The General Data Protection Regulation (GDPR) is 300 days away and it will change the way you deal with tenant data. Will you be ready for the new data protection requirements?
Whether it’s the information you hold about customers or colleagues, the way you must process personal data is changing. From 25 May 2018, all organisations will need to ensure they comply with the new data protection legislation set out in the GDPR.
Following a series of successful events and the launch of our sector-specific GDPR publication, HouseMark is committed to supporting our member network to prepare for the new legislation.
As part of an ongoing campaign to raise awareness of data protection, this month we have invited the Information Commissioner’s Office (ICO) to share the key changes within the GDPR.
Housing providers dealing with people’s personal information will have to make the privacy rights of tenants a top priority when new laws come into force to replace the current UK Data Protection Act (DPA). The GDPR is set to give consumers and citizens more control over their information and stronger rights to be informed about how organisations use their personal data.
One of the main changes for housing providers will be the way subject access requests (SARs) are dealt with. Subject access is a person’s right to access information held about them, which could be tenant records. The new law gives less time to respond to these requests, only 30 days, and in most cases organisations won’t be able to charge a fee. Tenants will also have the right to request that personal data be deleted or removed if there’s no compelling reason to carry on processing it.
Under GDPR certain organisations will be required to have a Data Protection Officer (DPO). Housing providers must consider whether they need to appoint a DPO to monitor compliance with the new law.
A Data Protection Impact Assessment (DPIA) can help organisations identify the most effective way to comply with data protection law. It allows any problems to be identified and fixed at an early stage. It’s part of the accountability and transparency that are also requirements under GDPR. The ICO expects that much of the work undertaken by housing providers that involves personal information will require a DPIA under the new laws.
Data controllers (organisations responsible for saying how and why personal data is processed) will have to ensure any contracts with data processors (organisations that process data on their behalf) comply with the law. Data processors will have more obligations under GDPR and will need to maintain records of personal data and processing activities. Processors will also have significantly more legal liability if a data breach occurs.
Organisations will need to report certain data breaches to the ICO within 72 hours of becoming aware of them and, in some cases where the breach is considered high risk, to the individuals affected. The ICO’s enforcement powers are significantly increased under GDPR: the highest fines for companies can be up to twenty million euros or four per cent of a company’s annual turnover. The ICO will also have the power to enforce in other areas such as accountability and failure to conduct a DPIA.
Both HouseMark and the ICO remain committed to helping housing organisations to improve practices and prepare for the GDPR.
Find out more about GDPR within our comprehensive guide to data protection and privacy, designed specifically for the sector in partnership with Anthony Collins Solicitors and Amicus Horizon. You can also access further information on the ICO website.