Skip to content

Building surveying

Building surveying

This factsheet addresses the particular issues facing the building surveying business.

Purpose of this factsheet

The GDPR (General Data Protection Regulation) came into effect on 25 May 2018. It changes, updates and extends the scope of data protection law across the whole of the EU. There are many helpful guides as to the general requirements, including those provided by country regulators.

These factsheets have been developed by DLA Piper in collaboration with RICS to give professionals more insight into the specific ways in which GDPR will impact their business.

This factsheet addresses the particular issues facing the building surveying business. We have a range of other factsheets tailored to the business needs of other professionals, which you can access here.

Key features of the GDPR

The main areas for firms and individual professionals to address can be summarised as follows:

  • Transparency
  • Accountability
  • Processes and controls
  • Enforcement and fines
  • Data subject rights
  • Ongoing nature of obligations


You must be clear with your clients, marketing prospects, sub-contractors and employees about:

  • What data you're going to collect and use
  • Why you need this data - the purposes for which you need to process the data
  • How you're going to process the data and in which countries will data be processed
  • Whether you need to transfer the data to third parties

You must have clear, updated notices for all the relevant groups of people whose data you use. These notices must be easily found and always available and you must notify people appropriately of the existence of these notices (e.g. on your website, with your terms and conditions, at a sensible stage in any online purchasing process, and embedded in your HR recruitment processes).


  • Demonstrate that you have a clear view of the data flows across your entire business.
  • Identify the lawful basis for processing data in each case. For example:
  1. to fulfil contractual obligations
  2. to satisfy a legal requirement
  3. legitimate interests
  4. consent
  • If you are relying on consent, demonstrate it was freely given and is capable of being withdrawn.
  • For individual RICS professionals within firms, you will be able to rely on the firm processes and governance, provided you have reasonably satisfied yourself that it is being conducted in a diligent and compliant way.

Processes and controls

  • Governance Framework: you need to manage your compliance. This will include setting policies, running training and the potential appointment of a Data Protection Officer (DPOs): For example, if a significant proportion of your work is for local government, or other authorities, you should consider voluntarily appointing a DPO.
  • Privacy by design: you should incorporate a stage into your decision-making process to assess whether there will be any significant data aspects to new projects, systems or processes and, if so, evaluate what that impact will be.

Enforcement and fines

  • Regulators have a mandate to enforce compliance with the GDPR and greater enforcement rights. For example, regulators may impose a large fine of up to the greater of €20 million or 4% of annual global turnover in the event of particularly harmful breaches.

Data subject rights

  • You need to have processes in place to change or update data on request.
  • Individuals may request a copy of the data you hold on them at any time. You should ensure you have systems in place which can identify, retrieve and securely deliver responses to any requests.

Ongoing nature of obligations

  • Compliance with the GDPR is best achieved when it is adopted by the executives of your organisation and disseminated downwards.  Depending on the focus of your business, your surveyors and marketing executives will all need training to enable them to take responsibility for data security and management and to adopt good practice in how they carry out their roles.

Related Building Surveying events

Related Building Surveying journal articles

Case study: Building surveying


  • Partnership D is a small business conducting residential surveys in a local area.
  • Its clients include a purchaser of a property from a family with a severely disabled child who have made adaptations to the family home over the years.


  • In the course of conducting surveys, the partnership will collect large volumes of personal data, both of the clients for the surveys, and the sellers.
  • In the case of the family with the disabled child, information regarding health is a 'special category' of personal data.

GDPR points to note:

  • This is an overview of some key considerations: it is not an exhaustive list of the steps to take in order to ensure GDPR compliance.
  • It is assumed in each case that there is a comprehensive governance structure in place, and, for example, considerations of data retention and minimisation are embedded in the policies, systems and processes adopted by the organisation.
  • Employee data issues also need to be considered and addressed in every case: this is a significant area for most businesses.
  • Review of data processing activities: the partnership will need to identify all the categories of personal data currently being processed and for which it is the data controller and should also identify the purpose of the processing and the systems and locations in which it is held. This could include, for example: details of its clients, information about the sellers (e.g. their addresses and other contact details constitute personal data under the GDPR), and contact information for any other third parties. There is a risk of retaining special category data (e.g. in relation to the adaptations to the property), which means additional considerations and controls apply. In these circumstances, the partnership may decide it is better not to retain such data.
  • Record of data processing activities: the partnership must create or update appropriate and compliant records of all the data processing activity identified in the first step.
  • Lawfulness of processing: in order to continue processing this data, the partnership must identify the relevant legal groundin each case. For example, in relation to its clients, this is likely to be justifiable in the performance of the contracts with those clients. In relation to the sellers, the partnership might consider that they have a legitimate interest in processing this data. It is important to understand whether data is being re-used for different purposes, and the partnership has to identify the separate legal basis on which it is relying in each case. Where it wants to obtain consent, it must follow the requirements, namely: consent must be separate from other terms, be freely given and not a pre-requisite for receiving services and there must be no pre-ticked opt-in boxes.
  • Transparency: the partnership should review and, where appropriate, update all documentation relating to its processing activities. This will include fair processing notices on its website and associated with its terms of business, contract terms with its clients, suppliers and employees, and its own policies.
  • Governance: the partnership needs to have a governance framework in place to manage its processes, policies and compliance.

DLA Piper

  • DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at

    This publication is intended as a general overview and discussion of the subjects dealt with and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication.

    This may qualify as “Lawyer Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

    Copyright © 2018 DLA Piper. All rights reserved.