Property valuation

This factsheet addresses the particular issues facing the property valuation business.

Purpose of this factsheet

The GDPR (General Data Protection Regulation) came into effect on 25 May 2018. It changes, updates and extends the scope of data protection law across the whole of the EU. There are many helpful guides as to the general requirements, including those provided by country regulators.

These factsheets have been developed by DLA Piper in collaboration with RICS to give professionals more insight into the specific ways in which GDPR will impact their business.

This factsheet addresses the particular issues facing the property management business. We have a range of other factsheets tailored to the business needs of other professionals, which you can access here.

Key features of GDPR

The main areas for firms and individual professionals to address can be summarised as follows:

  • Transparency
  • Accountability
  • Processes and controls
  • Enforcement and fines
  • Data subject rights
  • Ongoing nature of obligations

Transparency

You must be clear with your clients, marketing prospects, sub-contractors and employees about:

  • What data you're going to collect and use
  • Why you need this data - the purposes for which you need to process the data
  • How you're going to process the data and in which countries the data will be processed
  • Whether you need to transfer the data to third parties

You must have clear, updated notices for all the relevant groups of people whose data you use. These notices must be easily found and always available and you must notify people appropriately of the existence of these notices (e.g. on your website, with your terms and conditions, at a sensible stage in any online purchasing process, and embedded in your HR recruitment processes).

Accountability

  • Demonstrate that you have a clear view of the data flows across your entire business.
  • Identify the lawful basis for processing data in each case. For example:
  1. to fulfil contractual obligations
  2. to satisfy a legal requirement
  3. legitimate interests
  4. consent
  • If you are relying on consent, demonstrate it was freely given and is capable of being withdrawn.
  • For individual RICS professionals within firms, you will be able to rely on the firm processes and governance, provided you have reasonably satisfied yourself that it is being conducted in a diligent and compliant way.

Processes and controls 

  • Governance Framework: you need to manage your compliance. This will include setting policies, running training and the potential appointment of a Data Protection Officer (DPO). For example, if a significant proportion of your work is for local government, or other authorities, you should consider voluntarily appointing a DPO.
  • Privacy by design: you should incorporate a stage into your decision-making process to assess whether there will be any significant data aspects to new projects, systems or processes and, if so, evaluate what that impact will be.

Enforcement and fines

  • Regulators have a mandate to enforce compliance with the GDPR and greater enforcement rights. For example, regulators may impose a large fine of up to the greater of €20 million or 4% of annual global turnover in the event of particularly harmful breaches.

Data subject rights

  • You need to have processes in place to change or update data on request.
  • Individuals may request a copy of the data you hold on them at any time. You should ensure you have systems in place which can identify, retrieve and securely deliver responses to any requests.

Ongoing nature of obligations

  • Compliance with the GDPR is best achieved when it is adopted by the executives of your organisation and disseminated downwards. Depending on the focus of your business, your surveyors and marketing executives will all need training to enable them to take responsibility for data security and management and to adopt good practice in how they carry out their roles.

Case Study: Property valuation

Scenario:

  • Company A carries out property valuations for its investor clients. The potential portfolios include commercial and residential property. The clients are represented by the usual third parties, including brokers and panel managers.

Issues:

  • Market information about rent yields is derived from both internal sources and data licensed from third parties;
  • Client data (actual and prospective) is stored across a variety of CRM systems and local spreadsheets. A centralised CRM system, hosted in the US, is used and accessible across the entire group;
  • Periodic valuations (e.g. for regulatory reporting and accounting purposes) are performed for existing clients but the data is not segregated.

GDPR points to note:

  • This is an overview of some key considerations: it is not an exhaustive list of the steps to take in order to ensure GDPR compliance.
  • It is assumed in each case that there is a comprehensive governance structure in place, and, for example, considerations of data retention and minimisation are embedded in the policies, systems and processes adopted by the organisation.
  • Employee data issues also need to be considered and addressed in every case: this is a significant area for most businesses.
  • Review of data processing activities: Company A must identify all the personal data it collects, uses and transfers in the course of its activities. In relation to the market data, much if not all of this information is likely to be financial rather than personal data. However, likely categories of personal data include:
  1. client contact information
  2. information about residential properties and details of tenants
  3. photographs of residential properties
  4. contact details for individual brokers and managers
  • Record of data processing activities: Company A must have a clear view of all the systems and applications it uses to store and process data, including where they are located and backed up, which use third party systems and which are owned by the company. Company A must create or update records which track this information. For example, market information from third parties that contains any personal data will not be within Company A's sole control, so it will need to understand how the data is accessed, secured and transmitted.
  • Lawfulness of processing: Company A must identify the legal basis on which it is relying for processing personal data in each case. In relation to corporate clients as it conducts valuations and in relation to contact details for the representatives from the client companies, company A is likely to have a legitimate interest in storing and processing their data in the course of performing its contract with those clients. In respect of marketing data, company A may be able to show it has a legitimate interest or it may rely on consent. 
  • It is important to understand whether data is being re-used for different purposes, and company A has to identify the separate legal basis on which it is relying in each case. Where company A wants to obtain consent, it must follow the requirements, namely: consent must be separate from other terms, freely given and not a pre-requisite for receiving services. In addition, there must be no pre-ticked opt-in boxes.
  • Governance: Company A should have a governance framework in place to manage its processes, policies and compliance.
  • Transparency: Company A must ensure it is transparent with individuals about how it is processing their data. This may involve updating privacy notices, contract or engagement terms with clients, brokers, panel managers and other third parties.
  • The third party data sources are unlikely to contain personal data, although company A should verify this. Any such data feeds, if permitted by the licence terms, can be co-mingled with internal data for the purposes of producing an opinion for clients.
  • It is very common for a relatively unmanaged suite of CRM applications and approaches to co-exist, particularly where local teams are incentivised to manage accounts and hit targets. This does not excuse company A from its obligations under the GDPR to have a comprehensive picture of:
  1. what personal data it processes
  2. where that data is held
  3. what conditions/justifications exist for the processing
  4. how data flows in and out of systems are managed and operate

DLA Piper