GDPR: General Data Protection Regulations for Estate & Letting Agents

The General Data Protection Regulation (GDPR) becomes law on May 25th, 2018. It will replace the current UK Data Protection Act 1998 and will give individuals far greater protection over what personal data is held on them and how it is used.

GDPR affects all businesses in the UK, the EU and globally if they hold any form of personal data relating to an individual who resides in the EU. This could be as little as a name and an email address. If you hold personal data, then you are liable for that data if it is lost or stolen.

You must ensure that you, and your staff, are aware of where your clients' personal data is held, where it goes and who has access to it. Your current data protection policies should be reviewed sooner rather than later to make sure you have time to make any changes before the deadline.

There are many key points that need to be addressed to become GDPR compliant, too many to cover in this article alone; below are a few that stand out.

Awareness

Key members of staff and decision-makers need to be aware of GDPR and the impact it is likely to have on your business. They should be sufficiently aware of the new regulation so that they can train other staff in compliance. All staff should also be regularly updated on the procedures to follow to keep data secure and on what to do if a data breach is detected.

Know the Information You Hold

Any personal data you hold on an individual will need to be documented if the processing of the data could result in a risk to the rights and freedoms of the individual. You must record:

  • name and details of your organization (and where applicable, of other controllers, your representative and your data protection officer);
  • purposes of the processing;
  • description of the categories of individuals and categories of personal data;
  • categories of recipients of personal data;
  • details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
  • retention schedules; and
  • description of technical and organizational security measures.

You may be required to make these records available to the relevant supervisory authority for purposes of an investigation.

IT Security

IT security is at the forefront of GDPR, and making sure that all your IT equipment is as secure as possible is the best way forward. There are a few best practices that can be implemented with little or no effort to increase security:

  • Ensure that all equipment is up to date with the latest patches
  • Increase password complexity
  • Limit sharing of computers between staff
  • Limit access to company data across the network
  • Lock computers when they are unattended
  • Do not have computers that log in automatically
  • Increase email security
  • Use valid anti-virus software from a leading supplier

Individuals' rights

Some of the main changes in GDPR concern the following rights for data subjects:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure (the right to be forgotten)
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling.

Review your procedures now to ensure they are compliant with individuals' rights, including how you will delete personal data and how you will provide electronic or digital data if a Subject Access Request is made.

Subject Access Requests (SARs)

Under GDPR you will have one month, rather than the current 40 days, to respond to a SAR. Review your SAR procedures now and plan how you will implement the new timescales in your business. You can no longer charge for supplying the data (you can charge a reasonable admin fee if it is a complex request), and if you refuse a request you must inform the subject why it has been refused.

Consent

If you don’t already, you will need to review how you request, record and manage consent, and whether you need to make any changes to your policies. Estates IT will be making changes to contact and registration pages on websites to require positive opt-ins for consent. We are also making a number of changes in PCHomes that will require you to have obtained consent to store personal data. The new regulations also require you to have an uncomplicated way for consent to be withdrawn. Contrary to some misconceptions, you are not required to automatically refresh consent where it already meets GDPR requirements.

Lawful basis for processing personal data

GDPR requires a lawful basis for processing personal data. If a person has requested a service from your business and you take their details and store them during the course of supplying that service, this is a lawful basis for holding the data. However, storing data forever will no longer be allowed, so if you have personal details of old applicants stored in PCHomes with whom you have had no contact for years, now would be a great time to review and clean up your database. As a general rule of thumb, if there has been no contact for 2+ years you should delete the information. However, where you hold details of old tenants or landlords for whom you have financial history or records, this would constitute a lawful basis for holding the data.

Data breaches

GDPR will require data breaches to be notified to the ICO. However, you only need to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals; for example, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

Privacy by design

Data controllers must put technical and organisational measures in place to minimise personal data processing. They must also only process and store data that is necessary. Estates IT are putting measures into place that will enable you to record consent within PCHomes, and to remove or anonymise sensitive personal information where necessary.

Data Protection Officers

This shouldn’t affect the majority of estate agents, as companies who employ under 250 staff have no need to appoint a DPO. If you do want to have an appointed person who deals with GDPR, the consensus is that you shouldn’t call them a DPO, but instead a data protection administrator or similar, as once you have appointed a Data Protection Officer they will be wholly responsible for GDPR at your company.

The penalties for falling short of GDPR compliance are higher than ever, and fines of up to 20 million euros or 4% of annual global turnover have been mentioned. However, in practice this is highly unlikely to happen except in the most severe data breaches. The ICO state on their blog that fines will be proportionate and won’t be issued in the case of every infringement. They also say that if a data breach isn’t likely to result in a risk to people’s rights and freedoms there will be no need to report the breach.

The current Data Protection Act is woefully outdated and the new GDPR is sorely needed. Treat your clients' and staff's data as you would like your own data to be treated by other companies.

Please take the time to read the below links and find out how GDPR affects your business and what you need to do to become fully compliant.

Above all, make sure you understand your own obligations in becoming GDPR compliant, as there is only so much your software provider can do for you. The rest is up to you.
