LetCompliance

Navigation

AES-256GDPREU-hostedGOV.UK
Compliance Guide11 min read

Landlord GDPR & Data Protection UK 2026: Complete Guide

Landlords handle a lot of tenant personal data, so UK GDPR applies to you. ICO registration and the data protection fee, choosing the right lawful basis, the privacy notice, how long to keep data, subject access requests, CCTV and breaches.

Landlord GDPR & Data Protection UK 2026: Complete Guide — Quiet UK terraced street in early morning mist
Quiet UK terraced street in early morning mist
Free tool

Free compliance checker

Score any property 0–100 across the 6 statutory areas in under a minute. No signup.

Check a property
Free for 1 property

Keep one rental compliant for free in LetCompliance, no card. Rent, tax and unlimited doors on paid plans.

Start free

Ask an AI about this guide

Opens your assistant with this page as the cited source, so you get an answer grounded in the guide rather than a paraphrase of it.

Share this guide

𝕏

Prefer to watch?

See how it works in 2 minutes

TL;DR — quick answer

Landlords handle a lot of tenant personal data, so UK GDPR applies to you. ICO registration and the data protection fee, choosing the right lawful basis, the privacy notice, how long to keep data, subject access requests, CCTV and breaches.

Every landlord is a data controller. The moment you take a reference, copy a passport for a Right to Rent check, hold a tenant's bank details for rent, or keep an arrears history, you are processing personal data — and the UK GDPR (as amended by the Data (Use and Access) Act 2025) and the Data Protection Act 2018 apply to you just as they do to any business.

Most landlords have never thought about it, and the Information Commissioner's Office (ICO) is not knocking on doors over a single buy-to-let. But data protection surfaces at exactly the wrong moments — a disgruntled ex-tenant sends a subject access request, a referencing email goes to the wrong address, or a deposit dispute turns on records you should not still be holding. This guide covers what you actually have to do.

Guidance, not legal advice. Fees and thresholds change — confirm anything material on ICO.org.uk or GOV.UK before you rely on it.


Do I have to register with the ICO (and pay the fee)?

Probably yes. If you process tenant personal data electronically for your letting business — keeping records on a computer or phone, using referencing or rent software, receiving tenancy documents by email — you generally must register with the ICO and pay the annual data protection fee.

  • The fee is tiered by size and turnover, currently ranging from about £52 to £3,763 a year. Almost every private landlord falls in the lowest tier (around £52), with a small discount for paying by direct debit.
  • The narrow exemptions (for example processing done purely for your own household, or entirely on paper with no computerised records) rarely fit a landlord running a lettings business in 2026.
  • Not registering when you should is itself an offence and can bring a separate penalty — it is a cheap thing to get wrong expensively.
  • Check the current fee and register on the ICO's own site; it takes a few minutes.


    Your lawful basis — pick the right one

    UK GDPR says you need a lawful basis for each type of processing. You do not rely on "consent" for most of it — that is the biggest landlord misconception. The bases that actually fit letting are:

  • Contract — processing needed to perform the tenancy: collecting rent, managing the tenancy, handling repairs. This covers most day-to-day data use once a tenant is in.
  • Legitimate interests — referencing an applicant, chasing arrears, keeping records to defend a possession or deposit claim. This is the workhorse basis, but you must do and record a short Legitimate Interests Assessment (LIA): a purpose test, a necessity test, and a balancing test weighing the tenant's privacy against your interest.
  • Legal obligationRight to Rent checks (Immigration Act 2014), keeping gas/electrical safety records, and retaining tax records for HMRC. You are compelled by law, so this is your basis for those.
  • Consent — reserve this for genuinely optional things, like marketing emails. Consent must be freely given and easy to withdraw, so it is the wrong basis for anything you actually need to run the tenancy.
  • Getting the basis right matters because it determines the tenant's rights and what you must say in your privacy notice.


    The privacy notice

    You must give every tenant (and ideally every applicant) a privacy notice at or before the point you collect their data. In plain English it tells them: who you are, what data you hold, your lawful basis, who you share it with (referencing agency, deposit scheme, contractors, the local council, HMRC), how long you keep it, and how to exercise their rights.

    It is a one-off document you can reuse across tenancies, issued with a dated email so you can prove you provided it. If your notice relies on legitimate interests, it must say so and summarise your LIA. See our tenant privacy notice guide for a landlord-ready template and the exact fields to include.


    How long should you keep tenant data?

    The UK GDPR sets no fixed retention period — the principle is that you keep data only as long as you have a reason to. In practice:

  • During the tenancy plus about six years afterwards is the widely accepted default, because the limitation period for most contract claims is six years and HMRC expects tax records to be kept for around six years too. That window lets you defend a deposit dispute, an arrears claim or a tax enquiry.
  • Right to Rent copies should be kept for the duration of the tenancy and for one year after it ends, then securely deleted — holding immigration documents indefinitely is a data-minimisation breach.
  • Unsuccessful applicants — delete their referencing data promptly (a few months at most). There is no reason to hold the bank statements of someone you did not let to.
  • "Keep everything forever" is not caution, it is a liability. Set a retention point and stick to it.


