Data Protection for Landlords (GDPR)
Written by Scott Jones, founder of PropertyKiln · Last updated
You are a data controller for every tenant you take on. That brings you under UK GDPR and the Data Protection Act 2018, and usually means you must register with the ICO and pay the annual fee.
"This guide provides general information about UK landlord tax obligations. It is not financial or legal advice. Tax treatment depends on your individual circumstances and may change. Consider consulting a qualified accountant or solicitor for advice specific to your situation."
1. What data you hold and your lawful basis
Typical personal data you hold as a landlord
- Identification: names, addresses, phone numbers, email addresses.
- Financials: bank details, rent payment history, credit reports.
- Employment: employer details, salary, contract type.
- References: previous landlord and employer references.
- Right to Rent: passport/visa copies or Home Office share codes and check records.
- Photos / video: inventory photos, check-out photos, and CCTV covering common areas if you have it.
Lawful basis for processing (UK GDPR)
- Contract: processing needed to enter into and perform the tenancy (AST, collecting rent, managing repairs).
- Legal obligation: Right to Rent checks, safety certificates, HMRC/tax records.
- Legitimate interests: referencing, credit checks, debt recovery, sharing references with a future landlord, reasonable CCTV for security.
You almost never need consent for core landlord tasks and should not rely on it where "contract" or "legitimate interests" is available.
2. Privacy notice and retention: what you tell tenants and how long you keep stuff
You must give tenants a privacy notice (often called a Data Protection Notice) explaining:
- Who you are and how to contact you.
- What data you collect (as above).
- Your lawful bases for each main processing purpose.
- Who you share it with (agents, contractors, deposit scheme, insurers, referencing companies, local authority, DWP/Home Office where required).
- How long you keep each type of data.
- Their rights: access, rectification, erasure (within limits), restriction, objection, data portability, and the right to complain to the ICO.
Retention (headline rules)
- Right to Rent: keep copies of documents for the duration of the tenancy plus 12 months, then destroy securely.
- Financial / tax records: HMRC can look back up to 6 years, so many advisers suggest keeping rent statements and invoices for at least 6 years after the tax year, and often up to 7 years after the tenancy to cover limitation periods.
- References and application forms: keep while they are your tenant and for a reasonable period after (often 6 years) in case of disputes, then delete.
- CCTV footage: keep only as long as needed for security, typically 30-31 days unless you need it for an incident.
Key principle: do not hoard data "just in case". If you no longer need it for a lawful purpose, delete or anonymise it.
3. Subject access, data sharing and CCTV
Subject access requests (SARs)
- Tenants (and former tenants) can ask for all personal data you hold about them, why you hold it and who you share it with.
- You normally have 1 month to respond; you can extend by 2 months if the request is complex, but you must tell them within the first month.
- You cannot charge a fee for normal SARs. You can refuse or charge for manifestly unfounded or excessive requests, but you need to justify that.
Data sharing
- With next landlord: you can share factual reference information (rent paid, conduct, breaches) under legitimate interests, as long as it is fair and not malicious.
- With deposit schemes, local authority, Home Office, DWP, courts, insurers: usually legal obligation or legitimate interests.
- With contractors (plumbers, electricians): only what is necessary (name, address, contact) and ensure they handle it properly.
CCTV and surveillance
Common in HMOs or blocks. Lawful basis is usually legitimate interests (crime prevention, safety).
You must:
- Do a simple legitimate interests assessment / privacy impact assessment (why CCTV, what benefits, what risks, how you minimise them).
- Put up signs saying CCTV is in operation and who to contact.
- Angle cameras to cover communal areas and external entrances only -- no cameras in bedrooms, bathrooms, toilets or through windows into private rooms.
- Limit access to footage and have a policy for how long you keep it (short, typically 30 days).
Hidden cameras or audio recording in living areas are a clear no.
4. ICO registration and fees
If you store or process tenant data electronically (email, referencing systems, bank transfers, spreadsheets, CCTV), you are a data controller and must usually pay the ICO data protection fee.
The ICO confirms that landlords who:
- Produce tenancy agreements.
- Perform credit checks via agencies.
- Hold electronic tenant records.
are within scope and must register.
Fees (2025-26)
- ICO guidance now puts Tier 1 (micro organisations) at GBP 52 per year, usually where turnover is under GBP 632,000 and fewer than 10 staff.
- Most small landlords will be Tier 1. Larger portfolio or agency setups might fall into Tier 2 (small/medium) with a higher fee.
- Failure to register can lead to fines of several thousand pounds and being named on the ICO's enforcement list.
5. Common landlord GDPR mistakes and forum myths
Frequent mistakes
"I am just a small landlord; GDPR does not apply to me." Wrong. If you hold any tenant data electronically, UK GDPR and DPA 2018 apply and the ICO expects you to register and comply.
No privacy notice at all: tenants should be told who you are, what you collect, why, how long, who you share with, and how they exercise rights. Many landlords have nothing in writing.
Keeping everything forever: old applications, ID scans and bank statements from tenancies that ended 10+ years ago. That conflicts with the "storage limitation" principle -- you should have clear retention periods.
Sharing data casually in emails and WhatsApp: sending full reference packs to new landlords without tenant knowledge, or dumping bank details into group messages, can breach fairness, minimisation and security principles.
Over-broad CCTV: cameras pointing into bedrooms or neighbouring gardens, no signage, no policy and footage kept indefinitely.
Forum myths to ignore
"If I only keep paper files, GDPR does not apply." UK GDPR covers structured paper records too, and the DPA 2018 applies regardless. And in reality, you will still email, bank online, or text tenants.
"If my agent is GDPR compliant, I do not need to do anything." Your agent is a data processor and/or separate controller. You still have your own obligations, especially if you keep copies or use CCTV, and may still need to register.
"I need explicit consent for everything." No. For most landlord activities, your basis is contract, legal obligation or legitimate interests. Over-using consent just creates problems when tenants withdraw it.
"SARs can be ignored if the tenant owes money or is being difficult." You must still deal with subject access requests unless they meet the narrow "manifestly unfounded or excessive" test.
