GDPR for Estate Agents

GDPR for Estate Agents. 5 Top Tips

This Month: The Estate Agent…

Welcome to the sixth article in our series of professionally-themed insights for 2019.

Each written with a specific profession or role in mind, they’re packed full of helpful ponderables, tips and advice to make the GDPR work for you in your everyday 9-5.

This month, we’re covering the need-to-knows, good-to-knows and no-nos (!) for all you Estate Agents out there.

We hope it makes your GDPR life that little bit easier.

Dear Estate Agent…

Now that summer’s on its way, the next few months are a popular time for those looking to buy, sell, rent or lease property. And that means you’ll most likely have plenty to be getting on with!

What about your GDPR commitments though? Are you on top of them?

Because – with all the personal data you routinely process as part of your job – the last thing you need during one of your busiest times of year is having to worry about whether your GDPR house in order.

So here’s some basic guidance and gentle reminders on how best to manage your data protection role with clients and landlords…

GDPR Tips for the Estate Agent

Being an estate agent not only involves lots of past, present and prospective clients, it also includes plenty of liaison with other professional agencies.

And, regardless of whether an initial enquiry progresses all the way to a successful sale, purchase or let, that’s a huge amount of data to think about!

Here are some things to consider:

1. Only process information you definitely need

Property transactions generate a huge amount of personal data processing: from basic personal and contact details in the early stages all the way through to banking and passport information (and even health details) at the other end of the process.

In these situations, it can be very tempting to gather as much information as possible, just in case they come in handy and prevent further delays down the line; but if they’re really just supplemental, there’s no need to have them.

Because, remember, you need to be able to justify why you need them.

If you can’t or they’re no longer relevant (e.g. you still have someone’s old contact details), delete them. Simple as that.

Are you collecting or storing any non-essential data?

2. Keep track of everything you process and share

In the same way that there are plenty of buyers and sellers in a property chain, there’s also a huge chain of information that gets passed on to other agencies such as banks, solicitors, conveyancers and landlords.

Yes, it’s done to ensure smooth transactions but it’s still personal data that belongs to others. So, if something happens to it (think data breach), you need to be able to identify exactly what information may have been compromised; or, in the case of a Subject Access Request, be able to declare precisely what data you hold on that person and who else you may have shared it with.

Doing an audit to map all your data is a great way of keeping on top of this – and should record everything from individuals first giving you consent to process their personal information to everything else that you then go on to do with it.

Whether you store it electronically or print and file it the old-fashioned way to keep track, it’s entirely up to you. Just remember that if you store it via a third party, it’s worth checking that their data protection security measures are as stringent as the GDPR recommends – especially if it’s outside the EU.

Do you know exactly what personal data you keep and who else you’ve shared it with?

3. Make sure you’ve informed clients what information you have on them and why, and what else you’ve done with it.

Handling people’s personal and sensitive data is both a huge privilege and responsibility. That’s why data controllers and processors should be nothing less than 100% transparent in what they do with it.

So, if you’ve mapped all your data properly (see #2 above), this part should be relatively easy. Using either your terms of engagement and/or your privacy policy, it should enable you to openly state everything you do with that person’s information: what details you process, why you need them, and what else you’ve done with it all; as well as informing clients of their data protection rights. And, if you’re emailing them regularly, it’s good practice to remind them each time why you’re getting in touch (for instance, about new properties because they consented to receiving those types of marketing emails).

How open and transparent are you with clients on what you do with their data?

4. Encourage and help others show their GDPR-compliance…

Due to you sharing information and collaborating with other agencies, it’s useful to have an appreciation of what good GDPR practice looks like for them too.

Take landlords, for example. How many of those that you work with know that, because they handle tenants’ data, they’re classified as a data controller and should be registered with the ICO? They too need to be GDPR-compliant and handle personal information in an appropriate and lawful manner. And, in the same way that your privacy policy should clearly lay out everything for your clients, they too need to have a landlord privacy policy that they share with all their new tenants.

How much are you encouraging good GDPR practice with others?

5. Even Big Brother is covered by the GDPR!

Finally, here’s something that very few landlords and property managers realise: personal data doesn’t just cover names, addresses and telephone numbers, but also IP addresses and other online identifiers. So, if a building provides free Wi-Fi and collects the IP addresses of all users, it falls under the GDPR.

Similarly, if a property manager holds the contact details of every person working or living there or can monitor individuals’ entry to/exit from the building, they too are governed by the GDPR.

Even the use of CCTV comes under this and needs to be registered with the ICO!

How aware are other professionals you work with of their GDPR responsibilities?

In-the-Know… Summary

The Need-To-Knows

  • Only process data that’s essential to the service you provide. Otherwise, delete it!
  • Be able to demonstrate what data you process and why, and who else you’ve shared it with.
  • Be 100% transparent on what you do with your clients’ data.

The Good-To-Knows

  • Property managers and landlords also have a key GDPR role to play.
  • All landlords must be registered with the ICO.
  • Even public Wi-Fi and CCTV are governed by the GDPR!

The No-Nos!

And whatever you do, please…

  • Don’t dismiss the GDPR or not find time to take it seriously.
  • Retain information ‘just in case’ – even though it’s no longer relevant.
  • Don’t put off asking for help if you need it.

Help and support is only a quick email away

If you’re feeling like the king of your castle with your GDPR responsibilities, smashing – it’s yet another reason why your clients should love you!

However, if the very thought of it all has left you feeling a little ‘flat’ (sorry ?), don’t despair. Despite the fast-approaching silly season, we can help you get sorted in no time.

Just get in touch and we’ll be right round…


Next month in GDPR and The Healthcare Professional

The information and remarks provided in this article represent insight and guidance for best practice which is correct or valid or appropriate at time of publication.

Latest News & Events

What Is a Data Leak and How Do They Happen?

Data leaks are a serious problem for organisations and individuals. In this day and age, individuals freely provide personal information to organisations, therefore a data leak can have a significant impact on both the company and the person. They often involve the exposure of personal data (such as name, address and financial details), with additional damage to the company or organisation in terms of potential financial loss and reputational damage.

Read more

Register for News from Databasix

If you would like to stay up to date with the latest news and events from Databasix please click below, add your details and you will be added to our mailing list.

Contact Databasix

Tel 01235 838507

Databasix UK Ltd
is a registered company in England & Wales
Registration No. 08771007

Harwell Innovation Centre
Building 173
Curie Avenue
Harwell Oxford
OX11 0QG

Supported by Business Resilience secured by OxLEP Business
Supported by Business Resilience secured by OxLEP Business