Why GDPR Applies to Surveyors
Surveying is a data-intensive profession. Every time you accept a commission, you collect personal data: the client's name, address, contact details, financial position, mortgage lender details, and often sensitive information about the people who occupy the property you are surveying.
GDPR applies to any organisation that processes personal data about individuals in the UK or EU, regardless of size. That includes sole-practitioner chartered surveyors, small valuation firms, building survey practices, and RICS-regulated businesses of every scale.
The fact that your work is primarily about bricks, mortar, and market values does not reduce your data protection obligations. In many cases, it increases them — because property surveys regularly touch financial data, health-related access requirements, and the personal circumstances of people who are not your clients.
Types of Personal Data Surveyors Process
Understanding what data you hold is the starting point for compliance. Surveyors typically process:
Client data
- Full name, address, email, and phone number
- Instructions, correspondence, and fee agreements
- Financial information (purchase price, mortgage amount, intended use)
Property owner and occupant data
- If the property is tenanted, you may hold the landlord's details and the tenant's name
- Occupants may not be your clients — they are third parties whose data you process without a direct relationship
Mortgage lender and solicitor data
- Many surveys are commissioned on behalf of lenders; you hold their instructions and the borrower's details simultaneously
- Lender-specific data handling requirements apply alongside GDPR
Health-related access information
- Clients or occupants may disclose access requirements relating to disability or health conditions to arrange inspection access
- This is Article 9 special category data under GDPR and requires explicit consent or a specific lawful basis beyond the standard options
Drone and photography data
- Aerial survey images may capture neighbouring properties and, if people are present, individuals
- This constitutes personal data if individuals are identifiable
Legal Basis for Processing
GDPR requires you to identify a lawful basis before processing personal data. Surveyors typically rely on three, with explicit consent added where special category data is involved:
Contract (Article 6(1)(b))
The most common basis. When a client commissions a survey, you need their personal data to carry out that contract. Processing their name, contact details, and relevant financial information to complete and deliver the report is justified under contract.
This basis does not extend indefinitely. Once the contract is complete and the retention period has passed, you can no longer rely on it.
Legal obligation (Article 6(1)(c))
Regulatory obligations under RICS standards, AML (anti-money laundering) requirements, and professional indemnity requirements may require you to retain certain records. Where processing is necessary to meet a legal obligation, this basis applies.
Legitimate interests (Article 6(1)(f))
Used for activities that are not strictly required by the contract but serve a reasonable business purpose — for example, maintaining client records for reference in the event of a future dispute, or sending relevant updates to past clients. Legitimate interests requires a three-part test: identify the interest, confirm the processing is necessary, and balance it against the individual's rights. If the individual would reasonably object, legitimate interests is unlikely to hold.
Explicit consent (Article 9(2)(a))
Required for special category data such as health information. If a client or occupant discloses a disability to facilitate access, you should obtain explicit written consent before recording and retaining that information beyond the immediate practical need.
Sharing Reports with Third Parties
Survey reports are professional documents, but they contain personal data — and sharing them is a data transfer under GDPR.
Mortgage lender instructions
Where a survey is commissioned for a lender, the lender is typically a joint client or the primary client. Sharing the report with the instructing lender is covered by the contract basis. Sharing with a different lender, or a third party not named in the instruction, requires a separate basis.
Solicitors
Solicitors acting for your client may receive a copy of the report. This is generally covered by contract or the client's explicit direction. Ensure your terms of engagement specify who the report may be shared with.
Estate agents and other parties
Estate agents often ask for sight of survey findings to facilitate a renegotiation. Before sharing any report content — even a summary — confirm you have the client's explicit instruction to do so. Verbal agreement is difficult to evidence; a brief written confirmation is better practice.
Data Processing Agreements
If any third party processes personal data on your behalf — a VA handling correspondence, a cloud report platform, a valuation software provider — you need a Data Processing Agreement (DPA) in place. This is a contractual requirement under GDPR Article 28, not optional.
Drone Surveys and Photography
Drones present a distinct GDPR challenge for surveyors. An aerial survey of a roof or boundary may capture:
- Neighbouring properties and gardens
- Individuals who are present in or around the property
- Vehicles with visible registration plates
Where images capture identifiable individuals or their property in detail, this is personal data. The Information Commissioner's Office (ICO) guidance on drones confirms that drone operators processing personal data must comply with GDPR.
Practical steps:
- Notify property occupants and, where practicable, neighbours before conducting a drone survey
- Minimise image capture to the survey subject
- Establish a retention period for drone footage and delete images once the survey is complete and any dispute period has passed
- Include drone data handling in your privacy notice
Photography of properties for reports should be handled similarly. Images showing occupant possessions, vehicles, or people should be reviewed and, where not relevant to the survey, deleted.
Digital Survey Tools and Platforms
Many surveyors now use software platforms for report writing, valuation databases, and client management. Where these platforms process personal data on your behalf, you are the data controller and they are processors.
