Certaby

Do I need Cyber Essentials for my letting agency to handle tenant personal data alongside Certaby?

Cyber Essentials is not a legal requirement for UK letting agents under the Money Laundering Regulations 2017 (MLR 2017), and ARLA Propertymark does not mandate it. The Information Commissioner's Office (ICO) points to it as a suitable security baseline for any UK organisation handling personal data under UK GDPR, and insurers offering professional indemnity (PI) cover increasingly expect it. The self-assessed tier (Cyber Essentials Basic) costs around £300 a year plus VAT, priced by organisation size; the independently audited Cyber Essentials Plus tier costs roughly £1,500-£3,000.

What Cyber Essentials actually covers:

1. Firewalls. Boundary firewalls and routers configured so that attackers cannot reach internal systems or device management interfaces from the internet; every inbound rule justified, unused rules removed.

2. Secure configuration of devices and software. Default passwords changed, unused accounts and software removed, autorun disabled, devices locked when idle and set to update automatically.

3. User access control. One account per person, strong unique passwords, multi-factor authentication on every cloud service that offers it, and admin rights granted only when needed, never used for day-to-day email or browsing, and revoked promptly.

4. Malware protection. Antivirus with on-access scanning and automatic updates, or application allow-listing, on every device that handles customer data.

5. Patch management. Operating systems, firmware and applications kept within vendor support and updated within 14 days of a security patch being released where it fixes a vulnerability rated high or critical (CVSS v3 score 7.0 or above).

These five controls address the most common causes of UK small-business breaches: phishing emails leading to credential theft, weak or reused passwords, unpatched browsers and office software, and devices without basic malware protection. The Federation of Small Businesses' reports on SME cyber crime show these patterns dominating incidents year after year.

What Certaby contributes on the personal-data side of UK GDPR. The public /verify/<hash> page never carries party PII (name, date of birth, nationality, address). It carries only the verdict, the versions of the screening lists used at screening time, the timestamp, the issuing firm and the certificate hash. The full party record lives in your operator dashboard under your firm's account, and the hash lets a regulator confirm that a certificate is genuine and unaltered without the individual's data ever being published. The data-minimisation principle in UK GDPR Article 5(1)(c) is therefore met at the public-verification layer by design. Note that this covers only the public page: the party data in your dashboard, and any copies your staff keep on laptops or in email, remain your responsibility as the data controller.
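As an added illustration (not Certaby's code, and not a description of how Certaby actually computes its cert hash), the Python below shows one way a public verification record can commit to a full screening record while exposing no party PII: the public view is built from an explicit allow-list of fields, the cert hash is a SHA-256 over the canonical full record, and a regulator who has lawfully obtained the full record can recompute the hash to confirm the public page matches it. All field names, record values, list versions and the firm name are constructed for the example; the allow-list and the private nonce are design choices of this illustration, not documented Certaby behaviour.

```python
"""Added illustration, not Certaby's code: one way a public verification record
can commit to a full screening record without exposing the party's PII.
Every field name, record value and firm name below is constructed for the
example; the allow-list and the private nonce are design choices of this
illustration, not documented Certaby behaviour."""
import hashlib
import json
import secrets
from typing import Optional, Tuple

# Deny-by-default: only these keys may appear on the public verify page.
# A PII field added to the full record later cannot leak by accident.
PUBLIC_FIELDS = ("verdict", "list_versions", "screened_at", "issuing_firm")

# Keys that must never appear anywhere in the public view (hypothetical names).
PRIVATE_KEYS = {"party", "nonce", "name", "date_of_birth", "nationality", "address"}


def canonical_json(obj: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def cert_hash(full_record: dict) -> str:
    """SHA-256 over the canonical full record: the certificate's public identifier."""
    return hashlib.sha256(canonical_json(full_record)).hexdigest()


def issue_certificate(party: dict, verdict: str, list_versions: dict,
                      issuing_firm: str, screened_at: str,
                      nonce: Optional[str] = None) -> Tuple[dict, dict]:
    """Return (full_record, public_record).

    full_record stays in the operator dashboard; public_record is what a
    /verify/<hash> page would serve.
    """
    full = {
        "party": party,
        "verdict": verdict,
        "list_versions": list_versions,
        "issuing_firm": issuing_firm,
        "screened_at": screened_at,
        # Secret nonce. Without it, anyone with a guess at the party's identity
        # could rebuild the record, recompute the hash and confirm the guess
        # from the public page alone, defeating the data minimisation.
        "nonce": nonce or secrets.token_hex(16),
    }
    public = {key: full[key] for key in PUBLIC_FIELDS}
    public["cert_hash"] = cert_hash(full)
    return full, public


def leaked_private_keys(obj) -> set:
    """Walk any nested dict/list and return private keys found anywhere in it."""
    found = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in PRIVATE_KEYS:
                found.add(key)
            found |= leaked_private_keys(value)
    elif isinstance(obj, list):
        for value in obj:
            found |= leaked_private_keys(value)
    return found


def regulator_verify(public_record: dict, disclosed_full_record: dict) -> bool:
    """A regulator who has lawfully obtained the full record from the firm
    checks that it is the record the public page commits to and that the
    public fields were not altered after issue."""
    if cert_hash(disclosed_full_record) != public_record.get("cert_hash"):
        return False
    return all(disclosed_full_record.get(key) == public_record.get(key)
               for key in PUBLIC_FIELDS)


# Constructed sample data (not a real person, firm or list version).
SAMPLE_PARTY = {"name": "A. Example", "date_of_birth": "1990-01-01",
                "nationality": "GB", "address": "1 Example Street, London"}
SAMPLE_LISTS = {"hmt_sanctions": "2026-05-18", "pep": "2026-05-15"}


def demo(nonce: str = "00" * 16) -> Tuple[dict, dict]:
    """Issue one certificate with a fixed nonce so the output is reproducible."""
    return issue_certificate(SAMPLE_PARTY, "clear", SAMPLE_LISTS,
                             "Example Lettings Ltd", "2026-05-19T09:30:00Z", nonce)


if __name__ == "__main__":
    full, public = demo()
    print(json.dumps(public, indent=2))
    print("private keys on public page:", leaked_private_keys(public) or "none")
    print("regulator check:", regulator_verify(public, full))
```

The allow-list is the design choice that matters: a public serialiser that copies the full record and then deletes PII fields will leak the next field someone adds, whereas one that copies only named fields cannot. The nonce matters because a screening record is low-entropy from an attacker's point of view; anyone who already suspects who was screened could otherwise rebuild the record and confirm the guess against the public hash. In a real deployment the equivalent of leaked_private_keys belongs in CI, run against the output of the actual public serialiser.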

Whether the AML tool itself needs to be Cyber Essentials certified. Certaby runs in AWS's London region (eu-west-2); AWS holds ISO 27001, SOC 2 and PCI DSS attestations for the infrastructure layer. Certaby as a vendor is ISO 27001-aligned (aligned to the standard rather than independently certified against it) at the application layer: encryption in transit and at rest, access control via Clerk, and audit logging. Under the shared-responsibility model none of that covers the letting agent's own laptops, email accounts, passwords and staff, which is where the breach causes listed above actually land. The firm therefore needs its own baseline (Cyber Essentials being the most pragmatic UK starting point) regardless of which AML tool it uses; a vendor's compliance does not transfer to the buyer firm.

Practical recommendation for a small letting agency: budget around £300 a year for the Cyber Essentials Basic self-assessment alongside whatever the AML tool costs. Insurers offering PI cover increasingly make it a condition of policy renewal, especially for firms holding £100,000 or more of client money or managing 50 or more active tenancies. The cost is small relative to either the AML tool spend or the PI premium reduction it often unlocks.

Source: NCSC Cyber Essentials

Last updated 2026-05-19.