Blog Home

We’re rapidly approaching the deadline for General Data Protection Regulations, or GDPR for short, which is in force from the 25th of May 2018. If you haven’t already heard, GDPR is the biggest overhaul of individual data handling in two decades. We covered this after attending Legislation Live in 2017. GDPR applies to all businesses, no matter how small, and the penalties will either be up to 10 million euros, or 2% of annual global turnover (whichever is higher) or up to 20 million euros, or 4% global turnover (again, whichever is higher). The fines are on two separate tiers as GDPR will be enforced on a case-by-case basis, and the tiers depend on a list of certain breach criteria.

Consent and Transparency

The most important aspect of GDPR is the issue of consent in data protection. With the new regulations, consumers must freely give their consent and know what information they’re being asked for. For example, you may have been in a coffee shop and want to access their ‘free’ Wifi, but when you attempt to connect you’re asked for a long list of information such as your email address, phone number, gender, residential address (most draw the line at shoe size). The GDPR will mean that companies must tell you why they need that information and you must give your consent for each purpose i.e. if you give consent for your personal data to be used as part of signing a contract with an agent, it doesn’t mean you’ve given explicit consent to be contacted for marketing purposes. Companies will have the burden of proof when it comes to proving that a customer has given their consent, and they may also be required to name any, and all, third parties that they would share your information with.

The regulations won’t just apply to new data after the 25th of May 2018, it will also include existing data held by companies. This means that companies are reaching out to obtain consent from existing customers to retain their personal data. It’s a good opportunity for you, as a consumer, to re-consent to companies to find out, and control, how your data will be used. GDPR also means that consumers will, under Article 17, be able to ask for their personal data to be deleted by a company under the Right to be Forgotten. Any unnecessary data must be deleted if a consumer requests it.

For the property industry, there are a few key applications:


  • Tenant applicant data can be kept but you must have consent
  • Under the Right to be Forgotten, data that must be deleted would not include Right to Rent ID checks
  • Letting agents must be careful about contacting landlords for marketing purposes, as consent must be given.


Upad’s Compliance with GDPR

Here’s what Upad are doing in response to the GDPR:

Improving registration process

We’re updating our processes so you can adjust your communication preferences from the get go, in order to receive relevant marketing information and confirm your consent.

Customised communications

Every communication you receive from Upad will be personalised and customised based on what you’ve told us about yourself, and your interest in property management, legal obligations, tax and financial advice.

No irrelevant communications

You won’t receive any marketing information that’s not relevant to you or your circumstances.

Sharing information

We don’t share any of your information with third parties.

For more information on GDPR, ARLA Propertymark have a useful factsheet and checklist

Previous article Next article

By Lucie Geller
26 Mar 2018

Categories: Upad, News, Legal, Letting Agents, ARLA Propertymark, GDPR



Subscribe to the Blog


How much can you get for your property?

Free rental valuation calculator