Surveyors handle personal data constantly — tenant contact details, client financial records, employee files, site visitor logs and marketing lists. For your APC, assessors expect you to demonstrate an understanding of your legal obligations under the UK data protection framework as they apply to everyday surveying practice.

The Legal Framework

The UK's data protection regime rests on two pillars. The UK GDPR is the retained version of the EU GDPR, incorporated into UK law by the European Union (Withdrawal) Act 2018. It sits alongside the Data Protection Act 2018 (DPA 2018), which supplements it for specific contexts. The regulator is the Information Commissioner's Office (ICO), with powers to investigate, issue enforcement notices and levy fines of up to £17.5 million or 4% of global annual turnover.

Lawful Bases for Processing

Every time you process personal data you must identify one of the six lawful bases under Article 6 of the UK GDPR:

  1. Consent — clear, specific, informed and unambiguous agreement
  2. Contract — processing is necessary to perform or prepare a contract with the individual
  3. Legal obligation — required by law (for example, HMRC reporting or health and safety records)
  4. Vital interests — necessary to protect someone's life
  5. Public task — necessary for a function carried out in the public interest or under official authority
  6. Legitimate interests — necessary for your legitimate purposes, provided they are not overridden by the individual's rights

In practice, surveyors most frequently rely on contract, legal obligation and legitimate interests.

The Seven Data Protection Principles

The UK GDPR sets out seven principles that must govern all processing:

  • Lawfulness, fairness and transparency — there must be a valid legal basis and individuals must be informed
  • Purpose limitation — data collected for one purpose cannot be repurposed incompatibly
  • Data minimisation — collect only what is adequate, relevant and necessary
  • Accuracy — data must be kept up to date and corrected promptly
  • Storage limitation — data must not be retained longer than necessary
  • Integrity and confidentiality — appropriate security against unauthorised access, loss or destruction
  • Accountability — you must be able to demonstrate compliance, not merely assert it

Data Subject Rights

Individuals hold several enforceable rights:

  • Subject Access Request (SAR) — a copy of all personal data held about them; you have one calendar month to respond
  • Rectification — the right to have inaccurate data corrected
  • Erasure — the right to request deletion where data is no longer necessary
  • Restriction — limiting processing while a dispute is resolved
  • Portability — receiving data in a structured, machine-readable format
  • Objection — objecting to processing on grounds of legitimate interests or direct marketing

Practical Surveyor Scenarios

Block management portfolio. You hold tenant names, lease terms and bank details. Your lawful basis is contract and legal obligation. Issue a privacy notice at the start of the tenancy and maintain a retention schedule — typically six years post-tenancy to cover limitation periods.

CCTV on a development site. Footage is personal data. You need clear signage, a defined retention period (commonly 30 days), a legitimate interests assessment and a policy governing access.

Marketing emails to prospective clients. The Privacy and Electronic Communications Regulations 2003 (PECR) apply alongside UK GDPR. Prior consent is generally required unless the soft opt-in applies to existing clients.

Sharing data with a valuer or lender. When you pass data to a third party acting on your instructions, they are a data processor. A written data processing agreement under Article 28 is mandatory, confirming they will only act on your instructions and maintain appropriate security.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is mandatory before processing likely to result in a high risk to individuals' rights. Triggers include large-scale processing of special category data, systematic monitoring of publicly accessible areas, or combining datasets in ways that could produce unintended privacy effects. A DPIA documents the processing, assesses proportionality and records mitigation measures.

Breach Reporting and Practical Controls

Where a breach is likely to result in a high risk to individuals, you must notify the ICO within 72 hours of becoming aware of it. Where the risk to individuals is high, you must also notify those individuals without undue delay.

Practical controls to have in place:

  • Encryption of devices and file transfers
  • Role-based access controls so staff only access data relevant to their work
  • A documented retention schedule, reviewed regularly
  • Staff training records, updated at least annually
  • Privacy notices issued at the point of data collection
  • Data processing agreements with every third-party processor — solicitors, valuers, managing agents, IT providers

APC Interview Tips

  • Name the UK GDPR and the Data Protection Act 2018 as the two limbs of the framework, with the ICO as regulator.
  • Practise recalling the seven data protection principles in order — assessors sometimes ask you to list them unprompted.
  • Anchor answers to your own experience: how your firm handles tenant data, SARs or third-party processor relationships.
  • On breach scenarios, lead with the 72-hour notification obligation to the ICO and explain when individuals must also be notified directly.
  • Know the difference between a data controller (your firm, determining purpose and means) and a data processor (a third party acting on your instructions) — it arises frequently in shared working arrangements.