Data protection is something every independent inventory clerk, agent and landlord must handle—but too often, it feels wrapped in jargon, fear, and unnecessary paperwork. In our recent AIIC webinar, we were joined by Rob Cole (Senior Engagement and Policy Officer) and Jessy Jarvis from the Information Commissioner’s Office (ICO). Their message was reassuringly clear:

Small businesses must be compliant, but GDPR should be simple, proportionate, and practical—not a mountain of paperwork.

Below, we’ve summarised the most important points that apply directly to inventory clerks and those working in the private rented sector.

1. Understanding Data Roles: Controller, Processor, or Both?

One of the biggest areas of confusion is who is legally responsible for data. Rob Cole broke this down simply:

• Data Controllers decide how and why personal data is used.
  This includes sole traders and small businesses—size doesn’t reduce responsibility.
• Data Processors act only on the instructions of a controller.
• Joint Controllers share responsibility and must have clear agreements in place.
• Controller–Processor contracts must set out how data is used, secured, retained, and handled during a breach before any work begins.

Jessy added an important clarification, especially relevant to the inventory sector:

Property data alone is not personal data—unless it identifies a living individual.

For example:
A photo of an empty kitchen is not personal data.
A photo including a child’s school certificate is.

This distinction affects how clerks structure reports, manage images, and store data relating to sole-trader landlords, whose business contact details may also qualify as personal data.

2. Privacy, Transparency, and the Core GDPR Principles

Rob reminded us that the seven data protection principles sit at the heart of UK GDPR. The ICO emphasised three above all:

• Lawfulness
• Fairness
• Transparency

For clerks, this means being upfront about:

• what data you collect
• why you collect it
• who receives the report
• how long you keep information
• your legal basis for doing so

Providing a clear Privacy Notice isn’t optional—and the ICO made this easier than ever with their simple generator tool:

👉 ICO Privacy Notice Creator:
https://ico.org.uk/for-organisations/advice-for-small-organisations/privacy-notices-and-cookies/create-your-own-privacy-notice/

Rob also cautioned against defaulting to consent as the lawful basis. For most day-to-day clerk work, contract, legitimate interest, or legal obligation provide a more stable foundation—especially since consent can be withdrawn at any time.

3. Individual Rights and Subject Access Requests (SARs)

Subject Access Requests remain the most common interaction many small businesses have with GDPR.

Key points from Rob:

• Requests can be verbal or written.
• You have one month to respond (extendable to three for complex cases).
• You cannot charge a fee.
• Identity checks should be reasonable, not obstructive.
• Clarify what the requester actually needs—this avoids unnecessary work.
• Data should be provided in a commonly accessible electronic format.

Other rights—erasure, rectification, portability, and objection—may arise less frequently in the inventory world but still require a straightforward response process.

4. Data Breaches: Staying Calm and Acting Quickly

A breach isn’t always a cyber attack. In the inventory sector, simple mistakes like:

• emailing the wrong landlord
• losing a device
• uploading the wrong report
• sending access information to the wrong party

can all qualify.

Rob outlined the required approach:

1. Contain the issue (e.g., ask the unintended recipient to delete the file).
2. Assess the risk—does it put someone’s rights at risk?
3. Report to the ICO within 72 hours if that risk is significant.
4. Record everything, even if unreported.
5. Review and improve to prevent reoccurrence.

The ICO’s “ripple effect” campaign highlights how even small errors can cause real harm—so proportionate, prompt action matters.

5. Data Retention and Disposal: Keep It Only As Long As Needed

Jessy and Rob were clear:
Don’t keep data forever.

This is especially relevant for inventory clerks, whose photographs and reports can accumulate quickly.

Examples discussed:

• Some records (e.g., payroll) have legally mandated retention periods.
• Others—such as photos and reports—are determined by your business needs, often aligned with the tenancy length and deposit dispute timeframes.
• Tools like Inventory Base can automate deletion schedules to reduce risk.
• Not all data needs shredding—only content that identifies living individuals.

A simple, clear retention policy is enough, provided it is documented and reflected in your Privacy Notice.

6. ICO Registration and Fees

Most inventory clerks process personal data electronically and therefore must pay the ICO data protection fee—typically £52 per year for small operators. Exemptions do exist, and the ICO encouraged members to use their quick online tool:

👉 ICO Fee Self-Assessment:
https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee-self-assessment/

Remember:
Having CCTV—even in a home office—automatically triggers the fee requirement.

