Compliance
Mar 2, 2026 · 13 min read

Landlord Data Protection and GDPR Guide UK 2026

Essential guide to GDPR and data protection obligations for UK landlords. Covers lawful basis for processing tenant data, privacy notices, data retention, subject access requests, and ICO registration requirements for 2026.

The Latch Team

Editorial

Every landlord in the UK is a data controller under data protection law. Whether you manage one property or one hundred, you collect, store, and process personal data about tenants, guarantors, contractors, and prospective applicants. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 impose legally binding obligations on how you handle that data, and the penalties for getting it wrong are severe.

Many landlords are unaware that they are likely required to register with the Information Commissioner's Office (ICO) and pay an annual data protection fee. Failure to register is a criminal offence. Beyond registration, landlords must understand lawful bases for processing, privacy notices, data retention limits, and how to respond to tenant subject access requests.

This guide explains every data protection obligation that applies to UK landlords in 2026, with practical steps you can take to ensure compliance. Whether you are a hands-on landlord or you use a letting agent, understanding GDPR is not optional — it is a legal requirement.

UK GDPR and the Data Protection Act 2018

The UK GDPR is the retained EU law version of the General Data Protection Regulation, preserved in UK law after Brexit by the European Union (Withdrawal) Act 2018. Together with the Data Protection Act 2018 (DPA 2018), it forms the UK's data protection framework. The UK GDPR sets out the principles, rights, and obligations for processing personal data, while the DPA 2018 provides supplementary provisions including exemptions and enforcement powers.

As a landlord, you are a 'data controller' because you determine the purposes and means of processing personal data about your tenants. If you use a letting agent, they are typically a 'data processor' acting on your instructions, although agents who make their own decisions about how to use tenant data may also be controllers in their own right.

The seven data protection principles under UK GDPR are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Every data processing activity you carry out must comply with all seven principles.

The UK GDPR applies to all landlords regardless of size. There is no small landlord exemption. Even if you rent out a single property, you are a data controller and must comply with all seven data protection principles.

ICO Registration Requirements

Most landlords are required to register with the Information Commissioner's Office (ICO) and pay an annual data protection fee. The fee is determined by your turnover and number of employees. For most individual landlords, the fee is £40 per year (Tier 1: organisations with turnover up to £632,000 and fewer than 10 employees). Larger operations pay £60 (Tier 2) or £2,900 (Tier 3).

Registration is done through the ICO's online portal and takes approximately 10 minutes. You will receive a registration number that is publicly listed on the ICO's register. You must renew your registration annually.

Failure to pay the ICO data protection fee when required is a criminal offence. The ICO can issue a fixed penalty notice of up to £4,350. Check the ICO's self-assessment tool at ico.org.uk to confirm whether you need to register.

There are limited exemptions from the fee requirement. If you only process personal data for the maintenance of a public register, or for staff administration, or for advertising, marketing, and public relations in connection with your own business, you may be exempt. However, processing tenant data for the purposes of managing a tenancy goes beyond these exemptions, so most landlords will need to register.

| Tier | Turnover | Staff | Annual Fee |
|---|---|---|---|
| Tier 1 | Up to £632,000 | Fewer than 10 | £40 |
| Tier 2 | Up to £36 million | 10-249 | £60 |
| Tier 3 | Over £36 million | 250+ | £2,900 |

Lawful Bases for Processing Tenant Data

Under UK GDPR, you must have a lawful basis for every processing activity. There are six lawful bases, but landlords most commonly rely on three: contract performance, legitimate interests, and legal obligation.

Contract Performance (Article 6(1)(b))

You can process tenant data where it is necessary for the performance of the tenancy agreement. This covers collecting tenant names, contact details, bank details for rent payments, and other information directly required to operate the tenancy. This is usually the primary lawful basis for most tenant data processing.

