By Law, You Can’t Ignore – GDPR for Landlords

Landlords must take action to comply with new regulations

GDPR: A word that has landed on everyone’s doorstep. It is yet another regulation that cannot and should not be ignored, but as a private landlord you may think it doesn’t apply to you…

The General Data Protection Regulation (GDPR), which came into effect on May 25th 2018, affects anyone who gathers and holds personal data about other parties, and you must, by law, comply with the new data protection legislation.

So how do you become compliant…

The Residential Landlords Association (RLA) provides guidelines on measures you should take to meet the new GDPR regulations, as follows:

As a residential landlord or agent under the GDPR there are a number of things which you must do to be fully compliant. Failure to comply could mean that you could in some cases be successfully sued or face a fine from the Information Commissioner’s Office (ICO). These are the things that you must do –

The RLA has provided a toolkit for its landlord and agent members to help with full compliance, but it stresses that “compliance and content of documents is your responsibility”.

Legitimate Interest

Where you have ‘Legitimate Interest’ to process an individual’s personal data, you need to include in a Privacy Policy notice what that legitimate interest is. For example, if you share your tenant’s information with a property services company such as Vibrant to carry out an EPC, Inventory, mid-term inspection, or Legionella Risk Assessment, then you need to include in your notice who you will share their details with and why.

The RLA advises that if the information is something that the tenant etc. would expect you to handle/process or share then this would satisfy Legitimate Interest.

Therefore, in order to work towards achieving compliance, the RLA suggests a step-by-step process, and advises that a landlord or a designated data protection officer should perform an assessment to see whether they:

  1. need to comply
  2. have fully mapped out what personal information is held, how it is used and who it is shared with
  3. have a lawful basis for processing personal information and, where consent is needed, have a high enough standard for it
  4. have a data protection policy with enough regard to the data protection principles and the rights of the individual
  5. have investigated whether or not their third party data processors are compliant with GDPR
  6. have a satisfactory privacy notice

By law, you can’t ignore. There are penalties for non-compliance and fines can be imposed of “up to 20 million euros or 4% of turnover (whichever is higher)”.

Vibrant is GDPR compliant and any tenant, property owner, or client data shared with us to carry out a property assessment, mid-term inspection, EPC, Legionella Risk Assessment, or any other required service, is held in the strictest confidence.


You can find the RLA guidelines and more documentation to support landlords and agents on the RLA website:

For detailed guidance on GDPR, visit the Information Commissioner’s Office (ICO) website:



Author’s Note: 

This article is for information only and does not suggest or provide formal or legal advice.