A landlord & letting agent’s guide to data protection
If you are a busy landlord or letting agent, getting to grips with your data protection obligations is likely to be low down on your list of priorities. That said, it’s crucial that you collect, store, and process your tenants’ personal information in compliance with the law. If you don’t, you could end up facing a hefty fine.
According to the Information Commissioner’s Office (ICO), it has “received a number of complaints from residents who have been failed by poor data protection practices from their housing association, company or landlord.” Figures certainly back this up; during the third quarter of 2023/24, the ICO received 8242 data protection complaints. Of these, at least 137 involved the property management sector, over 100 were levelled at estate agents or lettings agencies, while 78 involved accommodation providers. While not all those complaints were upheld, the statistics underscore the importance of complying with data protection laws. If you are compliant, you are far less likely to suffer the hassle and possible expense of a complaint.
In this article, we examine how data protection legislation affects landlords and letting agents, what they need to do to comply, and how insurance can help you if things go wrong.
- What is GDPR?
- Does GDPR apply to landlords and letting agents?
- Do landlords and lettings agents need to register with the ICO?
- How do I comply with GDPR?
- How to protect tenant data
- What are some common GDPR issues in the housing sector?
- What happens if you don’t comply with GDPR?
- FAQs
What is GDPR?
GDPR is an abbreviation for the General Data Protection Regulation. This is an EU regulation concerning information privacy. After the UK left the European Union, the GDPR was retained in domestic law as the UK GDPR. This is implemented in law by the Data Protection Act 2018.
Under the law, anyone responsible for using personal data must follow strict rules known as ‘data protection principles’.
Does GDPR apply to landlords and letting agents?
Yes. If you handle or store tenants’ personal information, GDPR rules apply to you. This can be as simple as storing a tenant’s name and number on your mobile phone.
Do landlords and lettings agents need to register with the ICO?
In almost every instance, a landlord or letting agent will need to register with the ICO (for exemptions, see the FAQs below). You can register online using their form.
How much does it cost to register with the ICO?
At the time of writing, there are three tiers of registration fees, ranging from £40 to £2,900, which must be paid annually.
The vast majority of landlords will pay £40 per year. This fee applies to businesses (including sole traders) with an annual turnover of no more than £632,000 or no more than ten staff members.
Some larger letting agents will need to pay more. If you have a turnover of no more than £36 million or no more than 250 staff, the fee is £60. Any organisation with a turnover of more than £36 million or more than 250 staff must pay £2,900.
What are the data protection principles?
If you handle tenants’ personal data, you must make sure it is:
- used fairly, lawfully, and transparently
- used for specified, explicit purposes
- used in a way that’s adequate, relevant, and limited to only what is necessary
- accurate and, where necessary, kept up to date
- not kept any longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage.
How do I comply with GDPR?
You comply with the GDPR by following the data protection principles above. From the perspective of a landlord or letting agent, compliance is likely to include the following:
- Creating a privacy notice. This tells tenants and applicants how you’ll use their data. Common reasons include using it to decide on a tenancy, conduct tenant referencing, provide tenancy information to utility companies and local councils, or for debt collection.
- Keeping personal data safe. Any electronic or online data must be secure, while printed data should be kept under lock and key.
- Responding to information requests. Tenants are allowed to ask for copies of information you hold about them.
- Deleting certain data if requested. Tenants can ask you to remove or delete information about them. However, you can (and sometimes must) refuse in certain instances. For example, you are required by law to keep Right to Rent information for at least two years. Similarly, you may need to keep tenants’ personal details to manage the tenancy or pass them on to contractors you hire to make repairs at the property.
- Destroying data when it’s no longer needed. This might include things like tenant reference results or resolved emails from a tenant.
Letting agents and landlords will need to share some of a tenant’s personal information with each other to manage the tenancy efficiently. In these instances, this should be made clear to tenants in the privacy notice.
In what scenarios can a landlord give out tenant information?
