Privacy law is changing – and housing associations need to be ready. New rules being introduced in May 2018 involve a number of complex requirements that all organisations, including housing associations, will need to follow.
These rules will come into force through the adoption of the EU General Data Protection Regulation (GDPR). This will become part of UK law regardless of Brexit, as has been confirmed by both the UK government and the Information Commissioner. Even if the GDPR is subsequently repealed, it will almost certainly be replaced with nearly identical legislation. Housing associations need to prepare for the changes now.
Privacy laws protect the rights of individuals. They specify how organisations can lawfully collect, use, retain and disclose personal information (PI) – information that can identify a living person.
Housing associations store and process a huge amount of PI every day. This can range from names and addresses held against the tenancy to financial information for the person paying the rent. Protecting this information is crucial. Under existing rules, the Information Commissioner’s Office can issue sanctions to public sector bodies where they have broken the rules.
As housing associations digitise their services, it is vital that customers are able to trust that their information is kept safely. If it is not, the take-up of digital services is likely to suffer.
| Requirement | Current law | Law from May 2018 |
|---|---|---|
| Fines for infringement of privacy law | Fines vary by jurisdiction (e.g. in the UK the fine is up to £500,000) | A tiered structure, with fines depending on the infringement. Level 1: 2% of global turnover or €10m (whichever is higher). Level 2: 4% of global turnover or €20m (whichever is higher). |
| Organisations needing a data protection officer (DPO) | Generally no requirement to appoint a DPO | Government bodies and organisations conducting mass surveillance or mass processing of special categories of data will need a DPO. Under current guidance and pending deregulation, UK housing associations are classified as public non-financial bodies, so will need to take this requirement into account. |
| Inventory | No personal information inventory is required | Most organisations will need a personal information inventory. |
| Breach notification | Generally no breach notification required | Privacy breaches will need to be reported: to the regulator within 72 hours and potentially to the data subject. |
| Security | Vague requirements around security (i.e. ‘adequate level’) | Requirements around monitoring, encryption and anonymisation of personal information. |
| Privacy impact assessments (PIAs) | No mandated requirement to perform PIAs | Organisations must perform PIAs if they are using new technologies and the processing is likely to result in a high risk to the rights and freedoms of individuals. |
| Data subject’s rights | Various rights, including right of access | Data subject’s rights are extended to include restricting how their data is used and the right to have their data erased. |