signed up to the Information Commissioners Office and they will certainly need to be signed up by the time the new rules come into place in May.  The Association itself signed up as soon as we became independent as we hold name and addresses of our members.  For further information go to  or ring them on 0303 123 1113

Under the new rules you will have to:

Notify people whose data you hold informing them what data you are holding and how long you intend to hold it for.

  • Appropriate measure to ensure security of data.  Eg. Password protect any documents
  • If you have any data on ipad, phone or computer and these are lost or stolen, you must report this to the Information Commissioners Office immediately, failure to do so will be classed as a criminal offence.
  • If person whose data you hold asks for it, you must provide it.  You can only continue to hold data that is relevant.
  • A very high standard of consent is required and you must be able to demonstrate that consent was obtained.
  • Consent can be withdrawn unless you are holding that information under a contract.
  • Data must be destroyed or returned when not dealing with subject further.
  • All data breaches to be notified to the Information Commissions Office within 72 hours.  Data processor (Agent) must inform the data controller (landlord)
  • Agents must provide written agreement between you and the person you are holding the information for eg. Landlord which must contain certain information –
    • Why are you holding it
    • How long are you holding it for
    • Type of information – eg. Does it concern the tenant or guarantor
    • What information it is
    • Appropriate measures you have in place to ensure security of data


Individuals affected by a breach of the rules by a data controller or processor have the right to bring compensation claims – need to be related to financial loss but can also include personal distress and anxiety.

To assist members we have  added this requirement onto the checklist which all tenants must sign at the beginning of the tenancy.  This form is attached to our tenancy agreement but you can also find it in our Document Library in the Members Area.  There is also a guidance letter  that you will need to send out to your current tenants as these requirements will apply to all current data not just new data.  A copy of this document is also in the Document Library.