As suggested above, there are various scenarios in which a landlord can give out tenant information. It’s best to make these explicit in your privacy notice, but they include:
- Telling utility companies about new tenants or the forwarding addresses of old tenants (if their accounts are in arrears or credit)
- Asking a letting agent for tenant references
- Instructing a debt collection company if a tenant has left with unpaid rent
- Informing tradespeople who need to carry out repairs
- Disclosing information when you’re legally obliged to (such as Right to Rent information)
How to protect tenant data
To comply with the GDPR, you need to take steps to protect your tenants’ personal data. These are some of the measures you can take to do this:
- Use strong passwords on all devices you store data on, and any cloud storage platforms.
- Prevent unauthorised access. Make sure that only people who need access to tenant data have it. This might include the letting agents who are actively involved in managing the tenancy.
- Take cybersecurity seriously. As a minimum, use anti-virus software and two-step verification wherever possible, and keep all software up to date. You can get many more cyber security tips from the National Cyber Security Centre.
- Dispose of information securely. If you have paper documents, shred them. You can also use a ‘secure delete’ application to erase electronic files more efficiently.
- Keep hard copy information locked away and restrict access to keys only to those needing them.
What are some common GDPR issues in the housing sector?
According to the Information Commissioner’s Office, there are a few common GDPR issues in the housing sector. These are:
- Inappropriate disclosures of personal data. You should always use this checklist to ensure data sharing is justified.
- Refusing to share information where it is justified. The ICO uses the example of a housing association that failed to share factual information about a leak repair that affected a neighbour. Because this is not personal information, the housing association was not prevented from sharing it under data protection law.
- Failure to keep accurate records. It’s important to keep accurate records of contact with residents, particularly to help you address issues such as repairs.
Another common issue arises when a landlord asks a letting agent to see tenant referencing information. A letting agent can only share it if all parties agree. To solve this problem, make sure this is covered in the privacy notice issued to tenants.
What happens if you don’t comply with GDPR?
If you don’t comply with the GDPR, the ICO can take enforcement action. They can either ask you to take steps to become compliant, fine you, or do both. The ICO can issue assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For very serious breaches, the ICO can fine offenders up to £17.5 million or 4% of an organisation’s global turnover, whichever is higher. While landlords and letting agents are unlikely to be fined millions of pounds, it’s important to realise that non-compliance with GDPR can still result in significant penalties.
Can a tenant sue a landlord / letting agent for breach of GDPR?
If a tenant believes a landlord or letting agent has breached their rights under GDPR legislation, they can do three things. First, they should complain directly to the landlord or letting agent. If the complaint remains unresolved, they can request that the ICO investigate. Separately, the tenant has the right to take civil proceedings against the landlord or letting agent, but they must prove that they have suffered harm because of the breach.
How can insurance help?
If you handle tenant data, you could consider taking out cyber insurance. This can help protect you against the fallout from data loss, including settling tenant claims for damages or costs. In addition, you could consider legal expenses insurance, which has a 24/7 legal helpline that would offer limited advice.
FAQs
Who is exempt from ICO registration?
The ICO publishes a list of exemptions from ICO registration. The only one likely to apply to a landlord is when they process personal information without using an automated system such as a computer. However, many landlords will keep personal information on computers, phones, or other devices and should therefore register.
What happens if you don’t register with the ICO?
If you don’t register with the ICO when you should have done, you face a penalty of up to £4,000 on top of the fee you should have paid.
Is property data personal data?
It depends. The ICO says, “If the data is used, or is likely to be used, to learn, evaluate, treat in a certain way, make a decision about, or influence the status or behaviour of an individual, then it is personal data.” For example, data about a house isn’t, in itself, personal data. By contrast, information about a tenant’s gas or electric account is personal data.
Do landlords have to register with the ICO?
Yes, in almost all circumstances. Even if you use a letting agent, you will almost certainly need to share personal data on the tenant, so you’ll need to register with the ICO.
Summary
While data protection law can seem complex for landlords and letting agents, it needn’t be. By familiarising yourself with the GDPR’s data protection principles, you can easily comply with the regulations. By using data fairly for allowed purposes, keeping it secure and not keeping it longer than necessary, you’ll have gone a long way towards compliance. However, for extra peace of mind – particularly if you are a landlord or letting agent with many tenants on your books – you may want to consider cyber insurance to give you extra protection against any data breach or loss.