Estate agents occupy an unusual position under UK GDPR. You're collecting personal data at high volume — names, phone numbers, financial circumstances, chain positions — from people who are at their most stressed and distracted. Mistakes are easy. ICO enforcement in the residential property sector has increased every year since 2021.
This guide covers the practical obligations: what lawful basis applies to lead data, how long you can keep it, what your AI tools must do, and where agencies most commonly get it wrong.
1. Which lawful basis applies to estate agent lead data?
UK GDPR requires a lawful basis for every processing activity. Estate agents typically rely on two:
Contract: once a buyer or vendor has instructed you (or is in the process of doing so), processing their data is necessary to fulfil that contract. This covers CRM records, viewings management, offer progression, and conveyancing liaison. It does not cover marketing to people who enquired but never engaged further.
Legitimate interests: used for follow-up communications with leads who haven't yet instructed you. This basis requires a Legitimate Interests Assessment (LIA) and a balancing test. You must give people a clear way to object and honour any opt-out promptly. It has been under greater scrutiny since the ICO's 2024 direct marketing guidance.
Many agencies use consent as their lawful basis for qualification conversations, then fail to record it properly. If you claim consent, you need a timestamp, the exact wording shown to the person, and evidence of opt-in — not a pre-ticked box.
2. What must your privacy notice cover?
Your privacy notice must be provided at or before the point of first contact. It must be concise, transparent, and in plain English. Key fields the ICO expects estate agents to cover:
| Required field | What to include |
|---|---|
| Identity of controller | Your agency's full legal name and ICO registration number |
| Purpose and lawful basis | Why you're processing (e.g., "to qualify your property search requirements"), which lawful basis, and — if legitimate interests — what that interest is |
| Data recipients | Third parties who receive data: CRM providers, AI tools, conveyancers, referral partners (mortgage brokers, solicitors) |
| Retention period | How long you keep data and why (see section 3) |
| Rights | Access, rectification, erasure, restriction, portability, objection |
| Right to complain | ICO contact details: ico.org.uk, 0303 123 1113 |
Layer your privacy notice: a short summary on your website chatbot or enquiry form, linking to a full notice. The ICO's "just-in-time" approach means notices should appear at the moment data is collected — not buried in footer links.
3. How long can you keep lead data?
There's no single rule — retention depends on what happened with the lead:
Most agencies retain for 6 years post-completion to cover limitation periods for potential complaints or disputes. This is generally defensible under legitimate interests.
After this point, the legitimate interest in holding the data weakens significantly. Review your CRM for "stale leads" regularly and purge or re-engage with a documented re-consent process.
If you hold someone purely for newsletter or property alert purposes, you need documented consent or a valid legitimate interest. Annual review and suppression-list management are expected.
4. AI qualification tools and GDPR: what to check
AI chat-based qualification tools process significant personal data: financial circumstances, buying position, chain status. Before deploying any AI tool, you need answers to these questions:
4.1 Is the AI vendor a data processor or a data controller?
If the AI tool processes personal data on your behalf and under your instructions, they are a data processor. UK GDPR Article 28 requires you to have a written Data Processing Agreement (DPA) with them before processing begins. If they use your data to train their models, the relationship may be more complex.
Some AI vendors' standard terms allow them to use customer conversation data for model training. If a lead's financial circumstances are in a training dataset, that's a data breach waiting to happen. Always check the DPA and model training clauses explicitly.
4.2 Where is data processed?
UK GDPR restricts transfers of personal data to countries outside the UK without adequate safeguards. If your AI vendor uses US-based cloud infrastructure or LLM APIs (OpenAI, Anthropic, Google), check:
- Whether they have a UK IDTA (International Data Transfer Agreement) or the UK Addendum in place
- Whether sub-processors are listed and covered by the same agreements
- Whether data is processed in the UK or EU, even if the vendor is US-headquartered
Sift processes all conversation data in UK/EU infrastructure, never uses lead conversations for model training, and provides a signed DPA as standard. Our privacy notice template for estate agents is available on request.
4.3 Automated decision-making
UK GDPR Article 22 gives people the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Lead qualification scores are unlikely to cross this threshold — but if your AI tool automatically rejects leads or removes them from follow-up pipelines without human review, you should document why this doesn't constitute Article 22 processing.
The safest approach: use AI to flag and score leads for human review, not to make final decisions about who gets followed up. This is also better for conversions.
5. Subject access requests and the right to erasure
Leads can submit a Subject Access Request (SAR) at any time. You have one month to respond (extendable by two months for complex requests). Estate agents must be able to provide:
- A copy of all personal data held about the individual
- The purpose for which it's processed
- Who it's been shared with
- How long it will be retained
If your data is spread across a CRM, an AI tool, email, and a mortgage referral partner's system, fulfilling a SAR is complex. Maintain a data map of where lead data lives across your tech stack.
Leads can request erasure where: the data is no longer necessary; they withdraw consent (if consent was your lawful basis); they object under legitimate interests and your interests don't override. You can refuse erasure where processing is necessary for legal claims or legal obligations. Document all erasure decisions.
6. Telephone and SMS — PECR still applies
The Privacy and Electronic Communications Regulations (PECR) layer on top of UK GDPR for direct marketing by phone, email, and SMS. Key rules for estate agents:
- Automated calls: require explicit consent
- Live calls to individuals: consent required unless the number is not on the Telephone Preference Service (TPS) register — check the TPS before every unsolicited call
- SMS messages for marketing: require consent
- Transactional messages: not marketing (e.g., "your viewing is confirmed at 2pm"), so they don't require consent, but they must not include promotional content
Unsolicited SMS campaigns and failure to screen against TPS have been the primary enforcement targets in the residential property sector. The ICO levied four fines against property-adjacent businesses for PECR violations in 2025 alone.
7. GDPR compliance checklist for estate agents
Use this as a quarterly review framework:
- ICO registration: up to date, fee paid, processing activities accurate
- Lawful basis documented for each processing activity in your Record of Processing Activities (RoPA)
- Privacy notices current, plain English, accessible at point of data collection
- DPAs in place with all processors: CRM, AI tools, email marketing, referral partners
- Data map current — you know where every category of personal data lives
- Retention schedule documented and actioned — stale leads purged or re-engaged
- SAR process documented with named owner and one-month SLA
- Staff training completed in the last 12 months
- TPS checks before any outbound call campaign
- Breach response plan — you can notify the ICO within 72 hours if needed
This guide is for general information only. For advice specific to your agency's circumstances, consult a solicitor or a DPO. The ICO's guidance at ico.org.uk is comprehensive and free.
How Sift handles your leads' data
Sift is purpose-built for UK estate agents and designed with ICO compliance in mind from day one. Every conversation includes a pre-qualification consent gate — buyers see clear disclosure that their responses are being collected before any PII is recorded. We provide a DPA as standard, process data in UK/EU infrastructure, and never use your leads' data to train our models.
If you're evaluating AI lead qualification tools and want to see our DPA and security documentation before signing up, start a free trial and request our compliance pack through the dashboard.
