Under GDPR, estate and letting agents will be deemed as ‘data controllers’. What is this and what does it mean?
Every time a customer gives you their personal information, you become responsible for what happens to it; you literally control that data. You’re responsible for its safety, for who it is shared with and for choosing a software provider, or “data processor” that is compliant with the rules. If your software provider breaks the rules, you are ultimately liable for this breach, as the data controller.
Do estate and letting agents now need consumer consent for all direct marketing?
Basically yes, with one useful exception. For each person you directly contact, you must have recorded GDPR-adequate consent, unless they have already signed terms of business with you.
You need to contact everyone in your existing database to ask for consent to stay in touch before 25 May. This way, if Mrs. Adams asks you why she’s receiving a list of properties from your agency, you can say, “because on X date you consented to hear from us, and here’s a copy of the email.”
The reason this new rule cannot be ignored is not that the ICO will start fining agents; they almost certainly won’t. It is that this is the most likely reason professional complainers will lodge complaints about you with the ICO, causing you real hassle and creating question marks about your business’s compliance record.
If you are marketing services to someone who has recently transacted with you for a similar service, who was also given the chance to opt out but did not, then they fall under the soft opt-in exception and you can continue to direct market to them.
How can agents show evidence/documentation of a consumer’s consent to direct marketing?
This depends on how you obtain it. The most common case is a visitor on your website submitting their contact info for marketing purposes: include a box that is not pre-ticked, which the individual must check in order to submit their information and which records their consent to be contacted for marketing purposes. Record that in your system. Always provide an opt-out/unsubscribe option in your mailouts.
What is a soft opt-in and can it be used by estate and letting agents?
The soft opt-in exception provides that consent is not required if (a) you are sending marketing messages about similar products/services to someone (b) with whom you have already transacted, and (c) they were given the option of opting out of marketing communications, but did not do so. The theory behind this exception is that such processing is based on legitimate interests of doing business. Only the party that collected the details may use them, not third parties.
What is a legitimate interest and how does it relate to estate and letting agents’ services?
A legitimate interest is a basis for processing data – one of the several alternatives to consent as a means for holding and processing personal information. An example of this is: A debtor stopped making payments, moved house without informing the creditor, and now the creditor-company passes the debtor’s personal information to a collection agency to attempt to recover payment.
A signed terms of engagement demonstrates the agency has a legitimate interest in processing the customer’s data in order to fulfil its business obligation. When a person is already a “client” of the agency, then the agency has a legitimate interest to process their information – but be careful about passing their data to third parties, because you must ask yourself whether the data subject could reasonably expect you to process his/her data, and for the purpose that you are doing it.
Are agents still allowed to send unsolicited emails and letters to homeowners?
Post sent to a homeowner at a residential address is one thing, as that doesn’t rely upon personal data. But an unsolicited email, which isn’t necessarily to a particular individual, is a hard no. This is direct marketing, and without consent or another legal basis to contact these individuals, this is precisely what GDPR seeks to prohibit. In fact, you are not meant to even retain email addresses unless you have a proper purpose for doing so, pursuant to the GDPR. It is also worth noting that the GDPR does not change the requirements of cross-checking with the Telephone Preference Service and Mailing Preference Service lists.
Are agents still allowed to pass consumer information on to third parties? If so, do these organisations need to be named?
If you are passing along leads to third parties (for commission or not), you absolutely must stop doing so unless you have:
- Consent recorded: In order for this to be GDPR adequate, you must be specific about to whom you have passed their information; OR
- A legitimate business interest for doing so (you sold their house and the third party supplier is legitimately involved in facilitating completion of that transaction).
You had better record the names of these third parties, because if/when someone asks to see how their data has been processed, they have a right to see to whom they have been passed.
When gaining a consumer’s consent, does this need to be obtained in writing?
You must have a record of what they agreed to and when. So yes, either in writing or ideally in electronic format (for example, an email). If you get it telephonically and do not follow up with an email, make sure you have a record of the “script” you read them (informing them of their rights, exactly what the scope of the consent was) and the date on which they said “yes.”
When taking customers’ contact details over the phone and subsequently adding them to a database, do agents need to mention GDPR and gain consent?
Customers need to be informed of their rights under the GDPR, so while agents don’t necessarily need to mention the GDPR by name, in explaining their rights this will likely come about. If the agent wants to be able to pass along the customer’s information, they must gain consent to do so. If the customer is providing the agent their details for marketing purposes or property search purposes, the agent should note this purpose. All future communications (especially for marketing) must have the ability to opt-out and/or change subscription settings.
It’s advised that our databases now need to be ‘granular’ and ‘delineated’. What does this mean?
As you know by now, the more specific you can show your consents to be, the more you have “CYA” under the GDPR. Granular consent just means consent given to a specific purpose, and delineated just means organised. In order to ensure GDPR compliance (especially when it comes to consent), the more organised and properly indexed (by purpose, for example) your database, the better.
How frequently should an agent ask its customers to update their marketing consent preferences?
As frequently as it makes sense to do so. This is a business decision, not a legal one. However, any changes to your system that affect customers need to be promptly communicated to them. Customers must be able to change their preferences at any time.
*For more information on GDPR please check out BestAgent’s GDPR Data Bible here.