The BestAgent GDPR Data Bible

Preserving your customer information.

The three plain-English golden GDPR rules for estate and lettings agency data are:

  1. Don’t send newsletters to anyone who has not “opted-in”, even if they are customers.
  2. Don’t contact anyone who wouldn’t expect to hear from you.
  3. NEVER pass on people’s information to ANY third party for marketing purposes without their express permission.


What happens if I ignore the GDPR?

As you are probably already aware, estate and lettings agencies are “data controllers” because you control your data: you determine how and for what purpose the personal data that you receive is stored and processed. This comes with certain important obligations under the GDPR.

While ignoring the GDPR would put you in immediate breach of the new regulations, in the short term nothing much is likely to happen because the ICO is focused on major data controllers such as Facebook, WhatsApp and Google. No small agent is ever going to be fined £20m, which is cited as the maximum fine for a breach.

However, many of your customers will be aware of the new rules and are likely to cause you real headaches if they believe you are ignoring the GDPR. This will be harmful to your reputation and will create hassle and work for you if they choose to report your breaches to the ICO.

The basic idea behind the GDPR is to prevent businesses from pestering people who don’t want to be pestered, and to protect people’s privacy. For the reputation of your business and the wider industry as a whole, BestAgent recommends doing your best to comply with these rules, which will actually be good for your business in the long run.


Which clients and potential clients can I keep in contact with?

Vendors in your area 

  1. Owners who bought property through you: You have to maintain accounting records for 7 years anyway. Since you’ve transacted with them, you can market similar services to them, as long as you provide an unsubscribe option. Provided they have not told you to stop sending them your market newsletter since you last transacted with them, you can continue to send it, as long as you provide an unsubscribe option.
  2. Owners who sold through you: You have to maintain accounting records for 7 years anyway. Since you’ve transacted with them, you can market similar services to them, as long as you provide an unsubscribe option. Provided they have not told you to stop sending them your market newsletter since you last transacted with them, you can continue to send it, as long as you provide an unsubscribe option.
  3. Vendors who you’ve pitched, but who instructed another agent: If they told you they are going with someone else, you may keep pitching until and unless they ask you to stop. If they successfully sold through another agent (and have therefore moved) you must then either record their permission to stay in touch, or delete their information. You cannot add them to your newsletter/general property marketing list without their consent.

Landlords in your area 

  1. Landlords who are actively using your services: Keep all of their information and contact them as you please. Contact them about all things related to their potential needs. If you send them direct marketing information, be sure to provide an unsubscribe option.
  2. Landlords who formerly used your services: These are people who likely fall into the soft opt-in exception, as you have previously transacted with them, and it is therefore reasonable to market similar services to them as long as they have not told you to stop contacting them.
  3. Landlords who are not yet actively using your services: Ask them (easiest by email) to confirm that they are happy to still be receiving information about your services. In our experience, about 75% of those who respond will say yes, because it is in their interest for you to work for them. By the letter of the law, you are required to record their consent. However, in our view, no landlord will claim breach if you continue to try and get them tenants, i.e. income, until and unless they tell you to stop contacting them (in which case you must delete them from your database).


Applicants

  1. Applicants registered for property updates: You may continue to send them relevant properties until they ask to be removed, as long as there is an unsubscribe option in your communications. You can call them about their search requirements if they supplied their telephone number, until and unless they tell you to stop.
  2. Applicants with something to sell in your area: If an applicant informed you at the point of registration that they need to sell a property in order to move, and they live in your coverage area, it is okay to pitch them your selling services without needing extra permission. If they are not interested, do not push the matter further.
  3. Valuation Referrals: If they live outside your area and you wish to refer them to another agent for the purposes of a valuation introduction, you MUST obtain and record their permission to refer them first. You cannot simply pass them into any lead referral system without their consent. This would be a clear breach of GDPR.

Property management contacts 

  1. Tenant information: If they are tenants of your active landlords, you clearly need to keep their information for legitimate business purposes. But you cannot market new services to them unless you have gained their opt-in consent.
  2. Property Maintenance Contractors: Contacting these people for the purposes of property maintenance does not require any GDPR consent, as they are relevant and required for the purposes of carrying out your normal property management activities. But again, you may not send them marketing communications unless they have opted in.


Mailing Lists/Property Market Update Lists

  1. If you have a mailing list of people who checked a box to opt in and to be contacted, you can keep everyone on that list (just be sure to give them an unsubscribe option).
  2. If, when signing up for your mailing list, the “contact me” consent was pre-checked, this is not adequate GDPR consent to contact. So, unless they have transacted with you before and you are marketing similar services with the option to unsubscribe, you have to regain their positive opt-in consent (meaning they have to tick the box themselves; it is not pre-ticked) before 25 May in order to continue marketing to them.
  3. What about general marketing leaflets in paper form? If they are not addressed to anyone, i.e. contain no personal information, and are just for “homeowner of XYZ street,” then this is fine.


Lead Referrals

If you are passing along leads to third parties (for commission or not), you absolutely must stop doing so unless you have:

  1. Consent recorded: In order for this to be GDPR adequate, you must be specific about to whom you have passed their information; OR
  2. A legitimate business interest for doing so (you sold their house and the third party supplier is legitimately involved in facilitating completion of that transaction).

An important note on consent and lead referrals

This is probably where GDPR is going to cause the biggest headache. You may never pass along information without a legitimate reason for doing so (point 2 above). If you do not have a legitimate business interest, you must specifically record consent for passing along their information.

You must be explicit to the customer about to whom you intend to pass their information. You must also record each third party to whom you actually send their information.  
If the customer ever withdraws consent, it is your responsibility to relay this to all third parties.  Without a record of the consent, you will (a) not be able to properly erase them when asked; and (b) not be able to provide them with the information you are processing about them if you are asked.


People you absolutely must delete from your database without question.

Everyone who has ever asked to be deleted from your database.

Archived applicants: These are applicants who registered but never moved into a client’s property and have asked to no longer be sent property details.

If you want to be able to keep in touch with archived applicants because you now know they own property in your area, you must obtain and record their permission to do so, before May 25.


Your risk of liability as a data controller if your processor (software provider) is not in compliance with GDPR.

Estate and letting agencies control the data that their software providers process. According to the ICO’s “Data controllers and data processors” guidance, estate and letting agents are ultimately responsible for ensuring that their software providers process their databases in compliance with the GDPR. (See also the ICO’s draft guidance on GDPR contracts and liabilities.)

If your software provider continues to pass along its contacts from your database to third party companies for leads, and those companies then contact individuals who have not actively consented to marketing, this will be a violation of the GDPR, for which the agency could be liable.  

Your processor should also make it easy for you to retrieve all personal data that you have on a customer, if and when the individual requests to see it. Your processor must delete anyone who requests to be deleted. They must not process personal data for any other purpose than what was consented to, or what falls under a legitimate business interest. (There are other legal bases for processing, but they are generally not relevant to your business.) This is all to say that it is in your best interests, as a data controller, to pick a GDPR-secure and compliant processor (software provider), because if not, you risk being ultimately liable for any violations.