How many platforms does your agency log into before a market appraisal goes live? For most UK estate and letting agencies, the honest answer is somewhere between four and six. And the intelligence your team builds across those platforms — the contact trails, the transaction records, the landlord relationships — does not belong to you in any practical sense. It belongs to the platforms holding it.
For years, the assumption has been that there is nothing to be done about this. The contract says what it says; the export costs what it costs. The EU Data Act drew attention to the problem — but for a UK agency serving UK customers, it is not the law that governs the answer. Three strands of UK law and regulation do: UK GDPR, the Data (Use and Access) Act 2025, and the Competition and Markets Authority's findings on cloud switching. All three point in the same direction: barriers built to stop you taking your own data are on the wrong side of where UK regulation is heading.
The legal position differs depending on what kind of data you are trying to move. Here is the accurate picture for a UK agency, data type by data type.
Can a CRM vendor charge you to export your client contact data? For personal data — no.
Client contacts, lead histories, applicant records, and vendor communications are personal data, and they are governed by UK GDPR. Under the right to data portability (Article 20), individuals' personal data that you process must be available in a structured, commonly used, machine-readable format — and under Article 12(5), providing it must be free of charge except in narrow cases of manifestly unfounded or excessive requests.
The practical consequence for an agency: if your CRM vendor charges a fee specifically to export your core client contact records, or supplies them only in a deliberately unusable format, that practice sits in direct tension with UK GDPR's portability and access principles. This is not pending regulation. It has been the law since 2018.
Where vendors have historically found room to charge is the next category.
What about property histories, valuation logs, and landlord portfolio data?
Non-personal business data — property transaction histories, valuation records, campaign performance data, and the structural elements of landlord portfolio data — is where legacy vendors typically locate their extraction fees. UK GDPR's free-of-charge portability right does not extend to this category, and that gap is exactly where lock-in models live.
The relevant legislation here is the Data (Use and Access) Act 2025 (DUAA). The Act received Royal Assent on 19 June 2025, and the majority of its data protection provisions came into force on 5 February 2026 under the Commencement No. 6 Regulations. Its most significant feature for the lock-in question is the Smart Data framework in Part 1: powers allowing the government to mandate open, standardised data-sharing schemes sector by sector — the same architecture that produced Open Banking.
An honest reading requires one concession. Unlike the EU Data Act, which imposes a blanket ban on cloud switching charges from January 2027, the DUAA does not yet outlaw B2B data extraction fees outright. A vendor can still, today, charge a "reasonable" egress or extraction fee for non-personal business data if the commercial contract provides for it. Smart Data schemes for specific sectors require secondary legislation that has not yet been made for property technology.
But the direction is unambiguous. The legislative machinery for mandated open data sharing in the UK now exists, is in force, and has a proven model in Open Banking. The question for a vendor running a lock-in model is not whether the rules reach their sector — it is when.
| DATA TYPE | GOVERNING LAW | WHEN CAN YOU MOVE IT? | WHAT CAN A VENDOR CHARGE? |
| Client contacts, lead histories, applicant records | UK GDPR (Art. 20, Art. 12(5)) | At any time | Nothing — portability of personal data is free of charge |
| Property histories, valuation logs, campaign records, landlord portfolio structures | Data (Use and Access) Act 2025; contract law | Per your contract terms | "Reasonable" extraction fees remain contractually possible — for now |
| Data held by cloud infrastructure underneath your CRM | CMA findings; DMCCA powers | Per provider commitments | AWS and Microsoft committed in March 2026 to remove or reduce egress fees for switching customers |
Is the CMA actually acting on vendor lock-in and switching fees? Yes — with results.
The Competition and Markets Authority concluded its cloud services market investigation on 31 July 2025, finding that competition in the UK cloud market is not working well — and naming egress fees, the charges levied when a customer moves data out of a provider's environment, as a deterrent to switching. The investigation found that less than one per cent of customers move cloud providers in a given year.
What followed matters more than the finding. Rather than imposing binding designations, the CMA put remedies directly to the two largest providers. In March 2026, AWS and Microsoft responded with commitments that included removing or reducing egress fees for switching and multi-cloud customers. The CMA simultaneously opened a new investigation into Microsoft's corporate software services under the Digital Markets, Competition and Consumers Act — the legislation that gives the regulator its strongest powers over firms with entrenched market positions.
Two of the world's largest technology companies conceding the egress fee point under regulatory pressure is a more useful precedent for an estate agency than any amount of pending legislation. It establishes, in the UK, that fees engineered to stop a business moving its own data are treated by the competition regulator as a barrier to be dismantled — not a legitimate commercial term to be defended.
Does the EU Data Act still matter to a UK-only agency?
Not directly. If your agency serves only UK customers and your vendors do the same, the EU Data Act — including its January 2027 ban on cloud switching charges — does not bind anyone in your stack. A UK independent agency reading coverage that opens with EU regulation is right to ask whether it applies to them, and for purely domestic operations the honest answer is no.
It matters in two indirect ways. First, many UK PropTech and CRM vendors do serve EU customers, and the Act's extraterritorial reach binds them for those customers — meaning the engineering work for clean data portability is being done anyway, and a two-tier product that gives EU clients export rights it denies to UK clients is commercially difficult to defend. Second, the EU Act functions as a benchmark: it shows what a completed anti-lock-in regime looks like, and UK regulation — DUAA Smart Data powers, CMA enforcement under the DMCCA — is assembling the same outcome through different machinery.
What should you ask your CRM vendor before the next renewal?
The practical question for a UK agency is not which statute technically governs each clause of the contract. It is whether your vendor would pass the test that UK law and regulation are converging on. Four questions settle it:
- Can I export all personal data — every contact, every lead history — in a machine-readable format, free of charge, right now? (If the answer is anything other than yes, UK GDPR is the reference point.)
- What does the contract say about non-personal data — property logs, valuation records, landlord portfolio data — and what would extraction actually cost? Ask for the figure in writing.
- Is the export complete? A CSV missing half the fields, or data labelled "platform-generated" and withheld, is an export in name only.
- What is your position on Smart Data? A vendor that has thought about sector data-sharing schemes — and can describe how it would comply — is planning for openness. A vendor that has not is planning for retention.
Vendors built on genuine openness answer all four immediately. Vendors who hedge, redirect, or refer you to the terms and conditions are telling you exactly where their revenue model sits — and which side of the UK's regulatory direction they are on.
📌 KEY TAKEAWAY
Under UK GDPR, exporting your clients' personal data must be free of charge and machine-readable — already law, not pending. For business data such as landlord portfolios and valuation logs, the Data (Use and Access) Act 2025 (main provisions in force since 5 February 2026) builds the Smart Data machinery for mandated sector-by-sector openness, and the CMA has already extracted egress fee commitments from AWS and Microsoft. The era of holding an agency's data hostage is closing, statute by statute. propalt.ai is built on the principle that your data is yours — open formats, daily updates, no lock-in.
Sources
—Data (Use and Access) Act 2025 — Royal Assent 19 June 2025 — legislation.gov.uk
—UK: Commencement of the data protection provisions in the Data (Use and Access) Act — DLA Piper
—Right to data portability under UK GDPR Articles 20 and 12(5) — ICO
—Cloud Services Market Investigation — final report — Competition and Markets Authority
—CMA decision to shelve cloud services SMS investigations — Macfarlanes