This means:
- You must have a DPA in place with the platform provider
- You should know where data is stored geographically (UK, EU, or third country)
- If data is processed outside the UK or EU, you need appropriate transfer safeguards (adequacy decision or standard contractual clauses)
- You remain responsible for the data even though the platform holds it
Common platforms used by surveyors — valuation portals, report writing tools, e-signature services, and CRM systems — should all be reviewed against this framework. Do not assume compliance because the platform is well-known.
Email Marketing to Past Clients and Developers
Many surveyors maintain relationships with property developers, housing associations, and professional introducers. Marketing to these contacts requires a lawful basis.
Under GDPR (and PECR for electronic marketing):
- Emailing individual past clients for marketing purposes requires their prior consent unless the "soft opt-in" rule applies — they are an existing client, you are marketing similar services, and you offered an opt-out when you first collected their details
- Marketing to businesses (at a company email address) has slightly more flexibility, but marketing to named individuals at those businesses still engages GDPR
- Unsolicited marketing emails to individuals without consent or a valid soft opt-in basis are a PECR breach, not just a GDPR issue
Best practice:
- Maintain a marketing consent register separate from your client file
- Include an unsubscribe mechanism in every marketing email
- Review your contact list periodically and remove contacts who have not engaged or who have opted out
Data Retention for Survey Reports and Correspondence
One of the most common compliance gaps in surveying practices is the absence of a defined retention policy.
Survey reports are professional documents that may be referenced in dispute proceedings. RICS guidance acknowledges the need to retain records, and professional indemnity insurance considerations point toward longer retention periods. However, GDPR's storage limitation principle requires that personal data is not kept longer than necessary.
Practical framework:
- Survey reports: Retain for the duration of your PI insurance run-off period, typically six years from the date of the report, aligned with the Limitation Act 1980 for professional negligence claims. Some practices retain for up to 15 years where structural surveys are involved.
- Client correspondence: Retain alongside the report; delete at the same point
- Lender instructions: Follow lender-specific requirements, which may specify their own retention periods
- Marketing correspondence: Retain only while the contact remains active; delete promptly after opt-out or disengagement
- Drone footage: Delete once the survey is delivered and the standard dispute period has passed (typically 30–90 days post-delivery)
Document your retention schedule. A one-page policy stating what you keep, why, and for how long is sufficient for a sole practitioner. Firms should have a more formal retention schedule reviewed periodically.
RICS Guidelines and Data Protection
RICS does not operate as a data protection regulator, but its professional standards interact with data protection obligations in several ways.
The RICS Rules of Conduct require members to maintain appropriate professional standards, which includes handling client data responsibly. The RICS consumer protection requirements require transparency about how client information is used.
AML obligations under the Money Laundering Regulations require you to verify client identity and retain verification records for at least five years — this retention is a legal obligation basis under GDPR, not discretionary.
RICS-regulated firms handling mortgage valuations must comply with lender panel requirements, which often include specific data security standards. These are contractual obligations, but failure to comply may also indicate inadequate technical and organisational measures under GDPR Article 32.
Compliance Checklist
Sole Practitioners
- [ ] Register with the ICO (required if you process personal data as a data controller — annual fee applies)
- [ ] Publish a privacy notice on your website covering what data you collect, why, legal basis, retention period, and data subject rights
- [ ] Document the lawful basis for each type of data you process (client data, lender data, health/access data, drone imagery)
- [ ] Establish a retention schedule for survey reports and correspondence (align with PI run-off period)
- [ ] Review any software platforms that process client data on your behalf and confirm DPAs are in place
- [ ] Introduce a separate consent process for special category data (access requirements, health disclosures)
- [ ] Ensure marketing emails include an opt-out and maintain a consent record
- [ ] Establish a simple data breach procedure — you have 72 hours to report a serious breach to the ICO
Surveying Firms
Everything above, plus:
- [ ] Appoint a data protection lead (you are unlikely to require a formal DPO unless you process large volumes of special category data, but having a named lead is good practice)
- [ ] Maintain a Record of Processing Activities (RoPA) — a formal register of all data processing operations, required under GDPR Article 30 for organisations with 250+ employees, but best practice for any regulated firm
- [ ] Conduct a Privacy Impact Assessment (PIA) before introducing new technology that processes personal data (new valuation software, drone programmes, AI report tools)
- [ ] Train staff annually on data protection obligations and your internal procedures
- [ ] Review DPAs with all processor suppliers annually
- [ ] Implement role-based access controls so staff only access data they need for their specific function
- [ ] Maintain a documented data breach log, even for incidents you do not report to the ICO
Where to Start
If you are a sole practitioner or a small firm and have not yet addressed GDPR compliance, the most important first steps are: register with the ICO, publish a privacy notice on your website, and identify the lawful basis for your main data processing activities.
For a faster starting point, run a free scan of your website at app.custodia-privacy.com/scan. Custodia identifies trackers, missing cookie consent, and privacy policy gaps in under 60 seconds — no signup required. It is a practical first step before you work through the broader compliance framework for your practice.
This article provides general guidance on GDPR obligations for surveyors and valuers. It does not constitute legal advice. Your specific obligations depend on your jurisdiction, the nature of your practice, the types of data you process, and your regulatory requirements. Consult a qualified data protection adviser or your professional body for advice tailored to your practice.