Landlord GDPR Notices UK: Tenant Data Duties (2026)

We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.

Updated June 2026 · England & Wales
If you let residential property in the UK, you hold personal information about tenants, guarantors and sometimes prospective applicants. That puts you squarely within the scope of the UK GDPR and the Data Protection Act 2018, whether you manage a single flat or a portfolio. A lot of landlords I speak to assume these rules only bite on large agencies, but the legal position is the same: if you decide how and why tenant data is used, you carry duties as a data controller. This page walks through what those duties look like in practice, from auditing the information you already hold to drafting a privacy notice and getting it into tenants' hands. It is written for private landlords who want to get this right without drowning in jargon, and it flags where a short conversation with an experienced legal adviser can help you feel sure about your approach.

What this document is

A landlord's GDPR framework is really a set of connected documents and habits that show you handle tenant information lawfully, fairly and transparently. The central piece is a privacy notice, which is the written statement you give tenants and guarantors explaining what data you collect, why you collect it, how long you keep it, who you share it with and what rights they have.

Behind that notice sits a data audit, which is a practical stocktake of everything you hold, from referencing reports and bank details to right-to-rent copies, deposit scheme records and CCTV footage if you operate any. You will also need a covering letter or email to actually deliver the notice to existing tenants and to include in onboarding packs for new ones.

Together these elements demonstrate accountability, which is the principle the Information Commissioner's Office looks for when something goes wrong. Getting the framework in place once, then refreshing it periodically, is far less painful than reacting to a complaint or subject access request without it.

How to use this document

  1. Map the data you already hold. Work through every place tenant and guarantor information sits, including email inboxes, spreadsheets, paper files, letting agent portals, referencing platforms and deposit scheme accounts. Note what the information is, where it came from, why you have it and how long you have kept it. This audit is the foundation for everything else.
  2. Identify your lawful basis for each use. Under UK GDPR you must have a valid reason for processing personal data. For landlords this is usually a mix of contract (to perform the tenancy), legal obligation (such as right-to-rent checks) and legitimate interests (for example, chasing rent arrears). Record which basis applies to which activity so you can justify it later.
  3. Draft a clear privacy notice. Write a plain-English document covering the categories of data you hold, your lawful bases, who you share information with (referencing agencies, guarantors, HMRC, deposit schemes, contractors), retention periods and the rights tenants can exercise. Avoid legalese where you can: clarity is part of the legal test.
  4. Deliver the notice to tenants and guarantors. Send the privacy notice to everyone whose data you hold, not just new sign-ups. A short covering letter or email explaining what it is and why you are sending it helps avoid confusion. Keep a record of when and how you delivered it, because you may need to prove this later.
  5. Review and update at sensible intervals. Data protection is not a one-off job. Revisit your audit and notice at least annually, and whenever you change letting agents, adopt new software, install CCTV or take on a new category of tenant. If you suffer a data breach, know in advance when you need to report it to the ICO.

If you're dealing with this kind of situation, speak to an experienced legal adviser who can walk you through it — from £89.

Common questions

Q: Do I really need to register with the ICO as a landlord?
In most cases, yes. If you process tenant personal data electronically, which almost every landlord does through email, spreadsheets or property software, you are likely required to pay a data protection fee to the Information Commissioner's Office. The fee tier depends on your size and turnover. Check the current fee and exemption criteria on the ICO website before assuming you are outside the regime.

Q: What counts as personal data in a tenancy context?
Personal data is any information that identifies a living individual, directly or indirectly. For landlords this typically includes names, addresses, dates of birth, employment details, bank information, referencing outcomes, correspondence, right-to-rent document copies, guarantor details and CCTV footage. Some of this, like health information disclosed during a tenancy, counts as special category data and needs extra care.

Q: How long should I keep tenant information after they leave?
There is no single statutory retention period for tenancy records. The general rule is to keep data only as long as you have a lawful reason for holding it. Many landlords retain core tenancy records for around six years after the tenancy ends to cover potential contract claims, then securely delete. Document your retention periods in your privacy notice so your approach is consistent.

Q: What happens if a tenant makes a subject access request?
A tenant can ask for a copy of the personal data you hold about them. You generally have one calendar month to respond, and in most cases you cannot charge a fee. You will need to gather information from all your storage locations, redact third-party details where appropriate and provide it in an accessible format. Having a tidy data audit makes this far quicker to handle.

Q: Am I responsible if my letting agent mishandles tenant data?
You may share responsibility. The legal relationship between landlord and agent is usually controller-to-processor or joint controller, depending on who decides what. You should have a written data processing agreement with your agent setting out their obligations. Even with an agent in place, tenants can still direct complaints and subject access requests to you as their landlord.

Q: Do I need consent from tenants to process their data?
Usually not. Consent is only one of six lawful bases under UK GDPR, and for most landlord activities other bases fit better, such as performing the tenancy contract or meeting a legal obligation. Relying on consent can actually weaken your position because it can be withdrawn. Your privacy notice should explain which basis you rely on for each processing activity.

Q: What should I do if I suffer a data breach?
If personal data is lost, stolen or disclosed without authorisation and there is a risk to the people affected, you generally must notify the ICO within 72 hours of becoming aware. If the risk is high, you also need to tell the tenants concerned. Keep an internal log of all breaches, even those you decide not to report, because the ICO can ask to see it.

Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by Brad Askew, Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.