The UK GDPR (the retained version of the EU GDPR, amended by the Data Protection Act 2018) applies to all data controllers and processors in the UK — including private landlords. The scale of processing does not matter: a landlord with one property who stores a tenant's name, address, and bank details on a spreadsheet is processing personal data and is subject to the same legal framework as a large corporate landlord.
Non-compliance carries real risks: ICO fines for failure to register (up to £4,350), enforcement notices for data breaches, reputational damage, and tenant claims for compensation. The obligations are not burdensome for small landlords — but they require basic awareness and a few practical steps.
What personal data do landlords hold?
Landlords typically process the following categories of personal data:
- Referencing data: Name, date of birth, address history, employment details, income, credit check results, and previous landlord references
- Right to Rent documents: Passport copies, biometric residence permits, share codes — these include nationality and immigration status, which are 'special category' data requiring extra care
- Tenancy agreement: Full legal names, contact details, emergency contact details, bank account details for direct debit or standing order
- Maintenance records: Repair requests, inspection reports, contractor notes — these may contain personal information about the tenant's lifestyle, working hours, or access arrangements
- Financial records: Rent payment history, arrears correspondence, deposit deduction schedules
- Communications: Emails, letters, text messages, and call records relating to the tenancy
ICO registration — do landlords need to register?
Most landlords must register with the Information Commissioner's Office (ICO):
- You must register if you process personal data on a computer or in a structured paper filing system — and you do not qualify for a specific exemption
- The main exemptions most landlords might think apply (staff administration, accounts only) are narrow — most landlords who store tenant data on a computer fall outside these exemptions
- Annual fee: Tier 1 (turnover under £632,000, fewer than 10 staff) — £40/year. This covers most private landlords
- Register at ico.org.uk — the self-assessment tool will confirm whether you need to register
- Failure to register when required is a criminal offence — the ICO regularly issues fines of up to £4,350 to unregistered data controllers
- Even if you use a managing agent, you may still be a data controller in your own right — check with the ICO
Lawful basis for processing
Every category of data processing must have a lawful basis under UK GDPR Article 6:
- Contract: Processing necessary to perform the tenancy agreement — rent collection, repairs, deposit protection. This is the primary lawful basis for most landlord data processing
- Legal obligation: Processing required by law — Right to Rent checks (Immigration Act 2014), gas safety records (Gas Safety Regulations), deposit protection (Housing Act 2004)
- Legitimate interests: Processing where the landlord's interest is proportionate and not overridden by the tenant's rights — e.g. credit referencing a prospective tenant, checking references
- You do not need to write the lawful basis into the tenancy agreement, but you must be able to identify it for each processing activity if challenged by the ICO or a tenant
Data retention — how long to keep records
Personal data must not be kept longer than necessary for the purpose it was collected:
- Tenancy agreement and correspondence: 6 years after the tenancy ends (contract limitation period)
- Gas Safety Records: 2 years from the date of inspection (legal minimum — in practice, keep for 6 years)
- Right to Rent documents: 1 year after the tenancy ends — then securely destroy (shred physical copies, delete digital files)
- Referencing data for unsuccessful applicants: No longer than 6 months — delete after that period
- Financial records (rent, deposit): 6 years after the tenancy ends for HMRC tax purposes
- Do not retain data indefinitely 'just in case' — over-retention is a GDPR breach
Responding to Subject Access Requests
Tenants have the right to request all personal data you hold about them:
- A Subject Access Request (SAR) can be made verbally or in writing — you must respond within one calendar month
- Your response must include: confirmation that you hold data, a copy of the data in an intelligible format, the purposes for which it is processed, and the retention period
- You may redact third-party personal data (e.g. a previous landlord's reference) if disclosing it would identify the third party
- You cannot charge a fee for a standard SAR unless it is manifestly unfounded or excessive
- Do not delete or alter data after receiving a SAR — this is obstruction and can be treated as a criminal offence
- If you use a managing agent who holds data on your behalf, co-ordinate the response — the agent may hold data you are not aware of
Frequently asked questions
Do I need to register with the ICO as a private landlord?
Most private landlords who store tenant data on a computer or in a structured filing system must register with the ICO. The annual fee is £40 for Tier 1 data controllers (turnover under £632,000, fewer than 10 staff). Use the ICO's self-assessment tool at ico.org.uk to confirm whether you need to register. Failure to register when required is a criminal offence with a fine of up to £4,350.
How long should I keep a tenant's Right to Rent documents?
Right to Rent documents (passport copies, biometric residence permits, share codes) must be retained for at least the duration of the tenancy, and then for 1 year after the tenancy ends. After that period, they must be securely destroyed — shred physical copies and permanently delete digital files. Retaining copies longer than necessary is a GDPR breach. Keep a record of when documents were destroyed.
What if a tenant makes a Subject Access Request?
You must respond within one calendar month of receiving the SAR. Provide the tenant with copies of all personal data you hold about them, an explanation of why you hold it, and how long you intend to keep it. You can redact personal data about third parties (e.g. the contents of a reference from a previous landlord) if disclosing it would identify the third party. Do not delete or alter any data after receiving the SAR.
Does my letting agent handle GDPR on my behalf?
A letting agent who processes tenant data on your behalf is a data processor — you remain the data controller. You are responsible for ensuring the agent processes data lawfully on your behalf. The management agreement should include a data processing clause specifying how the agent handles tenant data. You cannot outsource your GDPR obligations to the agent — if the agent mishandles data, you may still be liable as the data controller.