Blog: Registered Social Landlords and the GDPR
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and will change the way organisations within the EU process personal data. The GDPR will be supplemented by a new UK Data Protection Act and will increase the obligations on all organisations using or processing personal data. However, despite its imminence, and significant fines faced by those in breach, the recent Cyber Security Breaches Survey 2018*, commissioned by the UK government, found that just 38% of businesses and 44% of charities had heard of the GDPR.
Lynn Richmond, an associate in BTO Solicitors’ leading Data Protection Defence team, explains why registered social landlords (RSLs) should be preparing for the GDPR and outlines the key aspects to consider in doing so.
While the GDPR is European legislation, it will apply directly to the UK while it remains part of the EU and it is likely to continue in force in some shape or form after Brexit. The general consensus appears to be that it will be necessary for the UK to maintain GDPR level data protection to allow the UK to trade effectively with the rest of Europe.
The new regulations are particularly pertinent for RSLs, which hold large databases of tenant details, including sensitive information about vulnerable tenants. In addition to collating, storing and securing such data, there will also be new regulations to consider when sharing this with other companies such as contractors and tenant consultants.
The GDPR will apply to:
- Data Controllers: a person who either alone, jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed; and
- Data Processors: in relation to personal data, any person who processes the data on behalf of the Data Controller.
All organisations which process personal data must also ensure that personal data is processed in accordance with the data protection principles:
- Lawfulness, fairness and transparency
- For limited purposes
- The data processed is minimised
- The data is accurate and up-to-date
- The data is not retained for longer than is necessary
- The data is processed in a manner which ensures security, integrity and confidentiality of that data.
If an RSL breaches these requirements, the Information Commissioner's Office may issue a fine, but the GDPR also preserves the current right of a data subject to claim compensation. Where a data subject considers that their data has not been processed in accordance with GDPR requirements, that individual may sue for damages for financial loss and/or distress suffered because of the breach of the GDPR.
It is also important to recognise that a data protection breach may give rise to a notifiable event which should be reported to the Scottish Housing Regulator.
Importantly, Data Controllers will need to ensure that they have appropriate contracts in place with the parties with whom they share data or whom they engage to process data on their behalf. This will apply, for example, to cleaning and factoring companies engaged by an RSL that are provided with information about tenants and service users. The RSL will have to ensure that an appropriate agreement is in place so that the recipient only uses the data for the purpose for which it is provided, and that the data is stored and disposed of securely.
In all situations where a third party is engaged to provide a service which involves the processing of personal data on the instructions of the RSL, a contract must be in place between the RSL Controller and the third party, or Data Processor, setting out in some detail:
- The subject matter and duration of the processing
- The nature and purpose of processing
- The type of personal data and categories of data subject which will be processed
- The obligations and rights of the controller and responsibilities of the processor
The contract must also stipulate the following:
- The Processor must only process the data on the instructions of the controller
- Anyone processing data on the authority of the Data Processor must be subject to a commitment to confidentiality
- The Processor has appropriate security measures in place
- The Data Processor must obtain the Data Controller's permission before appointing a sub-processor or sub-contracting any processing. This permission can be given in advance, but where it has been granted in general terms the Controller must be advised of any new sub-processor
- The Processor must assist the Controller to comply with data subjects’ rights and reporting obligations in relation to data breaches
- The contract must state whether the Processor must return or delete the data once the processing has ended
- There should be an obligation to provide the Data Controller with information for audit/inspection purposes.
It is very possible, if not likely, that RSLs will experience some pushback from Processors who are asked to sign up to these agreements. Where once a commercial view may have been taken as to whether to insist on a particular contractual term, it will now be necessary for RSL Controllers to ensure that certain clauses are included in their contracts with Processors. Failure to include a required clause could be a very costly mistake – for both parties.
What Data Processors must understand is that while they had no statutory obligation to comply with the Data Protection Act, they are now subject to obligations under the GDPR. So, if Processors cannot comply with these conditions, then not only do they face losing work, but they also face fines of up to €10 million or 2% of global turnover.
This is a basic outline of the new obligations under the GDPR which are most relevant to RSLs; however, organisations need to ensure 100% compliance across all areas of the regulations. This is a complex process and seeking legal assistance is recommended to avoid significant fines.