Alastair Gilchrist

Chief Technology Officer

The National Residential Landlords Association (NRLA) is now the UK’s largest membership organisation for private residential landlords in England and Wales, supporting and representing over 100,000 members.

From landlords renting out a single property to those with larger portfolios, we provide our members with the expertise, support, and resources needed for a rental sector that works for everyone. We represent our members and actively recognise the contribution landlords make to the rental sector and the wider society, in the provision of safe, legal, and secure homes.

Founded: In 2020 two competing trade associations merged (the NLA and the RLA) to form the NRLA – but have been in business for a couple of decades
Size: 130

The Challenge

What challenges were you and your team experiencing prior to working with us – what prompted you to seek a solution? The organisation was formed from a merger of two competitors in 2020, and we’re now a national trade association for landlords and private rental with around 102,000 members. We have been growing consistently since we started as the private rental sector has grown and developed. We provide information, advice and guidance as well as commercial deals for landlords in the sector.

What our members like is the ability to access our telephone advice line, we get up to 3000 calls a week. So we handle a reasonable amount of personal data. This year, we’re about to launch a service that will give landlords the ability to enter much more information about their portfolios into our systems which will significantly increase the amount of personal information we store.

As we’ve scaled, we’ve done what we thought is a reasonable job at trying to cope with GDPR and it’s implications, but there were still a lot of things we felt we could do better. We wanted to take the opportunity to reflect on what we had done previously, bring it up to date and make sure we were observing best practices.

Since GDPR was introduced, we have been trying to go it alone but we felt it was time to take stock and commission a third-party data protection audit of our status. We had a forthcoming audit and risk committee that meet quarterly and we wanted to discuss data protection with them – but I thought it would be a good idea to get an external data protection officer to ‘kick the tyres’ and provide an evaluation of our existing status and what we needed to do to improve on what we do.

If you’re experiencing similar challenges within your organisation and you’re unsure whether to hire a DPO internally or to outsource, we have a really useful article that will help you make that decision: Should you outsource your DPO? 

How did you go about searching for the solution and services? We spoke to a few companies that might be able to help us and decided to engage Evalian, as we liked their approach and they demonstrated a good understanding of our needs. We also found out that Evalian provides services to England Squash, which is a similar-sized trade association organisation and provided an excellent reference for Evalian which was useful in finalising our decision.

Please describe the reasons you decided to work with us. From our initial call with our consultant, Neil Scott, we knew that there was a good connection between us. He really seemed to understand who we were and what we do. The overall data protection package pricing is absolutely worth it for what we get with Evalian.

Did you have any expectations going into the process? We invested with Evalian initially just to do some “tyre kicking” in the form of an audit, but the knock-on monthly guidance and annual support turned out to be very useful to us as well.

What we’ve derived from the DPO engagement is comfort and certainty that what we’ve done before was worthwhile and that we were generally doing the right things. It has been helpful to get an expert evaluation and be able to build seamlessly on our existing progress.

Overall, the engagement has been a lot easier than we expected, a smooth process. I feel perhaps we underestimated the amount of time it would take to create all the required documentation, but we completed the audit in a timely fashion.


Can you describe the process we took your business through and anything you learnt about your own business through working this way? Evalian came in and conducted an initial Gap Analysis, this demonstrated that we had done more than most and had a good foundation of data protection and a framework of documents we could point to which sped up the initial process. We had previously done some DPIA work, so we had something tangible, rather than a blank sheet of paper.

Were there any challenges you found along the way and how did you feel we or your consultant, helped to support you through that? We had a slightly clunky start in that I felt we’d built up a rapport with our initial consultant Neil, and then we were going to be engaging with another consultant, however, after airing my concerns, this was resolved with no issues and Evalian and Neil were very accommodating.

Data protection & cyber security solutions for construction & property industry


What has been the most significant achievement for your business facilitated by using our services? We’ve definitely gained confidence that what we were doing before and what we’re doing now, is right and that we are fully compliant. Neil came in and gave an awareness training session to our Board and this has really helped give them the reassurance they need, to know our compliance framework is robust and up to date.

We would definitely consider using Evalian for services such as cyber security in future. We’re confident in our engagement with them, and with some more regular check-ins going forward, we’d be happy to explore further engagements.

  • This field is for validation purposes and should be left unchanged.


Talk To Us:

If you’ve had a data breach, are confused about DPOs, or would like to discuss penetration testing or cyber incident response training, please give us a call or email us. We promise no hard sell and only real-world guidance.

We love to talk privacy and security and we’d be delighted to discuss your requirements. If we can’t help for any reason, we’ll probably know someone who can.

Get In Touch