Legitimate Interests (Article 6(1)(f))

You can process data where you have a legitimate interest that is not overridden by the tenant's rights. This might cover referencing and credit checks on prospective tenants, CCTV in communal areas for security purposes, or contacting former tenants about deposit returns. You must carry out a legitimate interest assessment (LIA) documenting your interest, the necessity of the processing, and the balancing test against the individual's rights.

Legal Obligation (Article 6(1)(c))

Some data processing is required by law. For example, Right to Rent checks require you to verify and retain copies of identity documents. Anti-money laundering regulations may require identity verification for high-value transactions. Tax obligations require you to retain financial records.

Consent

Consent is generally not recommended as a lawful basis for landlord-tenant data processing. Because of the power imbalance in the landlord-tenant relationship, consent may not be considered freely given, which would make it invalid under UK GDPR. Rely on contract, legitimate interests, or legal obligation instead where possible.

Privacy Notices for Tenants

You must provide tenants with a privacy notice that explains how you will use their personal data. Under Articles 13 and 14 of UK GDPR, the privacy notice must be provided at the point of data collection — typically when a prospective tenant applies or when a tenancy agreement is signed.

A landlord privacy notice should include the following information:

  • Your identity and contact details (landlord name, address, email)
  • The types of personal data you collect (name, contact details, bank details, employment info, references)
  • The purposes of processing (tenancy management, rent collection, safety compliance, legal obligations)
  • The lawful basis for each processing purpose
  • Who you share data with (referencing agencies, letting agents, contractors, HMRC, deposit schemes)
  • How long you retain data (retention periods for each category)
  • Tenant rights (access, rectification, erasure, restriction, portability, objection)
  • How to make a complaint to the ICO
  • Whether data is transferred outside the UK

Keep your privacy notice in plain, clear English. Avoid legal jargon. The ICO provides template privacy notices on its website that can be adapted for landlords. Include the privacy notice as a schedule to your tenancy agreement or provide it as a standalone document at signing.

Data Retention Periods

UK GDPR requires that personal data is kept only for as long as necessary for the purpose for which it was collected. This means you cannot keep tenant data indefinitely. You must establish and document retention periods for each category of data.

| Data Category | Retention Period | Reason |
|---|---|---|
| Tenancy agreements | Duration of tenancy + 6 years | Limitation Act 1980 (contract claims) |
| Rent payment records | 6 years from end of tax year | HMRC record-keeping requirements |
| Deposit protection records | Duration of tenancy + 6 years | Potential deposit dispute claims |
| Right to Rent checks | Duration of tenancy + 1 year | Immigration Act 2014 requirements |
| Referencing/credit check data | Until tenancy starts or application rejected + 6 months | No longer necessary after decision made |
| Gas/electrical safety certificates | 2 years after expiry | Potential regulatory enquiries |
| Correspondence and complaints | Duration of tenancy + 6 years | Potential legal claims |
| CCTV footage | 30 days (rolling) | ICO CCTV code of practice |
| Unsuccessful applicant data | 6 months after decision | Potential discrimination claims |

The six-year retention period after the end of a tenancy aligns with the limitation period for contract and tort claims under the Limitation Act 1980. After this period, you should securely delete or destroy the data unless there is an ongoing dispute or legal proceeding.

Subject Access Requests (SARs)

Tenants have the right to request a copy of all personal data you hold about them. This is known as a Subject Access Request (SAR) under Article 15 of UK GDPR. You must respond within one calendar month of receiving the request. The response must be free of charge in most cases.

When you receive a SAR, you must provide the tenant with a copy of their personal data along with supplementary information about how it is processed, the purposes, the categories of data, who it has been shared with, and the retention period. You should search all systems where tenant data might be held: email, spreadsheets, property management software, paper files, text messages, and WhatsApp conversations.

You may redact information about third parties from your SAR response if disclosing it would involve disclosing another person's data without their consent. For example, if a neighbour has complained about a tenant, you can redact the neighbour's identity while still providing the substance of the complaint.

You cannot charge a fee for a SAR unless the request is manifestly unfounded or excessive. You also cannot refuse to respond simply because the request is inconvenient. Failure to respond within one month can result in a complaint to the ICO and potential enforcement action.

