
Lock up your data!

The General Data Protection Regulation (GDPR) is imminent – the new regulations come into force on 25th May. Workshops are filling up, consultants’ diaries are blocked out, yet, says Andrea Kirkby, some agents haven’t started preparing for compliance.

Andrea Kirkby


Richard Jones of Foregenix believes the fact that most advice on the regulations has been tailored for larger companies hasn’t helped. “The danger is that smaller businesses were put off doing it because they couldn’t get their heads round it,” he says.

You need to look at where you collect data – the phone, the website, people who come into the office – document all those data processes. Daniel Lack, Growth Track.

Daniel Lack, at Growth Track, who is on the email marketing council of the Direct Marketing Association, says small businesses can’t do everything. “In a small business, data protection isn’t something you learn about. You learn everything about estate agency, whatever you need to do your job well, but no-one’s giving data privacy lessons, and if you’re running your business you don’t have time to learn about it.” It’s understandable that small agents are stymied – but compliance is still expected.


Reapit’s GDPR workshops have been fully booked. Daniel Hare says some agents have been working on GDPR for months and are just looking for confirmation they’re on the right track, while others admit they haven’t done anything yet and are hoping Reapit can help. “If you have left it late,” he advises, “don’t just stick your head in the sand! You still have time to get started.”


It will be a slog, he says. “There’s no getting around it, it’s a lot of work, but it can be prioritised. The area at highest risk is marketing, so start there, but remember GDPR touches every area of the business.” Working out the legal basis on which you’re marketing, putting good consent processes in place, and updating the privacy policy come first. Probably the next most important area is vetting contractors and suppliers such as EPC assessors, CRM companies, conveyancers and maintenance firms for compliance with GDPR – if they lose or misuse customer data, you’re responsible.

Forget what people say about GDPR – that it’s about mailing lists, or the right to erasure, or opt-ins, or only about customers. It’s all about personal data, including staff, customers and marketing contacts, and as Richard Jones advises, “The most important thing is to get your head round what data you have”. He says businesses need to ask basic questions: “What personal data do you need to acquire – including what data may be required legally – how you use it, how you’re storing it, and how are you protecting it. And also, could you find it, if someone wanted you to find it?” A small agency, he reckons, could get this job done over a weekend if they really put their heads to it. But he warns, “You have to look under the bonnet.” It’s not always easy to find the data, particularly if it’s held on several different systems.


Documentation of data collection and processing is crucial to achieving GDPR compliance. Data collection is often a mess since data can come through so many channels. Daniel Lack says, “You need to look at where you’re collecting data from: the phone, the website, from people who come into the office. Document all those data processes. Then look at what you do with that data. You’ll be more relaxed because you’ll know what you’ve got, you can show the ICO that you made an effort.” He suggests that setting up a preference centre, where contacts can use your web portal to choose which email lists they want to be on, can help ensure compliance. When leads come in from portals, he says the simplest methods are best. “Pick up the phone, tell them about the property, ask if they’d like to go on your list”. That needs to be written into the job manual. “You need processes that are fluid, but robust,” he says.

In future, he warns, “You have to keep on top of your data.” That’s removing people from lists when they ask, or when you know they’re no longer interested, when they’ve bought or rented a property.


Most software suppliers are already helping their customers with GDPR compliance, for example, Dezrez has several articles on its website, taking you through the main points and translating the formal text of the regulations into plain English – which really does help – and focusing on the elements of the regulations that are most likely to apply to estate and letting agencies.

The first thing a data controller should do is to create a staff awareness programme. Unless they all understand the concepts behind GDPR, they won’t be able to do the job properly. Paul Davies, BriefYourMarket.

GDPR compliance isn’t the kind of task you can hand over to one person. Paul Davies, of BriefYourMarket, says that, “the first thing any data controller should do is create a staff awareness programme.” Unless staff understand the concepts behind GDPR, they won’t be able to carry out the job properly. In particular, all your staff members need to understand what constitutes a data breach (such as theft of client details, or sending documentation to the wrong person by mistake) – so that it can be reported and those affected can be contacted. He does advise though that even where a business is small enough not to be required to appoint a data protection officer, it’s worth upskilling one member of the team to handle compliance.

The privacy policy also needs to be reviewed. Many agents’ websites carry boilerplate policies, but that’s no longer enough; contacts need to be told specifically what data you use, how you use it, and the lawful basis for processing it. It also needs to name third parties who are given access to personal data. “There is no generic one size fits all privacy policy,” Paul Davies says.

He also advises agents to look carefully at basic nuts and bolts like their use of email. “If you use Outlook, are you including sensitive personal data in the body of the email, which is easy for criminals to intercept?” he asks. Using a password protected portal, or password protected attachments, is more secure. (If that doesn’t sound serious, consider the growing number of cases in which emails between vendors, purchasers and their solicitors have been intercepted, and fake bank details sent by hackers to swipe the proceeds.)


Vetting suppliers and other third parties who get access to data is vital. Richard Jones explains, “You’ve got to make sure that those with whom you’re sharing data are contractually covered – that your agreements with them are robust and that they don’t form a weak link in your chain.” If you’re using one-person businesses like photographers, window cleaners or homestagers, they may not even have thought about GDPR.

