Every landlord is a data controller. The moment you take a reference, copy a passport for a Right to Rent check, hold a tenant's bank details for rent, or keep an arrears history, you are processing personal data — and the UK GDPR (as amended by the Data (Use and Access) Act 2025) and the Data Protection Act 2018 apply to you just as they do to any business.
Most landlords have never thought about it, and the Information Commissioner's Office (ICO) is not knocking on doors over a single buy-to-let. But data protection surfaces at exactly the wrong moments — a disgruntled ex-tenant sends a subject access request, a referencing email goes to the wrong address, or a deposit dispute turns on records you should not still be holding. This guide covers what you actually have to do.
Guidance, not legal advice. Fees and thresholds change — confirm anything material on ICO.org.uk or GOV.UK before you rely on it.
Do I have to register with the ICO (and pay the fee)?
Probably yes. If you process tenant personal data electronically for your letting business — keeping records on a computer or phone, using referencing or rent software, receiving tenancy documents by email — you generally must register with the ICO and pay the annual data protection fee.
Check the current fee and register on the ICO's own site; it takes a few minutes.
Your lawful basis — pick the right one
UK GDPR says you need a lawful basis for each type of processing. You do not rely on "consent" for most of it — that is the biggest landlord misconception. The bases that actually fit letting are:
Getting the basis right matters because it determines the tenant's rights and what you must say in your privacy notice.
The privacy notice
You must give every tenant (and ideally every applicant) a privacy notice at or before the point you collect their data. In plain English it tells them: who you are, what data you hold, your lawful basis, who you share it with (referencing agency, deposit scheme, contractors, the local council, HMRC), how long you keep it, and how to exercise their rights.
It is a one-off document you can reuse across tenancies, issued with a dated email so you can prove you provided it. If your notice relies on legitimate interests, it must say so and summarise your LIA. See our tenant privacy notice guide for a landlord-ready template and the exact fields to include.
How long should you keep tenant data?
The UK GDPR sets no fixed retention period — the principle is that you keep data only as long as you have a reason to. In practice:
"Keep everything forever" is not caution, it is a liability. Set a retention point and stick to it.
Subject Access Requests (SARs)
A tenant (or ex-tenant, or even a failed applicant) can ask for a copy of all the personal data you hold about them. This is a subject access request, and you must:
SARs spike during disputes — an arrears case or a deposit row often triggers one. The landlords who handle them calmly are the ones whose records are organised, dated and defensible in the first place. You can redact third parties' personal data, but you cannot withhold a tenant's own data because the relationship soured.
Right to Rent and special-category data
Right to Rent checks make you copy identity and, in effect, immigration-status documents — some of the most sensitive data you will ever hold. Store copies securely (encrypted or locked away, not in an open shared drive), restrict who can see them, and delete them on the retention timetable above. Collect only what the check requires; do not keep a tenant's full immigration history "just in case".
CCTV at the property
If you install CCTV covering the communal areas of an HMO or a block, GDPR applies to the footage. You need a lawful basis, clear signage telling people they are being recorded and why, a sensible retention period (often around 30 days), and you must not point cameras into anyone's private space — a tenant's room, or through a window. For anything beyond a modest communal camera, a short Data Protection Impact Assessment (DPIA) is expected. Covert recording of tenants is almost never lawful.
Data breaches — the 72-hour rule
A data breach is not just a hack — it includes emailing a rent statement to the wrong tenant, losing a laptop with tenancy files, or a referencing document going astray. If a breach is likely to risk people's rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it, and tell the affected people if the risk is high. Keep a short internal log of every breach, even the ones you decide are low-risk and do not report — the ICO expects you to be able to show your reasoning.
The common mistakes
How LetCompliance fits: the platform is built to make this the default rather than a project — a reusable tenant privacy notice, secure document storage for Right to Rent and referencing files, a dated audit log of what was sent and when (useful evidence if a SAR or complaint lands), and structured records you can actually search when a request comes in. It does not replace registering with the ICO or taking advice on a specific dispute, but it removes most of the day-to-day ways landlords slip up.
Sources
2026 UK Landlord Compliance Cheat Sheet
Every Gas Safety, EICR, EPC, deposit and Right to Rent deadline on one printable A4 page. Updated for the Renters’ Rights Act 2025.
- Every UK statutory deadline by document type
- Maximum penalty per breach (HSE, MEES, RtR, deposit)
- What blocks a Section 8 / Form 6A possession claim
- Print-friendly A4 with checkboxes
Frequently asked questions
Do landlords have to register with the ICO?
Usually yes. If you process tenant personal data electronically for your letting business — referencing, rent software, tenancy documents by email — you generally must register with the ICO and pay the annual data protection fee. It is tiered from about £52 to £3,763; almost every private landlord is in the lowest tier (around £52, with a small direct-debit discount). Confirm the current fee on ICO.org.uk.
What is my lawful basis for handling tenant data?
For most letting activity it is contract (running the tenancy) and legitimate interests (referencing, chasing arrears, keeping records to defend a claim) — for which you should record a short Legitimate Interests Assessment. Right to Rent checks and keeping tax/safety records are legal obligation. Reserve consent for genuinely optional things like marketing, not for anything you need to run the tenancy.
How long can a landlord keep tenant data?
There is no fixed limit — keep it only while you have a reason to. In practice the tenancy plus about six years is the accepted default (the contract limitation period and HMRC record-keeping both point to six years). Keep Right to Rent copies for the tenancy plus one year, then delete, and delete unsuccessful applicants' data promptly.
What is a subject access request and how long do I have to respond?
A subject access request (SAR) is a tenant, ex-tenant or applicant asking for a copy of the personal data you hold about them. You must respond within one calendar month (extendable by up to two months for complex requests), usually free of charge. You can redact third parties' data, but you cannot refuse because the relationship soured.
