UK GDPR and Data Protection Act 2018: A Landlord's Guide
The UK General Data Protection Regulation (UK GDPR), implemented through the Data Protection Act 2018, governs the processing of personal data in the UK. It applies to landlords from the first prospective tenant enquiry through to retention of records after the tenancy ends. Landlords are 'data controllers' subject to the full framework — six legal bases for processing, seven data protection principles, mandatory privacy notices, data subject rights including subject access requests, retention limits, security obligations, and 72-hour breach reporting. Civil penalties can reach £17.5m or 4% of turnover. This page covers the framework as it applies to landlord operations: legal bases, principles, privacy notices, retention periods, security, breach reporting, and practical compliance.
What the framework does
The UK General Data Protection Regulation (UK GDPR), implemented domestically through the Data Protection Act 2018, is the principal statute governing the processing of personal data in the UK. It applies to almost every organisation that handles personal data — including residential landlords. From the moment a prospective tenant submits an enquiry through to the end of the tenancy and the retention of records afterwards, landlords are processing personal data subject to the framework.
Many landlords assume that GDPR is a concern primarily for large organisations and that small portfolio operations fall outside the regime. This is incorrect. The framework applies to all "data controllers" — anyone who determines the purposes and means of processing personal data — regardless of size or commercial context. A landlord with a single buy-to-let property who collects a tenant's name, address, employment details, bank details, and emergency contact information is a data controller subject to the full framework.
The practical compliance burden for typical small-portfolio landlords is moderate but real. The framework does not require sophisticated infrastructure; it requires basic principles to be observed — process only what is necessary, hold data securely, retain it only for as long as necessary, respond to data subject requests, and report breaches. Civil penalties for breaches can reach £17.5 million or 4% of global annual turnover (whichever is higher), but in practice penalties for ordinary landlord-context breaches are typically more modest. The bigger risk is reputational and operational: data breaches damage tenant relationships, attract Information Commissioner attention, and can produce civil claims by affected individuals.
What counts as personal data in landlord operations
Personal data is any information relating to an identified or identifiable individual. In landlord operations, this includes:
- Tenant identification — names, dates of birth, photographs, ID document copies.
- Contact information — addresses, phone numbers, email addresses.
- Employment information — employer names, payslip details, employer references.
- Financial information — bank account details for rent payments, credit check results, deposit references.
- Right-to-rent documentation — passport copies, visa documents, share codes.
- Communication records — emails, text messages, letters relating to the tenancy.
- Property and tenancy records — inspection reports, repair history, complaints.
- Emergency contacts — names and contact details of family members or others.
Some of this data is "special category" data attracting heightened protection — information about health, religious belief, ethnic origin, political opinions, trade union membership, sexuality, or biometrics. Landlords occasionally encounter special category data (medical information relating to a tenant's disability, for example) and must process it only on specific legal bases that go beyond the general bases for ordinary personal data.
The six legal bases for processing
Every processing operation must have a legal basis under Article 6 of the UK GDPR. The six available bases:
- Consent — the data subject has given clear, freely-given, informed, specific consent.
- Contract — processing is necessary to perform a contract with the data subject or to take pre-contractual steps at their request.
- Legal obligation — processing is necessary to comply with a legal obligation (e.g. right-to-rent checks under the Immigration Act 2014).
- Vital interests — processing is necessary to protect someone's life.
- Public task — processing is necessary for tasks in the public interest (rare for landlords).
- Legitimate interests — processing is necessary for the controller's legitimate interests, where these are not overridden by the data subject's rights.
In landlord contexts, the most commonly relied-on bases are:
Contract. Processing necessary to perform the tenancy agreement — collecting rent, sending notices, arranging repairs, communicating about the tenancy. The "necessary to perform the contract" basis covers most ordinary tenancy operations.
Legal obligation. Right-to-rent checks under the Immigration Act 2014, deposit protection prescribed information under the Housing Act 2004, gas safety record service under the Gas Safety Regulations 1998, and similar statutory obligations.
Legitimate interests. Tenant referencing, credit checks, screening of prospective tenants, retention of records after the end of the tenancy for limitation period purposes. Each case requires a "legitimate interests assessment" balancing the landlord's interest against the data subject's rights.
Consent is generally a poor basis for landlord operations because it can be withdrawn at any time. Where consent is the only basis, withdrawal terminates the lawful basis to continue processing — leaving the landlord scrambling for an alternative. Better to use contract or legitimate interests as primary bases and rely on consent only where genuinely free choice is meaningful.
The data protection principles
Article 5 of the UK GDPR sets out principles that must apply to all processing:
- Lawfulness, fairness, and transparency. Process lawfully (with a legal basis), fairly (without misleading or harming the data subject), and transparently (with clear information to the data subject about the processing).