7. Upcoming Legal Changes: What Clerks Should Watch For

Rob highlighted two legislative updates:

• The Data Use and Access Act 2025 – strengthening transparency and expanding obligations in phased rollouts.
• The Renters Rights Act – introducing new expectations for landlords and agents handling tenant information.

The ICO will continue to update its guidance as these changes take effect, and AIIC will ensure members remain informed.

8. The Light-Touch Approach: What Clerks Actually Need

The ICO made it clear that small businesses do not need corporate-level documentation. Instead, they need:

• A simple privacy notice
• A short retention policy
• Clear processor agreements
• Secure storage and sensible operational practices
• Transparency with tenants
• A calm, proportionate breach response plan

And importantly:

You can link to your Privacy Notice and Retention Policy directly in your report disclaimers to streamline compliance.

This aligns perfectly with the realities of inventory work: practical, efficient, and easy to implement.

Final Thoughts

The webinar confirmed what the AIIC has long advocated: compliance doesn’t have to be complicated. With clear processes, proportionate documentation, and the free tools the ICO provides, independent inventory clerks can remain compliant without drowning in paperwork.

Over the coming months, the AIIC will continue to provide templates, short guides, and sector-specific advice to help members stay confident and compliant.

If you missed the webinar, a replay will be made available to members shortly.

Further resources

If you’d like to view the notes from the meeting you can find them here

We have produced a Light Touch data retention policy that you can amend for your own use. Download below

We’ve also produced a simple, step by step guide for smaller businesses that want to stay compliant. Find it below

Links

The ICO have a wealth of resources to help and you can find them here

https://ico.org.uk/for-organisations

Find the fee self-assessment tool here

https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee-self-assessment

You’ll find the Privacy Policy generator tool here

https://ico.org.uk/for-organisations/advice-for-small-organisations/privacy-notices-and-cookies/create-your-own-privacy-notice/privacy-notice-generator-for-customers-or-suppliers

Protecting AIIC Members from Phishing Attacks

Phishing attacks are on the rise in the UK and pose a serious threat to independent inventory clerks, landlords, and agents. Criminals impersonate trusted organisations to steal personal data or gain unauthorised access, leading to financial loss and reputational damage.

What Is Phishing?

Phishing is a form of cyber-crime in which attackers masquerade as legitimate entities—often via email, text, or phone—to trick recipients into providing sensitive information (e.g. login credentials, bank details, identity documents) or clicking malicious links.

A Real-Life Example

Here’s a phishing email received by AIIC staff, spoofing HMRC’s VAT service:

Notice the subtle grammar errors, the urgent tone, and the “Update” button that leads to a fake portal.

UK-Specific Statistics

• 3.4 billion phishing emails are sent globally every day.
• Phishing accounted for 79% of fraud cases recorded by the National Crime Agency (NCA).
• HMRC saw a 178% increase in phishing reports during 2023, per Proofpoint data.
• Over 1 in 4 UK adults report receiving a suspicious message each month, according to the National Cyber Security Centre (NCSC).

How to Protect Yourself

• Verify the sender. Hover over links and check where it is pointing to. You can see this usually in the bottom left-hand corner of your mail program. The email addresses should match legitimate domains (e.g. @hmrc.gov.uk).
• Be sceptical of urgency. Phishers often claim your “account will be closed” or “you’ll face fines” to rush you into mistakes.
• Never click unexpected links or attachments. Instead, go directly to the organisation’s official website.
• Use multi-factor authentication (MFA). Add an extra layer of security to all critical accounts.
• Keep software up to date. Apply OS and application patches promptly to close security gaps.
• Report suspicious messages. Forward phishing emails to report@phishing.gov.uk (HMRC) or report via the NCSC’s Reporting Service.

Stay Safe Out There

Keep your business and personal information safe by following our guidelines and think about signing up for CyberEssentials certification. It’s free and could save you a lot of heartache!

Further UK Resources

• National Crime Agency (NCA) – guidance on fraud prevention and reporting
• National Cyber Security Centre (NCSC) – advice, alerts, and technical guidance
• Email HMRC Phishing Service at report@phishing.gov.uk for VAT and tax-related scams
• Information Commissioner’s Office (ICO) – data-protection and privacy guidance