
Residential Property: Top 5 Data Protection Tips

The top 5 data protection considerations for those involved in the residential property and housing market, including landlords and managing agents

1. Get the basics right – including privacy notices

  • Whether you are a landlord, a managing agent or another service provider, if you use, store or share personal data (including information relating to your tenants), you will very likely be subject to UK data protection law (primarily, the UK GDPR) as a data controller (for example, landlords in relation to tenant data they hold) or a data processor (for example, managing agents in relation to tenant data they hold on behalf of the landlord).
  • For example, a landlord or managing agent may hold image data collected by their CCTV systems, contact details and financial data of their tenants, or potentially biometric data or marketing preferences if technology-enabled entrance systems or property management apps are used.
  • Taking active steps to comply with the UK GDPR may be considered an expensive and daunting distraction. However, ignoring its requirements is a risky strategy.
  • At the very least, basic compliance and security measures should be taken. Addressing certain ‘easy-win’ public-facing compliance measures can go a long way to stave off unwanted scrutiny.
  • Examples include: (a) ensuring that controllers have appropriate privacy notices drafted and made available and (b) ensuring that employees who have regular or permanent access to personal data are made aware of their responsibilities, including through appropriate training.

2. Use of CCTV

  • CCTV may capture personal data of tenants, people visiting a property or those who work there. The use of CCTV in communal areas and publicly accessible areas (inside or outside) will likely be subject to the UK GDPR.
  • As such, care should be taken to ensure that signs are clearly displayed to inform individuals that CCTV is in operation. Its use should then be explained in further detail in relevant privacy notices, including details of how the data will be recorded, used, stored and retained.

3. Subject access requests

  • Related to the above point, individuals who want to exercise their right to access and receive a copy of their personal data can make a data subject access request (DSAR). The UK’s privacy regulator, the Information Commissioner’s Office (ICO), has published detailed guidance on the Right of access under Article 15 UK GDPR.
  • If you are a data controller, you must comply with a DSAR without undue delay and, at the latest, within one month of receiving the request.

4. Security and data breaches

  • If you are a data controller and discover a personal data breach, depending on the seriousness, you may be required to notify the ICO within 72 hours.
  • You must describe the nature of the breach and, where possible, the categories and approximate number of individuals affected, as well as the name and contact details of the Data Protection Officer (DPO) or other contact point for more information, the likely consequences, and the measures taken or proposed and any measures to mitigate its adverse effects.

5. Data processing agreements

  • If you are a data controller (for example, a landlord) who engages a data processor (for example, a managing agent), you will need a written contract covering a number of specific issues, including that the data processor will take appropriate measures to ensure the security of the personal data and act only in accordance with the data controller’s instructions. This is a legal requirement under the UK GDPR.

For more information on the above please contact Marc-Us Ong or your usual Charles Russell Speechlys contact.
