By using this website, you agree to our use of cookies to enhance your experience.


GDPR Weekly: What security measures do agents need to take?

The General Data Protection Regulation (GDPR) - which replaces the Data Protection Act 1998 - has now become effective and is something which all businesses are expected to comply with.

The new system has now been formally introduced, but this is just the beginning. Going forward, agents will still need to review and maintain their data protection processes in line with the GDPR.

To help you on this road, in association with The ValPal Network, our panel of experts will regularly continue to answer GDPR-related questions.


If you have a question you'd like to ask our experts, please get in touch on press@estateagenttoday.co.uk.

In relation to the GDPR, what additional security measures that need to be taken? What if our staff work from home?

Annemarie Proudfoot, head of customer relations at BestAgent:

In relation to the GDPR, what are the additional security measures that need to be taken? What if our staff work from home?

There are many additional security measures that the GDPR requires in theory for all businesses who hold data. In this context, the most important would be to ensure that your staff are properly trained in the new rules, so that they don’t inadvertently breach them. 

That being said, the most practical and relevant steps for estate and letting agents can be found here. 

Because each agency has its own policies and unique liberties for its staff, our GDPR handbook outlines the most commonly asked questions in a way that should save you from the most common mistakes. Also, it discusses staff education about the GDPR.

Jon Baines, data protection advisor at Mishcon de Reya LLP:

GDPR does not substantially change the requirements regarding security of personal data. Under previous law it was seen as an important factor, and that remains the case.

GDPR says that personal data should be processed "in a manner that ensures appropriate security….including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

To understand what are "appropriate" measures, it is important to be aware of guidance from the Information Commissioner's Office (ICO) on things like carrying out information risk assessments, introducing encryption and having suitable policies in place.

Employers should have a home-working policy, which informs staff what they can and can't do, and they should ensure that policy is publicised and enforced. The actual contents of such a policy will depend on the level of information risk present, but as general good practice it will be likely to recommend carrying documents in sealed and opaque containers (possible lockable ones), ensuring that data is kept locked in a drawer or safe when at home, and making sure that all portable mobile devices are fully encrypted.

It will also be likely to recommend that personal devices are not used, or, if they are, that approved software is used to partition personal use from business use.

Information security has always been an area which attracts scrutiny from the ICO, and fines for when things go badly wrong. There is no reason to think that will be any different under GDPR.

The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Jon Baines.


Bernard George, solicitor for Socrates Training Ltd:

The GDPR does not change your duty to keep information secure, which was already very strict. You certainly need clear rules about staff working out of the office. 

GDPR Weekly: What security measures do agents need to take?The biggest risk is not home working, but people using unencrypted internet connections in public places. Someone nearby with a scanner may be able to read and copy whatever they are doing.

What you can allow depends very much on how sensitive the information is. The mere phone number or email address of a client is no big deal.

But if you are dealing with your firm’s HR records, or banking details, or truly confidential information about clients, you may want to ban it being worked on at all out of the office.

*If you would like to receive further guidance from any of our GDPR experts, please click here

Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.

Angels Media Ltd Legal Disclaimer: 

The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.

While we have made every effort to ensure that the information covered here is correct and up to date, we Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.

Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.


Please login to comment

MovePal MovePal MovePal
sign up