Blog: Registered Social Landlords and the GDPR
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and will change the way organisations within the EU process personal data. The GDPR will be supplemented by a new UK Data Protection Act and will increase the obligations on all organisations using or processing personal data. However, despite its imminence, and significant fines faced by those in breach, the recent Cyber Security Breaches Survey 2018*, commissioned by the UK government, found that just 38% of businesses and 44% of charities had heard of the GDPR.
Lynn Richmond, an associate in BTO Solicitors’ leading Data Protection Defence team, explains why registered social landlords (RSLs) should be preparing for the GDPR and outlines the key aspects to consider in doing so.
While the GDPR is European legislation, it will apply directly to the UK while it remains part of the EU and it is likely to continue in force in some shape or form after Brexit. The general consensus appears to be that it will be necessary for the UK to maintain GDPR level data protection to allow the UK to trade effectively with the rest of Europe.
The new regulations are particularly pertinent for RSLs, which hold large databases of tenant details, including sensitive information about vulnerable tenants. In addition to collating, storing and securing such data, there will also be new regulations to consider when sharing this with other companies such as contractors and tenant consultants.
The GDPR will apply to:
Data Controllers: a person who either alone or jointly or in common with other persons determines the purposes for which, and the manner in which, any personal data are, or are to be, processed; and
Data Processors: in relation to personal data, any person who processes the data on behalf of the Data Controller.
All organisations which process personal data must also ensure that personal data is processed in accordance with the data protection principles:
If an RSL breaches these requirements, the Information Commissioner's Office may issue a fine, but the GDPR also preserves the current right of a data subject to claim compensation. Where a data subject feels that their data has not been processed in accordance with GDPR requirements, that individual may sue for damages for financial loss and/or distress which they have suffered because of the breach of the GDPR.
It is also important to recognise that a data protection breach may give rise to a notifiable event which should be reported to the Scottish Housing Regulator.
Importantly, Data Controllers will need to ensure that they have appropriate contracts in place with the parties with whom they share data or with whom they engage to process data on their behalf. This will apply, for example, to cleaning and factoring companies engaged by an RSL and who are provided with information about tenants and service users. The RSL will have to ensure that an appropriate agreement is in place to ensure that the recipient only uses the data for the purpose that it is provided and that it is stored and disposed of securely.
In all situations where a third party is engaged to provide a service which involves the processing of personal data on the instructions of the RSL, a contract must be in place between the RSL Controller and the third party, or Data Processor, setting out in some detail:
The contract must also stipulate the following:
It is very possible, if not likely, that RSLs will experience some push back from Processors who are asked to sign up to these agreements. Where once a commercial view may have been taken as to whether to insist on a particular contractual term, it will now be necessary for RSL Controllers to ensure that certain clauses are included in their contracts with Processors. Failure to include a required clause could be a very costly mistake – for both parties.
What Data Processors must understand is that, while they previously had no statutory obligation to comply with the Data Protection Act, they are now subject to obligations under the GDPR. So, if Processors cannot comply with these conditions, then not only do they face losing work, but they also face fines of up to €10 million or 2% of global turnover.
This is a basic outline of the new obligations under the GDPR which are most relevant to RSLs. However, organisations need to ensure 100% compliance across all areas of the regulations. This is a complex process, and seeking legal assistance is recommended to avoid significant fines.
* Cyber Security Breaches Survey 2018: Preparations for the new Data Protection Act statistical release