GDPR: Keep calm and carry out an audit

Tuesday 12 December 2017

With a major change to data protection legislation looming in May 2018, there is a growing chorus claiming there will be calamity over compliance. Tales of being fined €20m and losing the ability to market to your existing client database are somewhat exaggerated though. Neil Manito, Product Owner at Reapit, offers a measured view of what GDPR means to estate agency and lettings…


With GDPR just a few months from becoming law in the UK, you could, theoretically, be fined 4% of your global turnover for serious breaches of this new data protection legislation. You will not be able to process personal data without consent, or another lawful reason to do so, without risk of sanction. These are threats, though, designed originally by European lawmakers to ensure that GDPR got the attention of industry. The problem with this is that there is now a myriad of suppliers seeking to win business by terrifying companies into throwing money at them to make them ‘GDPR compliant’.

Fortunately, the regulators and other authoritative entities on GDPR are now fighting back against this campaign of misinformation, and the Information Commissioner, the Government body responsible for implementation of GDPR in Britain, is acting to dispel the myths and provide proper, relatively easy-to-understand guidance on GDPR compliance. The ICO has plenty of powers at its disposal already, but is ordinarily focused on help and guidance rather than sanction. Only those who have ignored advice and warnings usually end up being fined and, in the commissioner’s own words:

“It’s scaremongering to suggest that we (the ICO) will be making early examples of organisations for minor infringements or that maximum fines will become the norm.”

The Myth-Buster blogs on the ICO website are well worth a read if you are worried about GDPR.

Much of what we know to date about the practical implementation of GDPR is derived from ICO guidance, but it is important to note that full guidance on every aspect of GDPR has not yet been published. The guidance still to come could be important, because it will almost certainly provide a legal basis for certain estate agency and lettings activities. In particular, the guidance on Legitimate Interests could be key.


One of the things that we will be urging clients to do is ensure that all personal data is held in Reapit, so that it can provide a single source of truth on how your agency has processed an individual’s data. Moreover, the data itself needs to be secure. Maintaining databases or documents in non-secure ways, especially sensitive ones like ID check documents, is the sort of thing which is likely to lead to breaches of GDPR.

As a CRM system, Reapit has a large part to play in the lawful processing of personal data under GDPR – it is that central point in your agency through which all contact information is processed. We have been working for over a year on how we need to adapt our solutions for GDPR and we will be presenting more information on this in the New Year. There is plenty of work for us to do on this still, but GDPR is more of a business process challenge than a technology one.


Reapit will support clients extensively to help them comply with GDPR, but agents still have to take responsibility for their own compliance. Full compliance will not be possible until we have full guidance and legislation, but in practical terms, these are some of the things that you may wish to consider doing now to get ready:

  • Appoint a data protection officer – if you have over 250 employees, then this will be a legal requirement; if your agency is not that big, it is still sensible to have someone look after GDPR compliance

  • Read the ICO's guidance and Myth Buster blogs – the ICO is THE authoritative source of GDPR information

  • Document your processes involving personal data – to stand any hope of being compliant, you have to first work out what you are currently doing with personal data; only then can you adjust processes to become compliant

  • Work out who you exchange data with – any third party who passes personal data to you, or who you pass personal data to, will need to work with you to ensure you are both compliant in exchanging personal data

  • Review your existing Privacy Policy in conjunction with the above two points – the likelihood is that you currently will be processing personal data in ways which you have not explained at the point you were given the data

  • Prepare your business – you will almost certainly have to change processes and procedures and this will involve training and support to ensure your team know what to do

Look out for our talks on GDPR in conjunction with ARLA Propertymark.

N.B. Please note that nothing in this article constitutes legal advice and you should seek guidance from your own legal representative about compliance with GDPR and data protection legislation more generally.