On 25 May 2016 the General Data Protection Regulation (GDPR) comes into force. There is a two-year implementation period before housing associations have to comply with the new regime, at which point the UK's Data Protection Act will cease to apply.
With the clock already ticking, there is no time like the present to get started. Housing associations should carry out a gap analysis in the next few months to identify the key changes that will need to be made. Once this has been completed, an implementation project will need to be put in place, which requires significant resources and time.
What's new and what's the impact?
- Fines have significantly increased, with maximum fines of the greater of €20 million or 4% of worldwide turnover (increased from £500,000 in the UK). To avoid suffering a serious breach, housing associations need to put in place a comprehensive privacy governance programme.
- A mandatory breach notification regime will require housing associations to report serious breaches to the regulator within 72 hours and notify affected individuals.
- Data processors are subject to the regulatory regime for the first time. All supply chain contracts that involve the processing of personal data will need to be reviewed to include expanded data protection obligations.
- Transparency requirements have been expanded and consent must be “unambiguous” and involve clear affirmative action.
- Individuals will have a new right to data portability, which will allow tenants to require the transfer of their personal data from one landlord to another in a commonly used electronic format, and a new right to have data deleted. New procedures will need to be put in place to respond to new and expanded rights.
- Some organisations will be required to appoint a data protection officer. Depending on the volume of sensitive data processed and the level of monitoring carried out, landlords will need to consider whether they are caught by the requirement.
- A new obligation of 'accountability' requires housing associations to demonstrate that they have all relevant procedures and processes in place to enable compliance. Procedures and records of data processing activities need to be documented and available for inspection by the regulator.
First published by Inside Housing on 7 June 2016.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.