GDPR Compliance for Letting Agents: A Practical Guide
Letting agents hold some of the most sensitive personal data around: identity documents, immigration status, financial and referencing information, sometimes data about children and health. That makes GDPR compliance for letting agents a core duty, not an afterthought. This guide covers the practical essentials under UK GDPR and the Data Protection Act 2018.
This is general information, not legal advice. For complex processing or a data breach, take specialist data-protection advice.
Register with the ICO
If you process personal data — which every letting agent does — you almost certainly need to pay the data protection fee and register with the Information Commissioner’s Office (ICO). The fee depends on your size. Keep your registration current.
Get your lawful basis right
You need a lawful basis for each processing activity. For lettings the common bases are:
- Contract — taking steps to enter into or perform a tenancy (referencing an applicant who has applied, managing the tenancy).
- Legal obligation — Right to Rent checks, AML and sanctions screening, safety duties.
- Legitimate interests — fraud prevention, recovering debts, limited marketing to existing clients (with a balancing test).
Avoid defaulting to consent for core activity — it can be withdrawn and is rarely appropriate where you have another basis.
Referencing, Right to Rent and special data
Identity and immigration data gathered for Right to Rent, and any special-category data (such as health information in a reasonable-adjustment request), need extra care: collect the minimum, restrict access, and do not retain copies longer than the law requires.
Data minimisation and retention
- Collect only what you need, and tell people what you do with it in a clear privacy notice.
- Delete unsuccessful applicant data promptly.
- Keep a documented retention schedule — including the set retention periods for AML records.
- Be ready to handle subject access requests within the statutory timescale.
Breaches
A personal data breach that is likely to pose a risk to people’s rights must be reported to the ICO without undue delay and within 72 hours where feasible. Keep an internal breach log even for incidents you do not report.
How Vantage helps
Vantage keeps compliance data and documents in one access-controlled, audit-logged place with encrypted document storage, so you hold less data in scattered inboxes and spreadsheets and can evidence who accessed what. It sits within the broader letting agent compliance picture alongside AML duties.
Frequently asked questions
Do letting agents need to register with the ICO?
Yes. Letting agents process personal data and almost always need to pay the data protection fee and register with the Information Commissioner's Office (ICO). The fee tier depends on the size of the business. Failure to register when required can itself attract a penalty.
What is the lawful basis for processing tenant data?
Most letting-agent processing relies on 'contract' (steps to enter or perform a tenancy), 'legal obligation' (Right to Rent, AML, safety duties) or 'legitimate interests' (referencing, fraud prevention). Consent is rarely the right basis for core lettings activity and should not be the default. Special-category and criminal-offence data need additional conditions.
How long can a letting agent keep applicant data?
Only as long as necessary for the purpose. Successful tenancy records are typically kept for the tenancy plus a period to handle disputes and meet legal duties (for example AML records have set retention periods). Unsuccessful applicant data should be deleted much sooner. You should have a documented retention schedule rather than keeping everything indefinitely.