Definition
The UK data protection framework is made up of two principal instruments: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Together they govern how any organisation that processes the personal data of people in the UK must collect, store, use, share and dispose of that information. The Information Commissioner's Office (ICO) is the UK's independent regulator.
For a surveyor, "personal data" is any information relating to an identified or identifiable living individual — a tenant's email, a client's home address, a site visitor log, CCTV footage and even a photograph of a property that shows a car registration plate.
Why this matters for Data Management
- Level 1 knowledge: you must understand the seven data protection principles, the six lawful bases for processing, and the rights of the data subject.
- Every surveying instruction involves personal data — client onboarding, KYC checks, agent correspondence, tenancy schedules, site inspections.
- The ICO can impose fines of up to £17.5 million or 4% of global turnover, whichever is higher, for the most serious breaches.
- A failure to safeguard personal data engages Rule 2 (competence) and Rule 3 (good service) of the RICS Rules of Conduct, and a serious or concealed lapse can also raise Rule 1 (integrity) and Rule 5 (public confidence in the profession) concerns.
- Clients increasingly require evidence of GDPR compliance before appointing consultants — your firm's privacy notice, data processing agreement and retention schedule are part of tender submissions.
Key principles and explanation
1. The seven data protection principles
Article 5 of the UK GDPR sets out seven principles that underpin every processing activity:
- Lawfulness, fairness and transparency — there must be a valid legal basis and individuals must be informed.
- Purpose limitation — data collected for one purpose cannot be repurposed incompatibly.
- Data minimisation — collect only what is adequate, relevant and necessary.
- Accuracy — keep data up to date; correct errors promptly.
- Storage limitation — do not retain data longer than needed.
- Integrity and confidentiality (security) — appropriate technical and organisational measures.
- Accountability — document compliance and be able to demonstrate it.
2. The six lawful bases for processing
Article 6 requires one of the following bases before any personal data can be processed:
- Consent — freely given, specific, informed and unambiguous.
- Contract — processing is necessary to perform a contract with the data subject.
- Legal obligation — for example, anti-money-laundering record-keeping.
- Vital interests — to protect someone's life.
- Public task — rarely used by private surveying firms.
- Legitimate interests — balanced against the rights of the individual; the most common basis for client management and marketing.
3. Individual rights
Data subjects have eight enforceable rights: right to be informed, right of access (Subject Access Request — one calendar month, extendable by up to two further months where the request is complex or numerous, provided the requester is told within the first month), right to rectification, right to erasure ("right to be forgotten"), right to restrict processing, right to data portability, right to object, and rights related to automated decision-making. Surveyors most often field SARs from former tenants and employees.
4. Breach reporting
A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data — so ransomware that merely encrypts records, or a lost unencrypted laptop, is a breach even if nothing was exfiltrated. Where the breach is likely to result in a risk to the rights and freedoms of individuals it must be reported to the ICO without undue delay and, where feasible, within 72 hours of the controller becoming aware of it; the report can be made in phases if the facts are still emerging. High-risk breaches must also be notified to affected individuals without undue delay. Breaches judged unlikely to result in a risk need not be reported, but every breach must be recorded in the firm's breach register with the reasoning for that decision (Article 33(5)).
5. Controllers, processors and DPIAs
Whether your firm is controller or processor depends on who decides the purposes and means of the processing, not on the label in the contract. Your firm is usually the data controller for its own client instructions and may be a processor when it handles data purely on a client's instructions (e.g. managing tenancy data on their property); in practice a managing agent often exercises enough discretion to be a controller in its own right, so the roles should be analysed and documented per engagement. A written contract containing the Article 28(3) terms is mandatory between controller and processor. For processing likely to result in high risk — such as large-scale CCTV or tenant profiling — a Data Protection Impact Assessment (DPIA) under Article 35 is required before the processing starts.
