By using this website, you agree to our use of cookies to enhance your experience.
Graham Awards


GDPR compliance - three key questions every agency must answer

There’s been a new warning to estate agents to check they are fully compliant with GDPR regulations following a European case which has sent shockwaves through the industry.

The latest warning has come from The Guild of Property Professionals and follows a similar statement last week by NAEA Propertymark.

Both are reacting to a GDPR breach by German property company Deutsche Wohnen, has led to a fine of 14.5m Euros, or some £12.4m - the largest ever received by a property company. 


Deutsche Wohnen manages 170,000 properties and currently has funds of 600 million to buy an addition 8,000 properties to let – it is made up of 50 separate companies so holds a tremendous amount of personal data.

A statement from The Guild says that while this is very different to a single office estate agency, the principle is the same and the fine provides a timely reminder to ensure effective document retention processes. 

“The exorbitant fine is a stark reminder of how vital it is for estate agents to have procedures in place to avoid a GDPR breach at all costs,” says Paul Offley, In-house compliance officer at The Guild.

“While the [UK] Information Commissioner’s Office has not yet made any formal comment on the ruling, firms need to be pro-active in reviewing their own policies when it comes to data collection and retention. It is imperative that firms clearly set out their retention policy, which should be detailed in their privacy policy. If estate agents, haven’t done so recently, it is a good idea to review their privacy policy and ensure it meets the necessary requirements.”

He adds that when agreeing to retention policy timescales, estate agents need to be mindful of their legal requirement to retain documents, such as the five-year stipulation for anti-money laundering personal data as required under HMRC guidance. 

“At the end of the required retention period, there must be a process in place ensuring that the personal data is confidentially destroyed. Estate agents must ensure this documented and understood by all concerned parties” says Offley. 

“All Data Protection Officers should be responsible for ensuring effective controls relating to bot data retention and disposal.”

According to Offley there are three questions that every estate agency should ask and be able to answer confidently to avoid possible penalties:

    1    What is our retention policy?

    2    What is the process for destroying data at the end the retention period?

    3    How effective is your retention policy?

“If an estate agency does not have the answers to the questions, they need to make changes and get on board before they are faced with a fine that could put them out of business. It is better to learn from other people’s mistakes than to become the lesson” Offley concludes.

  • Wings TWO i IT

    Informative read on the importance of GDPR compliance...


Please login to comment

MovePal MovePal MovePal
sign up