Estate agents handle significant amounts of personal data — names, addresses, financial information, identification documents, and more. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 set out how this data must be collected, processed, stored, and disposed of.
Non-compliance can result in enforcement action from the Information Commissioner's Office (ICO), fines of up to £17.5 million or 4% of annual global turnover (whichever is higher), and serious reputational damage.
Are You a Data Controller?
Yes. As an estate agent, you decide why and how personal data is processed in connection with property sales and lettings. This makes you a data controller under the UK GDPR. You must pay the annual data protection fee to the ICO (the fee is tiered by staff numbers and turnover; most estate agents fall into the lowest tiers, historically £40–£60 a year, but check the ICO's current rates) and comply with all of the data protection principles.
The Seven Data Protection Principles
- Lawfulness, fairness, and transparency — you must have a lawful basis for processing data and be open about how you use it
- Purpose limitation — collect data for specified, explicit purposes and do not use it for something incompatible
- Data minimisation — only collect what you actually need
- Accuracy — keep data accurate and up to date
- Storage limitation — do not keep data longer than necessary
- Integrity and confidentiality — protect data with appropriate security measures
- Accountability — demonstrate compliance with these principles
Lawful Bases for Processing
The most relevant lawful bases for estate agents are:
- Contract — processing data to fulfil your agency agreement with a vendor or landlord
- Legal obligation — processing required by law, such as AML identity checks
- Legitimate interests — processing for your business purposes where your interests are not overridden by the individual's interests, rights and freedoms (e.g., sharing property details with genuinely interested buyers); record the balancing test you carried out
- Consent — where no other basis applies, particularly for marketing communications
Practical Compliance Steps
Privacy Notice
Provide a clear privacy notice explaining what data you collect, why, how long you keep it, and who you share it with. This should be given to vendors, buyers, landlords, and tenants at the point you collect their data.
Marketing Consent
If you want to send property alerts, newsletters, or marketing emails, you need consent under the Privacy and Electronic Communications Regulations (PECR), meeting the UK GDPR standard: freely given, specific, informed, and unambiguous, so no pre-ticked boxes. The one exception is the PECR "soft opt-in" for existing customers being told about similar services, provided they were given the chance to refuse when their details were collected. Keep records of when and how consent was given, and provide a simple way to unsubscribe in every message.
Data Sharing
When you share buyer details with a vendor, or pass information to a conveyancer or mortgage broker, ensure you have a lawful basis. Do not share more data than necessary for the purpose.
AML Records
The Money Laundering Regulations require you to keep customer due diligence records, including copies of identity documents, for five years from the end of the business relationship or completion of the transaction. This legal obligation fixes the retention period for those records under the storage limitation principle, but it applies only to the specific data required for AML purposes. Do not retain other personal data longer than necessary.
Data When a Sale Falls Through
If a sale collapses, review what data you still need to retain. Delete buyer data you no longer have a lawful purpose for, remembering that any AML checks already completed must still be kept for their statutory period. Vendor data may need to be kept while the agency agreement remains in effect.
Subject Access Requests (SARs)
Individuals have the right to request a copy of the personal data you hold about them. You must respond without undue delay and within one calendar month, extendable by up to two further months only for complex or numerous requests (and you must tell the requester within the first month). Verify the requester's identity before disclosing anything, and redact other people's personal data (for example, the other party to a transaction) from what you send. Have a process in place for handling SARs before one arrives.
Security
Appropriate security measures include:
- Encrypting laptops, phones, and portable devices
- Using strong, unique passwords and multi-factor authentication on all systems
- Restricting access to personal data to staff who need it, and removing access promptly when staff leave
- Shredding physical documents containing personal data before disposal
- Keeping your CRM and email systems patched, configured with access controls rather than shared logins, and backed up
Data Breaches
If a data breach occurs (e.g., an email sent to the wrong person, a laptop stolen, or a cyber attack), you must assess the risk to the individuals affected. If the breach is likely to result in a risk to their rights and freedoms, you must notify the ICO without undue delay and within 72 hours of becoming aware of it. If the risk is high, you must also inform the affected individuals without undue delay. Record every breach in an internal log, including those you decide not to report and the reasons why, as the ICO can ask to see it.
GDPR compliance is an ongoing responsibility, not a one-off exercise. The ICO website provides detailed guidance specifically for small businesses. If in doubt, seek specialist advice.