top of page
Strip backgrouynd showing a desk with paper, pen and coffee cup


Hot Topic Highlight - Ready for 2018? General Data Protection Regulation (GDPR)

RICS APC and AssocRICS mandatory competency business planning

Building a better you

Property Elite’s sole aim is to build better property professionals - supporting your career every step of the way, whether you are an AssocRICS or RICS APC candidate or a MRICS or FRICS Chartered Surveyor simply seeking engaging CPD.

We provide a wide range of training and support, so why not find out more on our website about how we might be able to support you? We work with candidates across all RICS APC and AssocRICS pathways, routes to assessment and geographic regions.

Don’t forget to sign up online for your free 15 minute AssocRICS or RICS APC consultation, including a review of your referral report if you have been referred. You can also book your bespoke training or support services directly through our web shop.

Not sure about signing up? Make sure you read what our recent successful candidates have to say in our Testimonials.

What is today's blog about?

This blog article will focus on what you need to know about the General Data Protection Regulation (GDPR). This is relevant to all property professionals and will be a hot RICS APC topic for Session 2 2017 onwards. Essential reading for RICS APC and AssocRICS candidates.

You can also listen to our CPD podcast on Anchor for more free AssocRICS and RICS APC training and support.

Why is this relevant?

GDPR and the Network & Information Security Directive (NISD) are EU Directives published in May 2016 with the aim of improving data protection for EU individuals.

They will build upon the principles of the Data Protection Act (DPA) 1998 and will be brought into UK law through the Data Protection Bill.

This will apply from 25 May 2018, so we need to prepare now to avoid business disruption and ensure compliance.

The importance of data security is confirmed by Verizon’s 2016 Data Breach Investigations Report, ‘no locale, industry or organisation is bulletproof when it comes to the compromise of data’.

What is GDPR?

Essentially an extension of the DPA 1998 to cover modern data and technology.

When did GDPR apply from?

25 May 2018.

Who does GDPR apply to?

Data controllers and processors. The former control how and why personal data is processed, the latter act on behalf of the controller.

If your data processing activities are covered by DPA, then you will also likely fall within the scope of GDPR. In simple terms, additional obligations are placed on those holding personal data by GDPR, over and above the DPA 1998.

What data will be affected?

Personal data - this goes further than the DPA to include personal data and identifiers, e.g. IP address.Sensitive personal data - some minor changes to the DPA, including genetic and biometric data.

It covers both electronic and manually held information, which could include business cards and written records.

What are the key principles of GDPR?

Article 5 of GDPR confirms that personal data must be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals

  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes

  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delayKept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals

  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

What are the 8 individual rights under GDPR?

  • Right to be informed

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to restrict processing

  • Right to data portability

  • Right to object

  • Rights in relation to automated decision making and profiling

How do DPA and GDPR differ?

  • Accountability to ensure that data is kept in accordance with the principles of GDPR

  • Tougher penalties for non-compliance

  • Wider definition of personal data

  • Non-EU organisations holding EU-related personal data will need to comply

  • Parental consent required for holding personal data of <16s

  • Active consent must be required to hold data, i.e. silence does not equal consent

  • Data breaches must be notified to ICO within 72 hours of awareness, unless exceptional circumstances apply

  • Risk-based reviews (Privacy Impact Assessments) must be undertaken for high risk activities

  • Right to be forgotten introduced

  • Requirements for electronic data portability if a data request is submitted

  • Compliance/privacy by design must be included within systems and processes, including staff training and contractual clauses

  • Additional liabilities placed on both data controllers and processors

What are the penalties for non-compliance with GDPR?

Fines of the greater of 4% annual global turnover or €20m.

In the worst cases, this could lead to insolvency so early preparation to comply with GDPR is essential. We understand that the highest penalty issued by ICO to date is £400k.

What about Brexit?

Irrespective of Brexit, the UK Government has confirmed they will be implementing GDPR.

10 tips to comply with GDPR

  • Prepare diligently to ensure compliance

  • Assess any privacy risks inherent in business processes/activities

  • Involve IT support to make appropriate changes

  • Provide staff training and support on data security

  • Appoint a Data Protection Officer if required by GDPR

  • Ensure you have adequate systems to deal with a breach and subsequent notification to the ICO (within 72 hours)

  • Do your systems comply with all GDPR principles, including the right to be forgotten

  • Update your internet security, e.g. virus protection, including on desktops, laptops and mobile phones

  • Ensure any data already held is up to date and compliant with GDPR

  • Can you release personal data promptly if a subject access request is made?

How can we help?

  • Head to our blog archive to access even more free CPD and AssocRICS and RICS APC training and support.

  • Download your free AssocRICS and RICS APC resources, including e-books and revision quizzes.

  • Find out more about our bespoke AssocRICS and RICS APC training and support, before booking your free 15 minute consultation and signing up for your services online.

Not sure about signing up? Make sure you read what our recent successful candidates have to say in our Testimonials.

Stay tuned for our next blog post to help build a better you

N.b. Nothing in this article constitutes legal or financial advice.


bottom of page