Data Protection changes

18th Oct 2016

Key points in summary:

•    The regulations on data protection in the UK will change significantly on 25th May 2018
•    Organisations are being urged to prepare for compliance with the new regulations
•    New ICO guidance focuses on how customers are informed about processing of their data
•    Uncertainty remains over implications on marketing and other areas of estate agency
•    Reapit is consulting with clients and industry groups to devise an approach


The Information Commissioner’s Office has published a new code of practice for privacy notices to explain what businesses should do to inform consumers about how their personal data is processed.

This is the first piece of guidance from the commissioner that, in part, addresses the forthcoming changes to data protection law. On 25th May 2018, the EU General Data Protection Regulation (GDPR) will come into force across Europe and in the UK, superseding the 1998 Data Protection Act.

Why is GDPR important?

Failure to comply with the new regulations (the old version was merely a directive) could prove ruinous for a company with applicable fines of up to €20 million or 4% of their annual turnover – whichever of the two is higher. 

The core principles of data protection do not fundamentally change with the introduction of GDPR, but there are a significant number of other obligations that it introduces around security, consent, and accountability.

The more detailed nuances of what these regulations mean in practical terms are still the subject of much debate in legal circles and this first output from the ICO forms a sensible starting point for businesses to review their existing practices in preparation for compliance.

New ICO code of practice

Most companies provide detail of how they process personal data through a privacy policy. These weighty tomes, that few people actually read, tend to be hidden away on websites and referenced in other documentation, including contracts.

The new code of practice supports the statement in the GDPR that the information you provide to people about how you process their personal data must be:

•    concise, transparent, intelligible and easily accessible;
•    written in clear and plain language, particularly if addressed to a child; and
•    free of charge

Although a full privacy policy is likely to remain the authoritative record of how an organisation processes personal data, greater consideration will need to be given to the specific circumstances of when and how consumers are informed about specific uses of their personal data.

For example, when registering a new applicant, an agent would need to inform them of the specifics of how they will process personal data in relation to matching properties and other activities like passing data to third-parties. 

The new code of practice seeks to promote transparency on how data is used by organisations and that basically means being up-front with customers about the specifics of how their data will be processed rather than hiding things in pages of legalese.

Marketing Consent

Telling consumers about how you process their data is different from getting their permission to do so. Consent is just one of a number of conditions that can be used to justify the processing of personal data. The code states that: 

“Consent may not be needed to undertake direct marketing by post or phone call (unless the individual is registered with the Telephone Preference Service) if another processing condition can be relied on, but the ICO considers gaining consent to do this to be good practice and the most advisable approach.”

Marketers can rely on other processing conditions like Legitimate Interests to justify their actions instead, but this creates challenges in proving that those interests were balanced with those of the person whose data is processed. Whatever condition you use to justify processing, informing the consumer is mandatory.

What about email?

Digital marketing is specifically excluded from the guidance as The Privacy and Electronic Communications Regulations 2003 – itself based on a different EU directive, already stipulates an organisation’s obligations in this respect. It is widely expected that this separate legislation will have to be updated to align it with GDPR. 

What about Brexit?

Some have questioned the need to worry about GDPR after the referendum to leave the EU, but as there are less than two years until the GDPR comes into force, the UK will almost certainly be beholden to it for a time at least.

There is a possibility that the legislation could be repealed, post-Brexit, but the ICO has made a number of statements to suggest that they will be in no hurry to replace it. The fact that the new guidance future-proofs their position on certain elements of GDPR speaks volumes in this respect.

What next?

Much debate is still to be had on this complex topic and the legislative text blends good practice with the regulations themselves. For example, there are recitals in the GDPR banning the use of
pre-ticked boxes on consent forms, but because this ban is stated as a recital to the regulation rather than a regulation itself, it is not technically legally binding.

Carefully considered guidance is still in short supply and Reapit is engaging with experts and industry bodies to better understand what changes may be needed to our software solutions to ensure compliance.

If you would like to be kept informed of developments in this respect and find out more about the impact of GDPR on estate agency, then please submit your details here:

Data Protection Updates

Your data will only be used to send you other communications on this topic and we will store it in our email and CRM software. That’s the transparency bit! Our full privacy policy (which you will read of course) can be found here.