GDPR – Keep calm and carry out an audit

November 21st, 2017

With a major change to data protection legislation looming in May 2018, there is a growing chorus claiming there will be calamity over compliance. Tales of being fined €20m and losing the ability to market to your existing client database are somewhat exaggerated though. Neil Manito, Product Owner at Reapit, offers a measured view of what GDPR (General Data Protection Legislation) means to estate agency and lettings.



Back in the late 1990’s, the prophets of doom professed to the world that the Millennium Bug, an issue with computers being confused by the year going from 99 to 00, would bring calamity to the computerised world. Headlines stated that this bug could cause planes to fall out of the sky, businesses to suffer catastrophic system failures and a general technological Armageddon. It didn’t quite turn out to be that dramatic, but that didn’t stop businesses ‘investing’ an estimated $600bn (Gartner Group) in protecting themselves from this missing digit menace.

Fast forward to 2017 and those same prophets have a new scare story and hardly an hour will go by without an unsolicited approach (an irony in itself) to agents about the threat posed by GDPR.

The threats are, to some extent, real. Theoretically, you could be fined 4% of your global turnover for serious breaches of GDPR. You will not be able to process personal data without consent or other lawful reason to do so without risk of sanction. They are threats though, designed originally by European lawmakers to ensure that GDPR got the attention of industry. The problem with this is there are now a myriad of suppliers seeking to win business by terrifying companies into throwing money at them to make them ‘GDPR compliant’.

Fortunately, the regulators and other authoritative entities on GDPR are now fighting back against this campaign of misinformation and the Information Commissioner – the Government body responsible for implementation of GDPR in Britain, is acting to dispel the myths and provide proper, relatively easy to understand, guidance on GDPR compliance. The ICO has plenty of powers at its disposal already, but is focused on help and guidance rather than sanction ordinarily. Only those who have ignored advice and warnings usually end up being fined and, in the commissioner’s own words:

“It’s scaremongering to suggest that we (the ICO) will be making early examples of organisations for minor infringements or that maximum fines will become the norm.”

See more on the Myth Busters on the ICO blog: 



Much of the focus of those already working on GDPR is around the issue of consent; one of the conditions that can be used to lawfully process data under GDPR. At Reapit, we have been working hard on overhauling the contact record entity in our CRM software, so that it can act as a central record of what a contact has consented to and how data has subsequently been processed for that contact. GDPR places various requirements to record how data has been processed and, if your organisation has over 250 employees, this is quite detailed. Fortunately, the existing contact journal in our software is exactly the sort of thing that can provide this audit trail and we are enhancing this to record additional information plus digital interactions, as well as human ones.

Consent to send marketing materials to an individual is one of the hot topics. In reality, consent to marketing is already a requirement of Privacy and Electronic Communications legislation. GDPR places additional responsibilities on you to be more overt with your explanations of what you will do with someone’s data when you ask for consent.



Much of what we know to date about the practical implementation of GDPR is derived from ICO guidance, but it is important to note that full guidance on every aspect of GDPR has not yet been published. These could be important, because they will almost certainly provide a legal basis for certain estate agency and lettings activities. In particular, the guidance on Legitimate Interests could be key. The ICO wrote in August that:

“The rules around consent only apply if you are relying on consent as your basis to process personal data.”

“Consent is one way to comply with the GDPR, but it is not the only way.”

One of the other ways in which an organisation can process personal data and still comply with GDPR is through having a ‘legitimate interest’ to do so.

This is where things then get very subjective. For instance, you could argue that an agent has a legitimate interest to process data relating to a tenant in arrears – passing personal data to a collection agency for example. The tenant is unlikely to provide consent to do this and even if they had signed something to give consent originally, GDPR would give them powers to remove that consent. The likelihood is that an agent would still be able to process the data on the grounds that they had a legitimate interest to do so.

Once the ICO publish their guidance, we will hopefully have a clearer idea of how legitimate interest can be applied as a reason for processing personal data lawfully. I do think it is unlikely that Legitimate Interest will help with many of the marketing challenges with GDPR though. Sending email communication and other forms of marketing using personal data will be heavily reliant on permission to do so in the first place.



One of the things that we will be urging clients to do is ensure that all personal data is held in Reapit, so that it can provide that single truth on how your agency has processed an individual’s data. Moreover, the data itself needs to be secure and maintaining databases or documents, especially sensitive ones like ID check documents, in non-secure ways is the sort of thing which is likely to lead to breaches of GDPR.

This is actually where I do feel there is a significant risk to agents. You will have a legal duty to report any data protection breach within 72 hours. With that information in the public domain, the potential reputational damage could be significant.

In addition to the need to protect and report on breaches, GDPR also provides new rights to citizens to have access to the data you hold about them (subject access requests) and to request its removal (right to be forgotten). Having processes to accommodate these rights will also be important to remaining compliant.

As a CRM system, Reapit has a large part to play in the lawful processing of personal data under GDPR – it is that central point in your agency through which all contact information is processed. We have already been working on how we need to adapt our solutions for GDPR for over a year and we will be presenting more information on this in the New Year. There is plenty of work for us to do on this still, but GDPR is more of a business process challenge than a technology one.



Reapit will support clients extensively to help comply with GDPR, but agents still have to take responsibility for their own compliance. Full compliance will not be possible until we have full guidance and legislation, but in practical terms, these are some of the things that you may wish to consider doing now to get ready:


  • Appoint a data protection officer – if you have over 250 employees, then this will be a legal requirement; if your agency is not that big, it is still sensible to have someone look after GDPR compliance
  • Read the ICOs guidance and Myth Buster blogs – the ICO is THE authoritative source of GDPR information and they have made it very clear in a series of blog posts that you should not believe everything that you read elsewhere
  • Document your processes involving personal data – to stand any hope of being compliant, you have to first work out what you are currently doing with personal data; only then can you adjust processes to become compliant – this goes beyond marketing too
  • Work out who you exchange data with – any third party who passes personal data to you, or who you pass personal data to, will need to work with you to ensure you are both compliant in exchanging personal data
  • Review your existing Privacy Policy in conjunction with the above two points – the likelihood is that you currently will be processing personal data in ways which you have not explained at the point you were given the data
  • Prepare your business – you will almost certainly have to change processes and procedures and this will involve training and support to ensure your team know what to do
  • Look out for our talks on GDPR in conjunction with ARLA – for updates on this, please give us your consent to keep you updated here:


Please note that nothing in this article constitutes legal advice and you should seek guidance from your own legal representative about compliance with GDPR and data protection legislation more generally.