    Subject Access Requests (SARs)

    A tenant (or ex-tenant, or even a failed applicant) can ask for a copy of all the personal data you hold about them. This is a subject access request, and you must:

  • Respond within one calendar month (extendable by up to two further months for complex requests, if you tell them within the month).
  • Provide it free of charge in most cases — you can only charge for manifestly excessive or repeated requests.
  • Include the data itself plus supplementary information (why you hold it, who you share it with, how long you keep it).
  • SARs spike during disputes — an arrears case or a deposit row often triggers one. The landlords who handle them calmly are the ones whose records are organised, dated and defensible in the first place. You can redact third parties' personal data, but you cannot withhold a tenant's own data because the relationship soured.


    Right to Rent and special-category data

    Right to Rent checks make you copy identity and, in effect, immigration-status documents — some of the most sensitive data you will ever hold. Store copies securely (encrypted or locked away, not in an open shared drive), restrict who can see them, and delete them on the retention timetable above. Collect only what the check requires; do not keep a tenant's full immigration history "just in case".


    CCTV at the property

    If you install CCTV covering the communal areas of an HMO or a block, GDPR applies to the footage. You need a lawful basis, clear signage telling people they are being recorded and why, a sensible retention period (often around 30 days), and you must not point cameras into anyone's private space — a tenant's room, or through a window. For anything beyond a modest communal camera, a short Data Protection Impact Assessment (DPIA) is expected. Covert recording of tenants is almost never lawful.


    Data breaches — the 72-hour rule

    A data breach is not just a hack — it includes emailing a rent statement to the wrong tenant, losing a laptop with tenancy files, or a referencing document going astray. If a breach is likely to risk people's rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it, and tell the affected people if the risk is high. Keep a short internal log of every breach, even the ones you decide are low-risk and do not report — the ICO expects you to be able to show your reasoning.


    The common mistakes

  • Relying on "consent" for everything — most letting data runs on contract or legitimate interests; consent you cannot evidence is worse than the right basis.
  • No privacy notice — the cheapest fix on this list, and the first thing asked for in a complaint.
  • Hoarding data — old applicants' bank statements, ex-tenants' ID copies kept for years. Data you should have deleted is pure downside.
  • Not registering with the ICO — a separate, avoidable penalty.
  • Panicking at a SAR — treat it as routine records retrieval, not an attack.
  • How LetCompliance fits: the platform is built to make this the default rather than a project — a reusable tenant privacy notice, secure document storage for Right to Rent and referencing files, a dated audit log of what was sent and when (useful evidence if a SAR or complaint lands), and structured records you can actually search when a request comes in. It does not replace registering with the ICO or taking advice on a specific dispute, but it removes most of the day-to-day ways landlords slip up.

    Sources

  • ICOData protection fee (real estate sector)
  • ICOA guide to lawful basis and subject access requests
  • GOV.UKData protection and Right to Rent checks
  • Free PDF · instant by email

    2026 UK Landlord Compliance Cheat Sheet

    Every Gas Safety, EICR, EPC, deposit and Right to Rent deadline on one printable A4 page. Updated for the Renters’ Rights Act 2025.

    • Every UK statutory deadline by document type
    • Maximum penalty per breach (HSE, MEES, RtR, deposit)
    • What blocks a Section 8 / Form 6A possession claim
    • Print-friendly A4 with checkboxes

    We only add you to the tips list if you tick the box, and you can unsubscribe in one click.

    Frequently asked questions

    Do landlords have to register with the ICO?

    Usually yes. If you process tenant personal data electronically for your letting business — referencing, rent software, tenancy documents by email — you generally must register with the ICO and pay the annual data protection fee. It is tiered from about £52 to £3,763; almost every private landlord is in the lowest tier (around £52, with a small direct-debit discount). Confirm the current fee on ICO.org.uk.

    What is my lawful basis for handling tenant data?

    For most letting activity it is contract (running the tenancy) and legitimate interests (referencing, chasing arrears, keeping records to defend a claim) — for which you should record a short Legitimate Interests Assessment. Right to Rent checks and keeping tax/safety records are legal obligation. Reserve consent for genuinely optional things like marketing, not for anything you need to run the tenancy.

    How long can a landlord keep tenant data?

    There is no fixed limit — keep it only while you have a reason to. In practice the tenancy plus about six years is the accepted default (the contract limitation period and HMRC record-keeping both point to six years). Keep Right to Rent copies for the tenancy plus one year, then delete, and delete unsuccessful applicants' data promptly.

    What is a subject access request and how long do I have to respond?

    A subject access request (SAR) is a tenant, ex-tenant or applicant asking for a copy of the personal data you hold about them. You must respond within one calendar month (extendable by up to two months for complex requests), usually free of charge. You can redact third parties' data, but you cannot refuse because the relationship soured.

    Run the whole tenancy in LetCompliance

    Advertise, collect rent, score compliance 0 to 100 and prepare your SA105 tax, the whole UK let in one login. Free forever for 1 property, plus 14 days of everything to start. Paid plans from £14.99/month, no card.

    compliance softwarefeaturespricingfree landlord softwareletting agent compliance softwareUK regulations

    Start free