We #StandWithUkraine, find out how to help here.
Last updated: 19.12.17

5 GDPR facts you need to be aware of as a housing provider

The General Data Protection Regulation (GDPR) is coming, and it will have an impact on your business whether you’re operating within the UK or the European Union (EU).

As of May 25th 2018, the current Data Protection Act will be updated and replaced with the GDPR. Not only will the new regulation detail existing laws surrounding data protection, but it will also contain laws regarding newly enhanced technology, and obligations and responsibilities organisations will have when it comes to handling the data they hold on EU citizens.

Across Britain, MPs and government authorities are urging businesses to prepare for the upcoming regulation to avoid facing fines of €20 million or four per cent of a company's annual global turnover – whichever is higher. Ahead of this, it is crucial that businesses understand and are fully aware of the facts surrounding GDPR.

For a Housing Provider who collects large quantities of data about their tenants, which can be passed on to building contractors or resident organisations, there is a need for increasing awareness of the changes and how it affects those employed by the organisation. Let’s take a look at those changes:

1. How ‘personal data’ is defined

The definition of ‘personal data’ will be expanding further, to include any information that can be used to identify an individual, such as business contact data, genetic, mental, cultural, economic and social information.

Under the new legislation the burden of personal data protection lies with those who ‘own’ the personal data – in other words data controllers. This means that housing providers will be held accountable for any data privacy breaches of customers’ personal data that happens along the supply chain.

This needs to be kept in mind within merger processes, as well as when dealing with suppliers. Once you understand how your suppliers will handle personal data, you need to have adequate record-keeping processes and procedures in place.

2. Appointing a Data Protection Officer

If your business allows the processing of data on a large scale, whether this is carried out by public bodies or other entities, you will need to appoint a Data Protection Officer (DPO). It doesn’t matter how large your organisation is but, instead, depends upon the amount of data that you are processing on a regular basis.

This means that SMEs and small businesses may have to hire somebody to ensure that personal data processes, systems and storage conforms to the GDPR and can also be evidenced should a data breach occur. Your DPO will be the main point of contact for staff queries on how to comply.

Anyone handling an individual’s data in any way, whether they are looking after customer accounts or collecting customer emails for marketing purposes, needs to be aware of what the GDPR is and what it does.

Everyone involved in these activities should undertake at least a basic overview training session, while staff members who are directly responsible for data security will require more substantial training.

3. Privacy Impact Assessments

Because the risk of a data breach has increased, Privacy Impact Assessments (PIAs) will be introduced to businesses to facilitate taking steps to mitigate the knock-on risk to individuals. Projects within a business that involve personal data must have a PIA carried out ahead of this. The DPO will then have to make sure they comply with the GDPR during the project.

For housing providers, all breaches will have to be reported to the regulator within 72 hours and you must notify any individuals affected.

4. Documenting ‘valid consent’

Housing providers will now have to gain consent to hold details about a tenant and you will need to clearly outline where information is coming from and why the information is being collected. Any form of data collection should be clear of jargon, easily understood and transparent in how information will be used and how long it is kept for. Any data that is no longer required for its original purpose must be deleted.

5. Requesting the ‘right to be forgotten’

Once the GDPR is enforced, businesses will not be able to hold or retain any data for longer than is necessary. Individuals can request the ‘right to be forgotten’, where an organisation must delete all data on a person in full.

In addition to this, companies will not be able to manipulate data from what it was originally agreed to be for. If they wish to do this, a new and updated consent must be obtained. Residents will have the right to the transfer of data from one provider to another, so social housing providers will need to know exactly where all personal data is being held.

Be prepared for the upcoming GDPR changes by signing up to our free online course.

Need a more in-depth look at the new legislation? Why not try our full online course here?

Related resources