Practical Steps for Handling SARs

  1. Verify the identity of the person making the request (ask for photo ID if you cannot confirm their identity)
  2. Log the date of receipt — the one-month clock starts immediately
  3. Search all systems and records for the individual's personal data
  4. Review the data and redact third-party information where necessary
  5. Compile the response with the data and the required supplementary information
  6. Send the response securely (encrypted email or recorded post)
  7. Keep a record of the SAR and your response for your own accountability

CCTV and Surveillance

If you operate CCTV cameras at your rental properties, additional data protection requirements apply. The ICO's CCTV code of practice and the Surveillance Camera Commissioner's guidance set out the standards you must meet. CCTV in communal areas of multi-let properties is generally acceptable for security purposes, but cameras must never be placed in areas where tenants have a reasonable expectation of privacy, such as inside individual flats, bedrooms, or bathrooms.

You must display clear signage informing people that CCTV is in operation, the purpose of the cameras, and your contact details. CCTV footage is personal data under UK GDPR, and tenants can make a SAR to obtain copies of footage that includes them. Footage should not be retained for longer than necessary — typically 30 days on a rolling basis unless an incident requires longer retention.

Smart doorbells with cameras (such as Ring or Nest) installed by landlords at rental properties also fall under these requirements. If the camera captures images beyond the property boundary (such as a public pavement), the domestic purposes exemption does not apply and the full weight of UK GDPR applies.

Data Breach Notification

A data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Common examples for landlords include losing a laptop containing tenant records, sending tenant information to the wrong person, having your email account hacked, or a contractor accessing tenant data they should not have.

If a breach occurs that poses a risk to the rights and freedoms of individuals, you must report it to the ICO within 72 hours of becoming aware of it. If the breach poses a high risk, you must also notify the affected individuals without undue delay. Keep a log of all breaches, even those that do not meet the reporting threshold.

The ICO's breach reporting tool is available online at ico.org.uk. You do not need to report every breach — only those that pose a risk to individuals. But you must document all breaches internally regardless.

Penalties and Enforcement

The ICO has the power to issue enforcement notices, reprimands, and fines for breaches of UK GDPR. The maximum fine for the most serious breaches is £17.5 million or 4% of annual worldwide turnover, whichever is higher. For less serious breaches, the maximum is £8.7 million or 2% of turnover.

In practice, fines against individual landlords tend to be in the hundreds to low thousands of pounds, but the ICO has the power to issue much larger fines and has shown willingness to do so against larger organisations. Common enforcement actions against landlords include failure to register with the ICO, failure to respond to SARs within the time limit, and excessive CCTV surveillance.

Beyond ICO enforcement, tenants can bring civil claims for compensation under Article 82 of UK GDPR if they suffer material or non-material damage as a result of a data protection breach. Non-material damage includes distress, which means tenants can claim compensation even without financial loss.

| Offence | Maximum Penalty | Common Range for Landlords |
|---|---|---|
| Failure to register with ICO | £4,350 fixed penalty | £400-£4,350 |
| Failure to respond to SAR | ICO enforcement notice + fine | £500-£5,000 |
| Unlawful CCTV surveillance | Up to £17.5M or 4% turnover | £1,000-£10,000 |
| Data breach (failure to report/notify) | Up to £8.7M or 2% turnover | £1,000-£5,000 |
| Tenant civil compensation claim | Unlimited (court awarded) | £1,000-£25,000 |

Manage Tenant Data Securely with Latch

Latch provides secure, encrypted storage for all tenant data with built-in retention policies, access controls, and audit trails. Stay GDPR-compliant without the paperwork.

Disclaimer: This guide is for information only and does not constitute legal advice. Data protection law is complex and fact-specific. If you are unsure about your obligations, consult a solicitor specialising in data protection or contact the ICO directly. The ICO provides free guidance for small organisations on its website at ico.org.uk.