Estate agent

Risky move: Estate agents least likely to have cyber security in place

Many small and medium sized estate agencies are putting themselves and their customers’ data at risk, by failing to implement adequate data protection strategies, an expert in cyber security has warned.

Despite strict new data protection rules that came into force in May 2018, a YouGov poll has revealed only 35% of small and medium sized businesses have a basic data protection policy and those working in real estate are the least likely to have cyber security measures in place.

According to Lionel Naidoo, director at Dragon Information Systems, this leaves agents vulnerable to attack and could also see them landed with hefty fines for non-compliance.

Lionel explains: “The General Data Protection Regulation (GDPR) came into force a year ago and with it came the risk of substantial financial penalties for businesses whose systems are not up to scratch. We are now starting to see the first fines being dished out and this should act as a wake-up call for any estate agencies who have yet to take action.”

He continued: “When you’re a small team with limited time and resources, data protection may be far down your to-do list, while you concentrate on the day job – selling properties. But it’s a very risky strategy to take, especially with cyberattacks on the rise. A breach could not only hit you financially, but also damage your reputation, which could have long lasting implications for the business.”

The Cyber Security Breaches Survey 2019 shows that already this year 32% of businesses have identified breaches or attacks. The most common form being phishing emails (80%), others impersonating the organisation online (28%), and viruses or other malware, including ransomware (27%). The average cost to businesses who lost data or assets following a breach is reported as being £4,180.

Lionel continued: “When we first start working with estate agents, they often don’t fully appreciate the dangers and how best to manage them. Our advice is to treat data protection as you would any other legal requirement.

“For example, you are required by law to take copies of passports and other important identification for money laundering purposes. You can’t make a sale without them. How you store and manage that data – which would be highly prized on the dark web as it is an easy route to identity fraud – is just as important an obligation.

“You have a duty of care to protect it, and that means having robust systems in place and providing training for team members, so they understand the importance of data security and how it applies to them day-to-day.”


Top tips for data protection

Here is Lionel’s advice for estate agents, on data protection and getting GDPR compliant:

  • Know what data you’re holding – It doesn’t matter how big or small your company is, if you conduct business in the UK then GDPR applies to you. Firstly, you need to understand what personal data you hold and collect, how you are acquiring it, how you are storing it and who has access to it. You need to have a ‘legal basis’ (an acceptable reason as described under GDPR) for having the data, and you should only be keeping hold of it for as long as you need to.
  • Update your processes – You need to think about your systems and to introduce a framework that has privacy at its core. How are you protecting the data you hold, including against cyberattacks? Things to consider here include the types of devices being used by team members (such as laptops and mobile phones), servers, back-ups and how/where they are stored, encryption, password policies, antivirus software and how you manage people leaving the company.
  • Think about consent – One of the biggest changes under GDPR is that individuals have more rights when it comes to their data. You must only use data for the purpose it has been provided and must be able to prove that explicit consent if questioned. So, if you have an enquiry about a house you are selling, you cannot automatically add that person’s details to your mailing list, without their consent. There’s no using automatic opt-ins or pre-ticked boxes either.
  • Introduce regular training – A large part of keeping your business and the data you hold safe, lies not only in having the right systems in place, but in making sure everyone in the team is aware of them and using them correctly. Have data protection training form part of the induction for all new starters and ensure it is repeated and updated yearly for all team members. It’s vital everyone knows how important it is.
  • Get help – If you are at all unsure about any of the issues raised here and how best to manage them, then the safest course of action is to seek the support of a reputable organisation, who can help you ensure you are fully compliant and have everything covered. You will also find lots of helpful information on the ICO website.


Dragon IS, based in Milton Keynes, is an IT support company and cyber essentials certified supplier.
Established over a decade ago, we specialise in working with small and medium sized businesses within the estate agency, financial and legal sectors.
For more information, please call us on 0330 363 0055.