7 ways to make sure your letting agency is staying compliant with GDPR

2 February 2018

Letting agents need to constantly monitor the way they process and store the personal data of their customers and leads to ensure they're compliant with GDPR.

The General Data Protection Regulation (GDPR) was the biggest upheaval of European data regulations since 1998’s Data Protection Act and it will continue to have an impact on just about every kind of business you can think of, even after Brexit.

How will GDPR affect estate and letting agents?

The repercussions for agencies that don’t could be extremely damaging, with serious violators facing fines of up to €20m or 4% of turnover - whichever is greater. Here are seven ways you can make sure your agency stays compliant with GDPR.

1. Audit your current data

Take the time to run regular, thorough audits of your customer information. What data do you hold and what do you do with it? How is it collected, and who is responsible for it? What data is held explicitly by your agency (local spreadsheets, for example) and what is stored via a third party (such as a cloud-based property management system)?

You need to be able to clearly demonstrate how data flows into, through, and out of your agency, as well as processes for deletion and justification for retention, to ensure you are compliant with the data protection rules for estate and letting agencies.

2. Opt-in forms - record and manage consent

Since GDPR came into effect, it has not been acceptable to present pre-ticked ‘opt in to marketing’ (or unticked ‘opt out’) tick boxes when people choose to provide you with their personal data via your website or a landing page.

People need to explicitly opt in to receiving future marketing communications from you, so make sure your contact forms have an empty checkbox and a corresponding invitation to tick it in order to stay up to date with your news, offers, or anything else in your marketing arsenal.

You will also need to track this consent and be able to demonstrate how and when it was obtained, so ensure that any CRM tool you use is set up to do this.

While an opt-in only approach may lead to a slowdown in mailing list growth in terms of pure numbers, think of the positives - it should ensure that those who do subscribe have a genuine interest in your agency and what you may have to offer.
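As an added example (not code from the original article), the small consent ledger below shows what "record and demonstrate how and when consent was obtained" looks like in practice: it refuses pre-ticked or unticked boxes, stores the exact wording and source alongside a UTC timestamp, and keeps the history when consent is withdrawn. The field names, form identifiers and subject IDs are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    """One opt-in event: enough to show how and when consent was obtained."""
    subject_id: str          # internal lead/tenant id (constructed)
    source: str              # form or page where the box was ticked
    wording: str             # exact opt-in text shown beside the checkbox
    obtained_at: datetime    # UTC time the box was ticked
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self):
        self._records = {}  # subject_id -> list of ConsentRecord

    def record_opt_in(self, subject_id, source, wording, ticked,
                      box_prechecked, at=None):
        # Consent must be an affirmative act: a box the visitor never ticked,
        # or one that was pre-ticked for them, is not consent, so refuse it.
        if box_prechecked:
            raise ValueError("form presented a pre-ticked box; consent invalid")
        if not ticked:
            raise ValueError("checkbox not ticked; no consent given")
        if not wording.strip():
            raise ValueError("opt-in wording must be stored as evidence")
        rec = ConsentRecord(subject_id, source, wording,
                            at or datetime.now(timezone.utc))
        self._records.setdefault(subject_id, []).append(rec)
        return rec

    def withdraw(self, subject_id, at=None):
        # Withdrawal closes open consents but deletes nothing, so the history
        # of how and when consent was held stays demonstrable.
        when = at or datetime.now(timezone.utc)
        for rec in self._records.get(subject_id, []):
            if rec.withdrawn_at is None:
                rec.withdrawn_at = when

    def may_email(self, subject_id):
        return any(r.withdrawn_at is None for r in self._records.get(subject_id, []))

    def evidence(self, subject_id):
        # The record you would produce to show how and when consent was given.
        return [{"source": r.source, "wording": r.wording,
                 "obtained_at": r.obtained_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records.get(subject_id, [])]
```

A CRM that cannot produce the equivalent of `evidence()` for a given contact cannot demonstrate consent, which is the check to run against any tool you rely on.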

3. Secure your website

If your website involves the transfer of any kind of personally identifiable data, it will need an SSL/TLS certificate so that it is served over HTTPS.

So whether it’s a form that a potential tenant can fill out to register for property alerts or live chat support functionality, if your site allows a user to send you their personal information then that data needs to be secure.

4. Take a good look through your filing cabinets

The focus of GDPR is frequently on digital records; however, it is important not to ignore the impact it has on paper documents as well.

One of the key principles of the GDPR is the right to be forgotten - that is, the right for any individual to request the removal of any data an organisation may hold about them when it is no longer relevant ‘without undue delay’.

Can you confidently say you’ll be able to fulfil this obligation?

5. Check your partners and suppliers

They need to be GDPR compliant too. When it comes to the personal information of your customers, you are the data controller.

Chances are, however, that you outsource some of the processing of this data to third party data processors, such as suppliers of cloud-based CRM or property management systems.

You will need to obtain confirmation of their GDPR compliance and ensure any contracts are updated accordingly - the data controller is ultimately responsible for ensuring that the data is processed correctly.

6. Have a breach response plan in place

If the worst happens and you suffer a data breach involving the loss of customer details, you will need to notify the relevant authority within 72 hours. You may also have to let the data subject know ‘without undue delay’ as well, so it’s important that you have a process in place whereby you can fulfil these obligations in a timely manner.

7. Put GDPR at the heart of everything

The GDPR is not just for legal or IT teams to worry about - it’s a responsibility for anyone who handles any kind of personal data, however seemingly insignificant. Because of this, everyone at your agency needs to assess the personal information they capture, how it is used, and where it is held. Under the GDPR there will be no excuse for not knowing about particularly well-hidden data, or about your obligations as a whole.

It's important to note that this article is intended as a guide only. It is not exhaustive and does not constitute legal advice for ensuring compliance with the GDPR. Learn more about staying compliant with GDPR at ico.org.uk.
