GDPR: Don’t let anyone scare the living daylights out of you

Not a day has gone by without some ‘expert’ or other telling us about the GDPR May 25 ‘deadline’ and of course the potential for a €20m penalty for breaching the Regulations.

Having been around compliance for far too many years it amuses and irritates me in equal measure, because it happens every time there is any new legislation.

Here’s my take on it. There is not an agent in the UK that will ever be issued with a €20m penalty. It is simply not possible! The figure is bandied around just to scare the living daylights out of businesses. And, given the calls I have had from agents, it has definitely done that.

Furthermore, the concept of a May 25 deadline gives the impression that agents will be penalised on May 26 if they haven’t put everything in place to comply. This again is nonsense. No agent will be penalised on May 26, even if they have done absolutely nothing to upgrade compliance.

Elizabeth Denham, the Information Commissioner, said in a statement: “I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear. GDPR compliance will be an ongoing journey. It’s an evolutionary process for organisations.”

I believe that it is almost inconceivable that Information Commissioners Officers will proactively enforce the legislation in the early stages for several reasons.

First, because they will not have the manpower or resources to do so. I know of only three agents that had ICO action taken against them under the Data Protection Act in the past five or six years.

Secondly, the Regulation covers ever single business in the EU that holds even a small amount of personal information about individuals, and so does anyone really believe that little estate agency businesses will be anywhere near the top of any priority list? Of course, they won’t.

Thirdly, there are multiple interpretation issues still to be resolved and more will arise as matters progress.

Lastly and probably the most important is that the ICO have far bigger fish to fry than small estate agency businesses.

We have all heard of the problems these large international organisations have had in the past with compliance to the Data Protection Act. They are the ones that should worry, because surely, the ICO will focus on them – if only because that is where the big penalties are lurking!

Look back at Anti-Money Laundering enforcement by HMRC. They only really had estate agents to think about and who did they hit early on? The corporates. Why? Big penalties!

I don’t want any agent to think that they can be complacent, because that would be trivialising the obligation changes, when they are important. I also do not want agents to think it will be fine to sit back and wait, because it won’t be.

The biggest risk for agents will be email marketing and the potential for complaints to be made. If the correct route isn’t taken when consumers’ personal data is obtained or when consumers tell agents they want to ‘opt out’ or be ‘forgotten’, it will leave agents open to a complaint. In these cases, you may be looking at paying compensation, so get that right. Oh, and watch out for the professional compensation chasers.

Given the points made above I do not believe that 100% compliance is possible currently, but implementing a set of basic changes over the next couple of months will get most agents into a reasonably compliant state and this can be improved, where necessary, in the months that follow.

With this in mind Compliance-Matters have put together a compliance pack specifically aimed at agents. It includes an audit form to complete, which gives advice where a non-compliance is indicated. It also includes several template documents and clauses for agents to adapt to fit with their business model, including a policy template.

EYE readers can buy this pack until May 1 at a 50% discount by quoting Property Industry Eye. Simply click HERE for more information or for an application form.

David Beaumont runs EYE’s free compliance helpline (0161 727 8191) for our subscribers, and heads up Compliance-Matters, a business specialising in providing compliance services to agents on the many requirements agents must meet


Email the story to a friend


  1. ChumpExecutive

    We have engaged Bird & Bird, a city firm with a long standing expertise in this area to guide us and our franchisees through the GDPR maze. We have lots of technical points which we are boiling down into some simple FAQ’s to issue to our franchisees early April followed by roadshows, but if I can say one thing on this forum; “look busy”. Bird & Bird have said that the information commissioner will want to see that you are taking it seriously, looking at your cyber security (customer data in the cloud, behind a firewall), training your staff to respect other people’s data in their daily work, and having a documented process in place to deal quickly with customer complaints about inappropriate use of their data – can you suppress a customer record so that the unwanted emails and texts stop?

    Bird & Bird make the point that the GDPR legislation mirrors banking legislation from the early noughties, which forced a compliance culture on the banks by ensuring that they got “busy with” compliance matters. None of the principles of GDPR are really radically different from data protection law which have existed in the UK for 10-years (except that if a customer data breach occurs an organisation must “grass itself up” to the information commissioner, whereas currently it can keep mum) but the intention is to get us all to pay real attention and not just lip-service.

    1. DarrelKwong43

      The requirement to “grass” yourself up, already exists CE

      As the ICO CEO said about GDPR, this is all about:

      “Great transparency, accountability, and greater rights for individuals”

      As woodentop comments, this is all about whether or not a tenant/landlord/vendor/purchaser/applicant, wants to complain when you have sent them to many marketing emails, when they have potentially not consented, or a third party you have passed such personal data onto, misuses such personal data, and you have no evidence of their GDPR compliance.

  2. Woodentop

    “Having been around compliance for far too many years it amuses and irritates me in equal measure, because it happens every time there is any new legislation”.


    Hear, hear. Agents do not need to panic. Obviously someone in the organisation needs to look at the legislation and implement as required, but panic over someone coming into your organisation and checking …. you have more chance of winning the lottery. You need to be sure you are doing the right thing and only panic when a complaint is made, because that is more likely the only time the IC will ever contact you. That’s doesn’t mean you can put it off till tomorrow … we all know tomorrow ends up never!

    1. P-Daddy

      When action is brought against agents, previous cases in whatever area of compliance have always been given priority to the larger and corporate agents. If they get their knuckles wrapped, they will immediately warn, train and issue notes which will spread around the market quickly…job done! Action against the tiny 1 man band will get lost in the noise, unless it is a criminal issue. As pointed out earlier in this article, the so called max fine is 10% of global turnover..not even the big boys are doing enough to be at risk of 20m Euro

      1. Woodentop

        And this is where the likes of Property Industry Eye are an invaluable source of communication for the industry, particulary the small agents and one person band.

  3. Bless You

    Can eye put out a fact sheet for £5 ? I’ve tried researching it but there is nothing out there in plain English.

    Is this about getting i.d. from buyers or sellers or having a record proving your not harvesting your clients emails and making up trustpilot reviews??

    Bless our govt. For they are shhite

  4. NickTurner

    Initially I was looking at how we would deal with clients information but having been to a really excellent presentation by a regional firm of solicitors here in the west country, WBW in Exeter, the area of influence is much wider including employee records, Privacy Electronic Communications Regulations on your websites and many others.How many of us have client information on our mobile devices such as phones and i pads going back some time? Also contractors that we use all the time – we must make sure they are GDPR compliant.

    However the one thing that also came across is for us not to panic;the Information Commissioner will have larger fish to fry !( but may eat a few spratts from time to time) and it is across the whole of EU business not just estate agents.

  5. Dom_P

    To echo Nick Turner, the implications of GDPR are wide reaching, but manageable. Consider the following in your business:

    Staff Data, customer data, third party data (business contacts etc.), contracts detailing your processing activity with partners/service providers, marketing lists, CRM software, IT and infrastructure, paper storage in your office, can employees plug USB drives into laptops/PC’s and get data etc.?

    I would recommend auditing your data processes and establishing where your areas of risk are and tightening processes and procedures accordingly.




You must be logged in to report this comment!

Comments are closed.

Thank you for signing up to our newsletter, we have sent you an email asking you to confirm your subscription. Additionally if you would like to create a free EYE account which allows you to comment on news stories and manage your email subscriptions please enter a password below.