Data Management — RICS APC Competency Revision Guide
Data management is a mandatory RICS APC competency that has grown in prominence as the profession has become more data-dependent. It covers how data is collected, stored, maintained, and used within a surveying practice — and the legal, ethical, and professional obligations that surround those activities. The UK GDPR and the Data Protection Act 2018 provide the legislative framework. The RICS data management guidance note sets out the profession-specific standards. Assessors expect candidates to understand not just data protection law but also data quality, data governance, and the surveyor's responsibility when handling client or commercially sensitive information.
12 articles in this competency · Browse with filters on the main library
What is the RICS data management competency?
Data management is a mandatory RICS APC competency covering how surveyors collect, store, protect and use data in professional practice. It is underpinned by the UK GDPR and the Data Protection Act 2018, and the RICS Data Handling professional standard, which require surveyors to process personal and client data lawfully, fairly and securely — including during remote working, cloud storage and the use of artificial intelligence tools.
Key RICS data management principles
- Six lawful bases for processing: consent, contract, legal obligation, vital interests, public task, legitimate interests.
- Data subject rights: access, rectification, erasure, restriction, portability and objection.
- Security measures: encryption, access controls, secure disposal, backups and breach-response plans.
- Retention and disposal: a documented retention schedule matched to legal, regulatory and contractual duties.
- Third-party data sharing: written data-processing agreements and due diligence on sub-processors.
What the RICS APC expects at each level
L1 Knowledge
At Level 1, you should understand the key principles of UK GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. You should know what constitutes personal data, what a data controller and data processor are, and the conditions for lawful processing. Familiarity with the RICS data management guidance note and the concept of data quality — accuracy, completeness, and timeliness — is also required.
L2 Application
Level 2 evidence comes from applying data management principles in your day-to-day work. Diary examples might include: conducting a data audit on a property database, identifying and correcting an error in a client record, handling a subject access request, implementing a data retention schedule, or identifying a potential data breach and following the firm's incident response procedure. The key is that you took action based on your understanding of the principles, not simply that you followed instructions.
L3 Reasoned advice
At Level 3, assessors expect you to give reasoned advice when data management issues arise in a professional context. They may ask how you would advise a client on the data risks of a proposed PropTech solution, how you would respond to a data breach affecting client information, or how you would balance data retention obligations against a client's right to erasure. You should be able to identify the legal basis for processing, quantify the professional risk, and recommend a proportionate course of action.
Level 1 — Knowledge & Understanding articles
Foundational articles on Data Management. These cover the principles, definitions and documents assessors expect a Level 1 candidate to know.
Cyber Security and the RICS Surveyor: Practical Obligations
Surveyors hold client financial data, KYC files, BIM models, valuations and tenant records — all attractive targets. Cyber security is the o…
10 Examples of How Surveyors May Use Data
Here are 10 examples of how an RICS surveyor may use data, use this as a prompt to come up with your own examples specific to your daily...
Benefits, Challenges and Dangers of BIM
Benefits: Improved design and planning: 3D models and simulations allow for better visualisation, clash detection, and optimisation of...
Computerised Central Project Databases (CCPDs)
Benefits: Improved information access and sharing: All project data is stored in one central location, easily accessible to authorised...
Electronic Database Systems
Here's a concise explanation of electronic database systems and how they work: An electronic database system is a collection of organised...
GDPR and Data Protection Obligations for RICS Surveyors
Surveyors handle personal data constantly — tenant contact details, client financial records, employee files, site visitor logs and marketing lists.…
How Can Data be Used in Your Business?
The way data is collected, analysed, and stored within an RICS surveyor's organisation can vary depending on the...
How is Project Information Stored?
The way project information is stored within a surveyor's organisation can vary depending on several factors, such as the size of the...
Legislation Applicable to Data Management and Data Access
The current legislation applicable to data management and data access varies depending on your location and the specific type of data...
RICS APC Data Management Competency: A Summary
The RICS Data Management competency is essential for all aspiring RICS professionals, regardless of their chosen pathway. It assesses...
Setting Up and Using Technical Libraries
RICS surveyors rely heavily on accurate and up-to-date information to make informed decisions and provide reliable services. Technical...
What is Building Information Modeling (BIM)?
Building Information Modeling (BIM) is a process for creating and managing information about a building throughout its lifecycle, from...
Frequently asked questions
What are the key UK GDPR principles that RICS data management tests?
The seven principles under UK GDPR are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. For the APC, you should be able to explain each principle and give a practical example of how it applies to surveying work — for instance, that data minimisation means only collecting the client information you actually need to deliver the service.
What is the RICS data management guidance note and what does it cover?
The RICS data management guidance note provides profession-specific guidance on collecting, storing, and using data in surveying practice. It covers data quality standards, governance frameworks, data security, and the professional obligations that arise from handling commercially sensitive or personal data. Candidates should understand its key themes and be able to reference it when explaining how their practice approaches data governance.
How do I handle a data breach under UK GDPR for the APC?
A personal data breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the Information Commissioner's Office within 72 hours of becoming aware of it. Where the risk is high, affected individuals must also be notified. In practice, this means having an incident response procedure, documenting the breach, assessing the risk, and acting promptly. At Level 3, assessors may ask how you would balance the notification obligation against the reputational risk to your firm.
What is the difference between a data controller and a data processor?
A data controller determines the purposes and means of processing personal data — typically the surveying firm acting on its own instructions. A data processor processes data on behalf of and under the instruction of a controller — for example, a cloud software provider hosting your practice management system. The distinction matters because controllers bear the primary legal responsibility under UK GDPR, whilst processors must operate under a written contract that specifies their obligations.
A client asks you to retain their property transaction files indefinitely, including personal data about former tenants. Your firm's retention schedule says destroy after seven years. How do you handle the conflict?
You explain to the client that UK GDPR's storage limitation principle requires that personal data is not kept longer than necessary for its original purpose. Retaining former tenants' personal data indefinitely has no lawful basis once the relevant limitation period for any dispute has passed. Your firm's seven-year schedule is likely set with this in mind. You can retain documents in redacted or anonymised form for longer if the client has a legitimate business reason, but you cannot override data protection law at a client's request. You document this advice in writing.
Related competencies
These competencies share themes and often come up together in APC interviews.
Unlock all 11 Data Management articles
Lifetime access to all 181 articles across the 11 mandatory competencies for £25. Updated every week.
Get Instant Access £25