Finding the appropriate lawful basis for sharing the data is important. In some cases, it will be based on consent, in others, it will be contractual. For instance, referral to a conveyancer will usually be based on consent, as it’s part of your marketing; sending the vendor’s details to a purchaser’s conveyancer, on the other hand, is part of sales progression, so the lawful basis is contractual.

Being ready to explain to clients exactly how you use their data will become increasingly important.

While some agents haven’t really got started on GDPR compliance, others have, but are making errors in implementation. For instance, Daniel Lack says, some of them are just emailing everyone they have ever dealt with asking for opt-ins to the mailing list. Daniel Lack warns, “Sending round an opt-in email is very dangerous. You can’t break existing data privacy laws to comply with GDPR.” You can send a re-permissioning email if consent has not been adequately recorded, but not if there was no original consent to receive marketing mails.

It’s worth noting that both Flybe and Honda Motor Europe have been fined by the ICO for breach of the Privacy and Electronic Communication Regulations for just this kind of email campaign.

Other agents have decided on root and branch data deletion to make their task simpler. But Daniel Hare warns that some data (like AML data or right to rent data) is required to be held for a defined period. “Just getting rid of the data isn’t the answer,” he says, “you need to think about the bigger picture. I’d rather have the ICO after me for infringement than the Inland Revenue!”


GDPR has to be done, but can you get some value out of it, too? Jenna Tiffany, Founder & Strategy Director at Let’s Talk Strategy, thinks so. “GDPR provides an opportunity to take a long hard look at what you’re already doing,” she says. Getting processes shipshape allows businesses to adjust to future changes, whether in the law (for instance, the privacy regulations will be changing early next year) or in the business, such as outsourcing CRM or engaging new social media.

There’s been a huge change in the perception of the value of an email marketing list, but there’s too much interest in the vanity number. Jenna Tiffany, Let’s Talk Strategy.

Getting rid of old and useless personal data can be quite liberating. Richard Jones says one of his colleagues refers to ‘ROT’ – redundant, obsolete and trivial. “Many businesses have a propensity to hoard stuff – a fear of getting rid of it,” he explains. “But you have to get a little bit more ruthless. You hoard it thinking it’s an asset, but under GDPR it becomes a liability.”

That can deliver a much better quality mailing list. Jenna Tiffany believes GDPR is a great opportunity to refresh contact with the email base, and it’s a great talking point, if handled properly, showing customers you care about their privacy and their choices. “Re-targeting people can be a really effective marketing tactic,” she says. She points out, though, that you need to apply common sense, or you end up with nonsense like Amazon sending a customer who bought a toilet seat an email offering a splendid choice of “twenty other toilet seats like the one you bought”.

She believes a smaller, more engaged marketing list will always beat a big one stuffed with inactive names. “There has been a huge change in the perception of the value of an email marketing list, though there’s still too much interest in the vanity number,” she says; “GDPR will change the mentality from quantity to quality.”

Nick Jeffrey, Chief Marketing Officer at ActivePipe, also thinks GDPR can be “a fantastic opportunity to clean your database, and a chance to refresh your customers and nurture your leads.” While some businesses hold far too much data, others don’t hold enough; ActivePipe’s products include a data discovery survey that asks contacts to specify where they are in the property market – just browsing, upsizing, downsizing, looking for investment properties?

He points out that gaining consent – both for email marketing and for tracking individuals’ use of your web site – is easier if you can show a benefit to the customer, such as reminding them of open house dates, or showing them properties similar to ones they’ve looked at before. If you know someone has looked at a particular property several times, “that enables a rich conversation,” he says; “I can tailor my conversation to be more relevant.”


The downside of not being ready for GDPR isn’t the possibility of being fined by the ICO; it’s much more serious than that, as the Facebook/Cambridge Analytica affair shows. Jenna Tiffany says after the news broke, “#deletefacebook was trending the following day. Immediately, consumers stopped trusting Facebook.” While consumers might not know exactly what GDPR is about, if they feel their personal data has been compromised or misused, a business’s reputation will suffer.

Being ready to explain to customers exactly how you use their data, without jargon or small print, will become increasingly important as customers wise up to data protection. GDPR treated purely as box-checking compliance won’t achieve that; but GDPR done properly is a step on the way to gaining consumer confidence.

While small estate agents probably aren’t top of the ICO’s list for enforcement, it would be wrong to be complacent about getting compliant, or at least, having made good progress towards compliance by the due date. For a start, Richard Jones says, agencies need to document what they’re doing to become compliant and try to toe the line as best they can, even if it’s not perfect. But, he says, “the big commandment is ‘don’t p*ss people off’ and don’t make them complain”. If the ICO gets a complaint, they will investigate and you’ll have to defend yourself. Being able to show that you tried might not avert enforcement action and a fine, but it might mitigate the severity of the fine.

It’s also worth noting that GDPR guidance is continually being produced and the interpretation of the regulations could well evolve as they bed in. For Daniel Hare, compliance is a journey that will start, rather than end, on May 25th and that’s after Reapit has spent a year-and-a-half working on GDPR and over £1m on new IT infrastructure.

Can you get from a standing start to compliance in short order? IBM or Facebook probably couldn’t. But Daniel Hare says, “For the smaller agent, you don’t have so much complexity within the business, so you have a good chance.” But, he stresses, it all depends on getting your data audit done, and getting started as soon as possible.

May 22, 2018
