General Data Protection Regulation is coming

Monday 17 July 2017

As of May 2018, General Data Protection Regulation (GDPR) will apply to all UK businesses.

After four years of preparation and debate, the EU General Data Protection Regulation was finally approved by the EU Parliament on 14 April 2016. Replacing the 1998 Data Protection Act, GDPR will come into force on 25 May 2018 and will directly apply to all European Union member states.

The GDPR has been designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organisations across the region approach data privacy.

With new elements to contend with, it could take months for UK businesses to get ready. That is why it is important to start putting measures into place now, to ensure that you and your business are prepared. Those who are non-compliant by the implementation date could face heavy fines.

What you need to know

This is the biggest shake up to Data Protection since the introduction of the Data Protection Act in 1998, and whilst May 2018 may seem a long way off, it will be here before you know it. The key articles of the GDPR to be aware of are:

  • GDPR will apply to all UK businesses despite Brexit.
  • You must have a valid lawful basis in order to process personal data.
  • Companies will no longer be able to use long illegible terms and conditions full of jargon.
  • Customers will have the right to request confirmation as to whether or not personal data concerning them is being processed and for what purpose. When requested, companies are required to provide a copy of the personal data, free of charge, in an electronic format.
  • Customers have the right to request their data be removed and further distribution ceased in specific circumstances (e.g. where the individual withdraws consent).
  • The collection of online identifiers such as IP addresses, cookies and tags also falls under the remit of 'personal data'.
  • The use of external marketing agencies will require you to have an official written contract to ensure they are fully compliant with the new law.
  • Notifiable data breaches need to be reported to a data protection authority and the people affected within 72 hours, where feasible.

Companies that are not GDPR-ready by May can face fines of up to four per cent of their global annual turnover, and if a notifiable breach takes place and your agency does not inform the supervisory authority within 72 hours, you could be fined up to two per cent of your global annual turnover.

What you need to do

Map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process. Here are 11 steps to take now:

  • Inform the decision makers and key people in your organisation that the law is changing.
  • Document what personal data you hold, where it came from and who you share it with.
  • Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  • Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format.
  • Update your procedures and plan how you will handle access requests and provide any additional information within the new timescales.
  • Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  • Review how you seek, record and manage consent and whether you need to make any changes. You will need to refresh existing consents now if they don’t meet the new GDPR standard.
  • Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  • Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
  • Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
  • If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

Whatever stage of implementation you are at, the ICO has created a self-assessment toolkit to help you evaluate your level of compliance with the new data protection regulations, and find out which areas within your business you need to develop to get ready for GDPR.