Considerations for housing associations prior to the introduction of GDPR
The introduction of the General Data Protection Regulation (GDPR) in May 2018 brings another piece of legislation that housing associations (HAs) will need to consider when certifying to the Regulator of Social Housing that they have complied with all relevant law.
Accountability is a key theme throughout the GDPR, and having adequate internal procedures will assist greatly with compliance. Below are just a couple of the issues that HAs should prepare for ahead of May 2018.
Data Protection Officer
The appointment of a Data Protection Officer is required if you are a public authority or if your core activities consist of carrying out large-scale systematic monitoring of individuals. It is likely that a landlord processing the details of its tenants would be considered to be carrying out a "core activity", and as such most HAs will need to appoint a Data Protection Officer. As a minimum, the officer is to inform and advise the organisation of its obligations under the law and to be the first point of contact for supervisory authorities and, importantly, for the individuals whose data is being processed. The officer is allowed to hold another role within the organisation so long as it does not conflict with the individual's duties as Data Protection Officer.
Internal procedure and reporting timescale
The GDPR will impose a duty on all organisations to report certain types of data breaches to the ICO and in certain circumstances to the individuals themselves.
A breach must be reported to the ICO where it is likely to result in a risk "to the rights and freedoms" of individuals (e.g. discrimination, financial loss, etc.). Any such breach must be reported "without undue delay", and in any event within 72 hours of the organisation becoming aware of it. It is for this reason that robust internal procedures are essential. Where it is necessary to notify affected individuals, this must also be done without undue delay. Failure to notify a breach when required to do so may result in a substantial fine from the ICO of up to €10 million or 2% of global turnover, and this is separate from the potential penalties which may be applied for the breach itself (which in the most serious cases can be up to €20 million or 4% of global turnover). The ICO in its guidance emphasises that it will expect transparency. Affected individuals will also have a right to bring their own legal proceedings against the organisation.
Although fines at these levels are not expected to be commonplace, the risks of non-compliance must be taken seriously. Given the significant impact that such a fine could have on an HA, it is imperative that all staff understand and appreciate what constitutes a breach.
Training should be given to illustrate the circumstances which may give rise to a breach, and staff should also be trained on the internal procedure that must be followed once a breach has been identified (including notifying the Data Protection Officer) so that the organisation is able to comply with its reporting obligations and avoid the risk of a fine.
If staff are generally unaware of these procedures and a breach occurs, it is likely that the organisation will fail to comply with its obligations under the regulations.