General Data Protection Regulations (GDPR)

European Union (EU) data protection laws came into effect from 25 May 2018, impacting businesses and changing how they must hold customer information. The General Data Protection Regulations (GDPR) applies to all UK businesses despite Brexit. Building on UK data protection legislation, GDPR is designed to strengthen data protection for individuals within the EU by handing the power back to the user and providing a ‘right to be forgotten’.

What you need to know about GDPR

To comply with GDPR you need to know what data you collect from people and make sure you can justify exactly why you collect it. You need to be able to evidence that you have obtained consent to collect, manage and store that data.


According to GDPR article 5, the data protection principles require that data should be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


Companies that do not take action risk a fine of up to four per cent of global annual turnover or 20m euros. If a data breach takes place and your agency does not inform the relevant authority within 72 hours, you will face a fine of two per cent of global annual turnover or 10m euros. In order to be compliant you need to be aware of certain key/practical points:

  • Existing and prospective customers will have to provide consent in order for you to legally manage and process data for specific purposes.
  • Existing or prospective customers will have to give consent for the information to be held and used.
  • Companies will no longer be able to use lengthy, illegible terms and conditions full of legalese. Privacy notices must be presented in plain English and be easily accessible.
  • Personal data can be any information which allows an individual to be identified including name, address or any unique identifier used by an organisation.
  • Online identifiers such as IP address, cookies and tags also fall under the remit of personal data.
  • In certain circumstances, individuals will have the right to request their data be removed (the right to erasure) for reasons including withdrawing consent. However, there are a number of exclusions to this, e.g. the defence of legal claims.
  • It is essential that you have written contracts with any third party companies (including referencing agencies and external marketing agencies) who handle data on your behalf. These contracts need to outline the processes that are followed in handling data.
  • Certain types of data breach need to be reported to the relevant data protection authority within 72 hours.

Helping members comply with GDPR



This e-learning course focuses on educating employees about GDPR legislation.

More info...

Fact sheet


Our fact sheet highlights the changes and our checklist will help you get started.

More info...

Mobile phone


If you're a member and after some general advice on GDPR, use the free legal helpline.

More info...


Bitesize GDPR guides

GDPR guide

We have put together practical resources to help you understand GDPR, how the regulations effect your business and what you need to do to comply. There are four guides in total which can all be downloaded from the members' area. More info...

NEWS: Major GDPR fine sends warning to property professionals

UK agents should take stock of their data collection and retention procedures following the news that a Berlin property company has been fined more than €14.5m (£12.4m) due to a GDPR breach. Read more...