Skip to content

News & opinion

20 MAR 2020

Keeping data as safe as houses

The new Data Handling and Prevention of Cybercrime Professional Statement will set out best practice and 24 mandatory obligations that RICS professionals and regulated firms must comply with. Ensure your business is ready by following our experts’ advice, and familiarise yourself with the Statement at

Everyone is responsible for ensuring data remains secure

Kevin Brogan FRICS is principal, valuation policy and compliance at CoreLogic in Adelaide

The principles set out in the Professional Statement will have a major impact on the role of the valuer, which has always involved large amounts of data handling, analysis and interpretation.

Transaction data and certain transaction types may be confidential in some markets and, if collected for valuation purposes, must be kept securely and used solely for the purpose intended. Valuers may receive sensitive data not intended for a valuation – for example a landlord’s credit history or bank statements as part of an instruction for a mortgage security valuation – that cannot be retained and therefore must be removed or deleted.

Similar to health and safety, data handling and security is everyone’s responsibility, and firms can support this by creating a compliant data-handling framework. Effective prevention of cybercrime will also require training, awareness and vigilance.

Valuers need to ensure they capture, store and share data only using approved devices and via a secure connection with robust passwords and encryption. Greater awareness and understanding of more stringent data handling often reveals a significant number of potential vulnerabilities, so it is critical that the new policy framework and practices are kept under constant review.

Asset managers must secure their commercial and financial data

Dominik Brunner FRICS is real estate investment adviser at Arelio in Munich

Property asset managers need to store a constantly increasing volume of data to stay competitive. Investors want more insights into the assets they own, or co-own; new proptech platforms, used by individuals and companies to research, buy, sell and manage real estate, require larger data sets, for example via tenant portals.

The RICS Professional Statement will give asset managers a concrete industry standard for data handling to adhere to, which is a critical component of a GDPR audit. The threats arising from cyber security are an important aspect of data handling and the discussion around GDPR rightly brought the subject to a wider audience.

The threats arising from cyber security are an important aspect of data handling and the discussion around GDPR rightly brought the subject to a wider audience


Dominik Brunner FRICS

Apart from protection of personal data, property asset managers must secure commercial and financial data against unauthorised "read" leaks and "write" access, such as ransomware that targets operational and financial data. The Professional Statement sets guidelines for backup strategies, password protection, usage of malware detections and encryptions, and provides checklists to help a real estate organisation secure itself appropriately.

IT infrastructure is exposed to a plethora of cyber attacks from various sources. It is vital, therefore, that firms address any shortcomings that could lead to a leak.

Smaller businesses with limited resources may struggle to comply

Justin Sullivan FRICS is managing director at London-based project management and surveying firm Adair

Meeting these cyber security requirements is going to be a big ask for smaller businesses that lack the required IT resources and skills.

I run a business with about 25 employees and, because we work on government contracts, we were compelled to go through an IT upgrade. This meant buying new computers, moving systems to the cloud, creating a secure encrypted environment with password protection, and ensuring our data segregation is GDPR compliant.

It was a lot of work, and I suspect that most micro firms, which make up around 80% of RICS members, haven’t gone to these lengths and don’t have an IT manager or IT department. Also, understanding of data policy is currently lacking; I still get emails that show other recipients’ email addresses, in breach of GDPR.

Many building surveyors and valuers at SMEs are unaware that photographs and notes taken when they visit sites are classified as personal client data and, according to the Statement, must be stored differently. I suspect most just store them on the same server as everything else, to which any employee can gain access.

Most SMEs will need to employ an IT company to complete the work. Yet standard terms of services for IT companies offer little protection to firms in the event of a cyber security breach, which will probably mean taking extra measures to insure against it.