Blog: Getting ready for GDPR
The General Data Protection Regulation (GDPR) comes into force on May 25th 2018 and signals a significant change to the law. Fraser Nicol outlines what changes will be required of housing associations.
On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into force and brings with it a significant change to the UK’s data protection laws. Additionally, the ICO (Information Commissioner’s Office) will be empowered to impose fines of up to 4% of global revenue or 20 million euros for breaches of the new guidelines. As a result, housing associations need to work quickly to confirm that they understand, and can comply with, the new law.
What does this mean for housing associations?
Currently, housing associations process information about their tenants. As well as general contact, tenancy and financial information, this will include sensitive personal data, especially if the association provides assisted housing for the elderly, vulnerable people or those living with a disability.
From time to time, housing associations may also share tenant data with building contractors and tenant survey agencies. In both cases, it is the association’s responsibility to ensure the safe keeping and privacy of this data.
Recent breaches of data protection have resulted in eye-watering fines for the organisations at fault, such as the housing association which had to report itself to the Information Commissioner after releasing private contact details of its tenants, or the double-glazing company which was fined £50,000 for making nuisance calls to people who had specifically stated they didn’t want to be contacted.
What do housing associations need to do to comply?
Compliance with GDPR requires you to be able to understand and record what personal data you gather, why you gather it, how you handle it, where you hold it and how you share it.
Processes should be put in place to ensure that permission is obtained when necessary to gather data and that data subjects are aware their information is being gathered and what it will be used for. The data obtained should also be proportionate, kept up to date and accurate, and only held for as long as it is required. For many organisations, this will mean developing a raft of new processes and policies in order to ensure compliance.
In addition, GDPR introduces new rights for data subjects, such as the right to be forgotten and the right to move data held on them to another provider (data portability). It also introduces important changes to how and why consent to obtain data can be gathered and how this consent can be used.
GDPR also makes certain activities mandatory, for example:
With some new elements and significant enhancements being introduced by GDPR, it is essential you start planning for this now. At Scott-Moncrieff, we are working with a range of organisations in the housing sector to help them attain GDPR compliance. If you’d like to find out more about this, please contact us.