Key Terms Under GDPR

Key Terms Under GDPR

Part 1

There's no hiding from the fact that GDPR is coming, and with it the biggest shake up to Personal Data laws in the last 20 years.

GDPR Video Series – Storing and Processing Data in CRM
GDPR Video Series – What’s next, what do I need to know?
GDPR is coming – How does it affect Estate Agents

There’s no hiding from the fact that GDPR is coming, and with it the biggest shake up to Personal Data laws in the last 20 years. There’s a lot of information to digest, so we’ve written a short series of articles to help guide you through the legislation and the things you need to be looking at ahead of 25th May 2018.

In this first of our series of articles we look at some the key terms under GDPR.

There are many key terms under GDPR that you will need to be familiar with:

GDPR Personal Data

  1. Personal Data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This could include:

  • Name
  • Email address
  • Location Data
  • Online identifiers (e.g. IP addresses)
  • Cookies

Don’t forget that you could be holding personal data in multiple places – software systems, emails, filing cabinets – its’s really important to do an audit so you know what you are holding, and more importantly whether that data is relevant or whether it is even necessary to hold that data.

Each person to which Personal Data relates is a Data Subject.  Remember that you are likely to hold Personal Data relating to many different types of data subjects – Tenants, Landlords, Applicants, Vendors. Don’t forget that you will also hold Personal Data on employees.


Sensitive Personal Data

  1. Sensitive Personal Data

 It is unlikely that as an estate agent you will need to hold any sensitive personal data, which is defined as  genetic data, and biometric data where processed to uniquely identify an individual.

Data on criminal offences has its own special category.


data controller estate agents

  1. Data Controller

A data controller determines the purposes and means of processing the personal data.

As the estate agent, you will be the Data Controller for the data you collect and hold on your customers.


Data processor

  1. Data Processor

Data Processors are those who process data on behalf of the Data Controller.

Dezrez acts as a Data Processor on behalf of you, the estate agent. There could be any other number of processors that you utilise as an estate agent, including tenant referencing companies,  other software providers, HR systems among others.


lawful basis for processing

  1. Lawful bases of processing

To process Personal Data, you will need a lawful basis for processing that data.

There are six lawful bases for processing Personal Data, and no bases is better than any of the others. It is up to you to choose the most appropriate basis for processing that data. The six bases are:

  • Contract
  • Legitimate interests
  • Consent
  • Legal Obligation
  • Vital Interests (unlikely as an estate agent)
  • Public task (unlikely as an estate agent)

Depending on the data you hold and how you intend to use it a single piece of data may have more than one basis for processing, for example, an email address may be :

  1. Used to confirm viewing appointments (contract)
  2. Used to upsell financial services (consent or another legal basis)

We’ll be talking more about lawful basis for processing in a future article.


Individual Rights

  1. Individual Rights

Under the GDPR, individuals have a number of rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.



  1. Privacy and Electronic Communications Regulations (PECR)

Alongside GDPR there is a piece of legislation called PECR. This governs electronic communications (email, text, phone calls, cookies). There is some overlap with the GDPR and its important to understand (and comply) with both pieces of legislation.


Privacy policy

  1. Data Protection Documentation and Privacy Policy

Underpinning all of the data you hold is documentation – internal documentation recording :

  • what data you hold and how you process, store and delete data,
  • dealing with data breaches and subject access requests.
  • as well as external facing policiesMost organisations are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention; we call this documentation.
  • as well as external facing policies

We see plenty of examples where companies have a great looking website built, but the link to the privacy policy goes nowhere!

Regardless of whether or not you have a privacy policy or not, you need to review and update it. To do this, you need to do the work above about understanding your data. The ICO have a great guide and tempaltes for documenting your processing activities


data officer

  1. Data Protection Officers

Only organisations with 250 or more employees need to appoint a Data Protection Officer, however it is best practice to have a nominated internal contact to deal with GDPR issues that all staff can refer to.


Further guidance:

Disclaimer: This article is based upon our understanding of the General Data Protection Regulation (GDPR).  There are still some aspects of the GDPR which are undetermined or are awaiting guidance from the ICO.  This should not be relied upon as legal advice nor how GDPR may apply to your organisation.  We encourage you to work with a legally qualified professional to understand GDPR, how it applies specifically to your organisation, and how best to ensure compliance.