- Purpose limitation. Collect data for specific purposes and don't use it for incompatible purposes.
- Data minimisation. Collect and retain only what is necessary.
- Accuracy. Keep data accurate and up-to-date; rectify inaccuracies promptly.
- Storage limitation. Don't keep data longer than necessary.
- Integrity and confidentiality. Process securely.
- Accountability. Demonstrate compliance.
These are not abstract principles. The Information Commissioner's Office (ICO) examines landlord conduct against them when investigating complaints, and breach of the principles supports civil claims by data subjects.
Privacy notices
Article 13 requires data controllers to provide specified information to data subjects when collecting their data. For landlords, this means a "privacy notice" given to prospective and actual tenants covering:
- The identity and contact details of the landlord.
- The purposes for which data will be processed.
- The legal basis for the processing.
- The legitimate interests pursued (where that is the basis).
- Recipients or categories of recipients.
- How long data will be retained.
- The data subject's rights and how to exercise them.
- The right to lodge a complaint with the ICO.
Most landlords meet this requirement through a privacy notice provided at the start of the application process and (often) included as a schedule to the tenancy agreement. Template privacy notices for landlords are available from the National Residential Landlords Association and similar bodies; they need to be tailored to the specific operations of the landlord.
Data subject rights
The UK GDPR gives data subjects substantial rights including:
- The right of access. A "subject access request" entitles the data subject to a copy of their personal data within one month.
- The right to rectification. Inaccurate data must be corrected on request.
- The right to erasure. Data must be deleted in defined circumstances ("the right to be forgotten").
- The right to restrict processing. Processing must be paused in defined circumstances.
- The right to data portability. Data must be provided in a portable format on request.
- The right to object. Processing based on legitimate interests must stop on request unless the controller can establish overriding legitimate grounds.
Subject access requests are the most common in landlord contexts. A current or former tenant requesting "all data you hold about me" must receive a copy of every personal data record within one month. The information must be provided free of charge for routine requests; manifestly unfounded or excessive requests can be refused or charged a reasonable fee.
Retention periods
Storage limitation requires data to be retained only for as long as necessary. Landlord operations involve several different retention periods:
- Right-to-rent records: for the duration of the tenancy plus 1 year (Home Office expectation).
- Tenancy agreements and amendments: typically 6 years from the end of the tenancy (limitation period for contract claims).
- Deposit records: for the duration of the deposit being held plus a reasonable period after return (typically 6 years).
- Repair and maintenance records: typically 6 years (limitation period for personal injury claims under tort).
- Gas safety records: minimum 2 years under the Gas Safety Regulations 1998; best practice 6+ years.
- Tenant referencing data not leading to a tenancy: typically 6 months unless retained for specific purposes.
- Email correspondence: follow contract retention (6 years) for substantive correspondence; shorter for routine queries.
Records relating to ongoing or potential disputes may need to be retained longer — the landlord's legitimate interest in defending claims usually justifies extension until the limitation period for any related claim has expired.
Data security
Article 32 requires controllers to implement "appropriate technical and organisational measures" to ensure security. For landlords this typically means:
- Encrypted storage for digital records — not just on the landlord's computer but on backups, mobile devices, and any cloud storage used.
- Strong access controls — passwords, two-factor authentication, limited sharing of credentials.
- Secure transmission of data — encrypted email for sensitive materials, secure file transfer for ID documents.
- Physical security for paper records — locked filing cabinets, restricted access.
- Disposal procedures — secure shredding for paper, secure deletion for digital files.
A breach occurring because of inadequate security can result in:
- ICO investigation and enforcement action — fines, monetary penalty notices, undertakings.
- Civil claims by affected data subjects — compensation for distress, costs of credit monitoring, costs of identity protection.
- Reputational consequences affecting future tenant relationships and HMO licensing applications.
Breach reporting
Where a data breach occurs and is likely to result in a risk to the rights and freedoms of natural persons, it must be reported to the ICO within 72 hours. Where the risk is high, the affected individuals must also be notified.
"Breach" is broadly defined and includes accidental disclosure (sending tenant data to the wrong recipient), unauthorised access (theft of a laptop containing tenant records), unauthorised alteration, and accidental loss. Landlords should have a written breach response procedure documenting the steps taken when a breach occurs.
Practical compliance for typical landlords
A landlord operating professionally on data protection:
1. Provides a privacy notice to every prospective and actual tenant, tailored to their operations.
2. Maintains a documented retention schedule identifying what data is held, why, and for how long.
3. Stores data securely — encrypted digital records, secure paper files, and proper disposal procedures.
4. Responds promptly to subject access requests — within the one-month statutory deadline.
5. Has a breach response procedure — written, tested, ready to use within the 72-hour reporting window.
6. Reviews periodically — annual review of processing activities, retention practices, and security measures.