Skip to main content

The biggest shake-up in data protection regulation in two decades, the GDPR, came into effect on 25 May 2018. Estate agents now have to ensure that they are operating in a compliant manner, making sure their data protection processes, systems, policies, contracts and technologies are aligned with the GDPR.

Competitive estate agents will view GDPR compliance as an opportunity to improve their business continuity and productivity. However, GDPR compliance will also help estate agents avoid sticking their head above the parapet and into the sights of the UK data regulator and enforcer, the Information Commissioner’s Office (ICO).

The aim of the new data protection regulation is to increase data privacy rights for EU citizens in our increasingly digital world, where people feel they have less and less control over their personal data. The UK will continue to enforce GDPR compliance post-Brexit.

Estate agents not yet compliant GDPR will need to focus on several key areas of their business, to make sure they’re protecting themselves, their clients, their employees and other stakeholders and third parties.

Primarily, they’ll need to audit and map existing data so they can demonstrate lawful reasons for processing under the GDPR. Where they cannot do that, the personal data must be deleted. Fundamental to GDPR compliance is proof of compliance. You must be able to track the entire life cycle of all the personal data that you hold and process. And you must delete data as soon as you no longer have an active use for it under GDPR.

Where consent is the lawful process for collecting and processing data – as is the case with direct emails and SMS for marketing – estate agents will need to adjust their privacy policy – also called a privacy notice at the bottom of their emails/messages- so people can understand quickly and simply how they plan to use their data and consent as they wish – or not.

The same applies when someone signs up to your website as a potential buyer or tenant. For GDPR compliance, you must clearly publish your privacy policy and make it as easy to withdraw consent as it is to give it. Note that if someone has signed up solely to receive information on a few properties, you’ll be in breach of GDPR compliance if you then email them your newsletter or event information, for example.

The one exception to that rule is where you have collected personal data in the course of a sale. You are then permitted to send electronic marketing to that person if the content relates to similar goods or services. That’s called a ‘soft opt-in’.

Image with text

But consent is not the only lawful means of processing. You will have a contractual obligation for data handling of tenants, for example. GDPR compliance will also cover, say, property managers who have contact details of everyone living or working in a building, or where images are captured of these people entering and existing the property.

Under the new data protection regulation, anyone whose data you hold has the right to request to see all that data within a reduced period of 28 days. Called a Subject Access Request (SAR), this used to cost a £10 fee to the person requesting it but will now be free.

This and the increase in public awareness of their personal data rights, is likely to increase the number of requests. Estate agents who hold and process personal data on a large-scale should make sure their systems and processes are prepared.

People can also ask you to amend or even delete their data – back-ups and all – under the extended ‘right to be forgotten’ rules. Or ask you to make it present it to them in an electronic format so they can transfer their data elsewhere.

As data controllers, estate agents will now also be responsible for third party processors such as cloud companies, payroll or outsourced managers, for example. GDPR ready estate agents will review and amend contracts and terms and conditions for GDPR compliance.

As well as their website, for GDPR readiness, estate agents will need to review their data reporting capabilities and the robustness of their technology so personal data isn’t at risk of a data breach or data theft through cyberattack or basic poor resilience. This includes infrastructure and systems such as CRM or, for larger businesses, HR and marketing systems.

Larger estate agents are likely to be required to appoint a Data Protection Officer who can help get the business GDPR ready and maintain GDPR compliance.

Image with text

Whatever the size of your business, if you suffer a data breach and personal data is likely to be at risk, under the GDPR this must be reported to the ICO within 72 hours. For serious breaches, the individuals at risk must also be contacted.

Me Learning, in conjunction with specialist data privacy lawyers Clayden Law, has developed a portfolio of flexible, online courses for GDPR compliance. To find out how we can help your business, click here.

Do you have a question?

Whether it’s a technical question or a sales enquiry, our helpdesk and sales teams will be happy to help.