The information gathered from your reference checks is all data that is protected under GDPR.
Data such as name, contact info, financial info, tenancy references, credit checks,
You must inform the tenant how you will be storing their data and how long for. You should provide them with a privacy statement outlining how you are going to use and store their data.
The privacy notice should tell people what you expect to do with the information.
For most landlords this will be to take up references and to be able to contact the tenant for the duration of the tenancy.
You should provide this to tenants at the point where you start taking their personal data. For example, when they first apply for your property.
If you have a website, this privacy notice should be available there as well.
Having a privacy notice is important if you are relying on the contractual gateway as your legal basis for processing data - which most landlords will be doing.
For guidance on what to include in a privacy notice, please see the ICO privacy-template.
You should take the below into account when assessing if you are complying with GDPR.
- How the data comes into your possession.
- What the data is. Is some of it sensitive personal data?
- How you store the data.
- Who you share the data with.
- How long you retain the data.
- How you dispose of the data.
The best way to do this is to carry out a data audit. Here is an ICO Data Audit Template from the ICO website.