Do not confuse UK GDPR with EU GDPR. They are closely aligned, but since 1 January 2021 the UK regime has been the EU GDPR as retained in domestic law and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, read together with the Data Protection Act 2018. Transfers from the UK to the EEA are permitted because the UK treats EEA states as adequate; transfers from the EEA to the UK are permitted under the European Commission's June 2021 adequacy decisions. A UK firm that offers services to, or monitors the behaviour of, individuals in the EU may still fall within the EU GDPR under its Article 3(2).
Relevant RICS guidance and legislation
- UK General Data Protection Regulation (UK GDPR) — the retained EU Regulation 2016/679 as amended.
- Data Protection Act 2018 — supplements the UK GDPR and covers law enforcement processing.
- Privacy and Electronic Communications Regulations 2003 (PECR) — governs electronic direct marketing (emails, texts, live and automated marketing calls) and the use of cookies and similar tracking technologies.
- ICO Guide to the UK GDPR (continuously updated) — the primary practitioner resource.
- RICS Rules of Conduct (effective 2 February 2022) — Rule 2 (competence) and Rule 3 (good service) are engaged by data-handling obligations.
- Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) — regulation 40 imposes a statutory retention period of five years from the end of the business relationship or completion of the occasional transaction, after which the records must be deleted unless another enactment or the individual's consent justifies keeping them; this interacts directly with the storage-limitation principle.
Ethics and Rules of Conduct angle
Data protection sits squarely within Rules 1, 2 and 3 of the RICS Rules of Conduct (integrity, competence and good service), and a serious lapse may also undermine public confidence in the profession under Rule 5. A failure to safeguard personal data is both a statutory breach — with possible ICO enforcement — and a professional conduct matter that RICS can pursue independently. Candidates should be able to explain how their firm documents lawful bases in its record of processing activities, trains staff, manages subject access requests, and maintains a breach register.
APC questions and answers
Q (Level 1) Name the seven data protection principles under UK GDPR.
Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Q (Level 1) Within what timeframe must a personal data breach be reported to the ICO?
Without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, where it is likely to result in a risk to the rights and freedoms of individuals. Affected individuals must also be notified without undue delay where the risk is high. Breaches not meeting the risk threshold are not reported but must still be logged in the breach register.
Q (Level 2) What lawful basis would you rely on for holding a former tenant's details to comply with AML rules?
Legal obligation under Article 6(1)(c) of the UK GDPR — the Money Laundering Regulations 2017 require firms to retain client due diligence records for five years after the end of the business relationship.
Q (Level 2) How would you handle a Subject Access Request from a former employee?
I would acknowledge receipt in writing, verify the requester's identity proportionately (without demanding more than is needed to confirm who they are), log the request, ask colleagues and IT to search all likely systems (email, HR, finance, shared drives, backups where reasonably accessible), review the results for third-party personal data or legally privileged material, redact as necessary under the exemptions in Schedule 2 of the Data Protection Act 2018, and respond within one calendar month free of charge. If the request is complex I would tell the requester within that first month that the deadline is being extended by up to two further months and why.
Q (Level 3) A managing agent client has suffered a ransomware attack that encrypted tenant records you process on their behalf. What do you do?
As the processor I would notify the client (controller) without undue delay, as Article 33(2) and our Article 28 contract require; the 72-hour clock to the ICO runs from the controller becoming aware, and the decision to notify rests with them, so my notification must be prompt and factual. Loss of availability of the tenant records is itself a personal data breach even if no data was exfiltrated. Jointly we would contain the incident (isolate affected systems, preserve logs and forensic images before rebuilding), assess the scope of affected data, engage IT forensics, consider whether the breach is likely to pose a risk to individuals' rights and freedoms, and — if so — notify the ICO within 72 hours and affected tenants without undue delay where the risk is high. I would update our breach register, review the DPIA and security measures for that processing, and feed lessons into staff training. I would also consider PI insurer notification and, as ransomware is a criminal act, report it to Action Fraud and seek NCSC guidance.