Blog: Getting ready for GDPR

Fraser Nicol

General Data Protection Regulation (GDPR) comes into force on May 25th 2018, and signals a significant change to the law. Fraser Nicol outlines what changes will be required of housing associations.

On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into force and brings with it a significant change to the UK’s data protection laws. Additionally, the ICO (Information Commissioner’s Office) will be empowered to impose fines of up to 4% of global revenue or 20 million euros for breaches of the new rules. As a result, housing associations need to work quickly to confirm that they understand, and can comply with, the new law.

What does this mean for housing associations?

Currently, housing associations process information about their tenants. As well as general contact, tenancy and financial information, this will include sensitive personal data, especially if the association provides assisted housing for the elderly, vulnerable people or those living with a disability.

From time to time, housing associations may also share tenant data with building contractors and tenant survey agencies. In both cases, it is the association’s responsibility to ensure the safe keeping and privacy of this data.

Recent breaches of data protection have resulted in eye-watering fines for the organisation at fault, such as the housing association which had to report itself to the Information Commissioner after releasing private contact details of its tenants, or the double-glazing company which was fined £50,000 for making nuisance calls to people who had specifically stated they didn’t want to be contacted.

What do housing associations need to do to comply?

Compliance with GDPR requires you to be able to understand and record what personal data you gather, why you gather it, how you handle it, where you hold it and how you share it.

Processes should be put in place to ensure that permission is obtained when necessary to gather data and that data subjects are aware their information is being gathered and what it will be used for. The data obtained should also be proportionate, kept up to date and accurate, and only held for as long as it is required. For many organisations, this will mean developing a raft of new processes and policies in order to ensure compliance.

In addition, GDPR introduces new rights for data subjects, such as the right to be forgotten and the right to move data held on them to another provider (data portability). It also introduces important changes to how and why consent to obtain data can be gathered and how this consent can be used.

GDPR also makes certain activities mandatory, for example:

  • Appointing a Data Protection Officer;
  • Providing new and existing staff with suitable training and awareness, as well as additional sources of guidance and support when required;
  • Conducting Data Protection Impact Assessments (DPIAs) to design data privacy into any new systems and processes. This is of particular importance if new technology is being deployed, where special categories of data are processed on a large scale, or if profiling operations are being performed which are likely to have an impact on individuals;
  • Notifying the ICO within 72 hours of a data breach.

With some new elements and significant enhancements being introduced by GDPR, it is essential you start planning for this now. At Scott-Moncrieff, we are working with a range of organisations in the housing sector to help them attain GDPR compliance. If you’d like to find out more about this, please contact us.

Fraser Nicol is a partner at accountants and business advisers Scott-Moncrieff.