More Small Businesses Will Soon Need to Comply with the Privacy Act
Real estate businesses handle a lot of personal information. More than most.
From open homes and inspections through to tenancy applications, identity checks, contracts and ongoing client communications, agencies sit at the intersection of high-volume data, fast-moving operations and growing regulatory scrutiny.
And now, that scrutiny is increasing.
From 1 July 2026, many real estate businesses will fall under new obligations as part of the Anti-Money Laundering reforms, bringing Privacy Act responsibilities into sharper focus, often for the first time.
For many agencies, this is not just a compliance update. It’s a reality check.
This is where things usually break down
Most real estate agencies don’t have a “privacy problem” because they’re careless. They have a problem because their processes have evolved organically. A bit here. A workaround there. A system added. A folder created. A policy downloaded.
Over time, it becomes something like this:
- personal information collected at open homes in different ways by different agents
- tenancy application data spread across inboxes, CRMs and shared drives
- ID documents saved “for now” and never revisited
- privacy policies that don’t reflect what actually happens on the ground
- no clear ownership of who is responsible for what
Individually, none of this feels catastrophic. Collectively, it creates risk. Not just regulatory risk, but operational and reputational risk too.
Because when someone asks, “What do you collect, where is it, and why do you have it?” …most agencies don’t have a clean answer.
What actually needs to be fixed
The good news is that this is not about reinventing your business. It’s about tightening the fundamentals. Here are the areas real estate agencies should be focusing on now.
1. Inconsistent data collection at open homes
This is one of the biggest exposure points. Different agents collect different information, in different formats, for different reasons. Sometimes it’s written down. Sometimes it’s digital. Sometimes it’s “just in case”. The problem isn’t just what’s collected. It’s the lack of consistency and justification.
What to fix:
- standardise what information is collected and why
- remove unnecessary fields, so you’re not collecting more than you need
- make sure staff understand what they should (and shouldn’t) collect
2. ID handling that goes too far
Many agencies collect and store full copies of ID documents. Passports. Driver’s licences. Utility bills. Often indefinitely. Under the new expectations, that approach becomes harder to justify.
What to fix:
- review whether you actually need full copies of ID
- move toward storing only the information required
- define clear rules around when ID is collected, stored and deleted
3. Data spread across too many places
This is where most agencies lose control. Personal information ends up across inboxes, shared drives, CRM systems, property management platforms and third-party tools. No single view. No clear ownership.
What to fix:
- map where personal information sits across the business
- understand who has access
- reduce duplication where possible
If you don’t know where the data is, you can’t manage it properly.
4. Privacy policies that don’t reflect reality
Most agencies have a privacy policy. Very few have one that reflects how the business actually operates. That gap matters. Because regulators don’t just look at what you say. They look at what you do.
What to fix:
- align your privacy policy with real-world practices
- update collection notices where needed
- make sure staff understand what the policy actually means in practice
5. No clear ownership
Privacy is often “owned” by no one. Or by everyone. Which usually means it’s handled reactively.
What to fix:
- assign clear responsibility for privacy and data handling
- define who owns policies, processes and reviews
- make privacy part of business operations, not just documentation
6. Retention and deletion are an afterthought
Data gets collected. Then it gets saved. For months. Years. Sometimes indefinitely.
This is one of the fastest ways to increase risk.
What to fix:
- define how long different types of information should be kept
- implement a process for deletion or de-identification
- stop keeping information “just in case”
You can’t breach what you don’t have.
This is not just about compliance
It’s easy to frame this as a regulatory issue. But it’s bigger than that. Real estate is a trust-based industry. People hand over sensitive personal information with the expectation that it will be handled properly.
When that trust is broken — whether through poor practices or a data incident — the impact is real. That’s why this shift matters. Not just because the rules are changing.
But because expectations are rising.
The real opportunity
Most agencies will respond to these changes reactively. They’ll update a policy. Run a training session. Fix things just before they need to. A smaller group will take a different approach. They’ll:
- get clear visibility over their data
- align their processes
- assign ownership
- and build something that actually works day-to-day
Those agencies won’t just be compliant. They’ll be easier to run, easier to scale, and easier to trust.
The Privacy Act changes are not the problem. They’re the trigger. The real issue is whether your current way of managing personal information can stand up to scrutiny.
For many real estate agencies, the honest answer is: not yet.
The good news? This is fixable. But it’s much easier to fix before the pressure hits.
Need help getting your ducks in a row?
de.iterate helps real estate businesses bring privacy, cyber security and compliance into one practical system, connecting policies, registers, risks, evidence and reporting in one place.
So compliance becomes something you can manage and maintain, not something you scramble to prove.
Book a demo to see how it works.