Housing Technology

GDPR – What it is and why the housing sector should care

Along with every other organisation holding customer and employee personal data, the housing sector will need to comply with stringent new laws which come into force on the 25th May 2018. The General Data Protection Regulation (GDPR) is EU legislation designed to beef up data protection regulations and replaces the existing Data Protection Act (DPA). It’s far more rigorous than the DPA and comes with much more stringent penalties of up to €20m or four per cent of annual turnover for noncompliance. Compare this with the current maximum fine that the Information Commissioner’s Office can levy of £500,000 and one can see it’s a big leap. It’s important to note that GDPR applies regardless of the UK’s decision to leave the EU.

GDPR applies to all organisations that handle personal data. For a housing provider, that data can take many forms. Tenants’ personal information, their bank details and copies of land registry information would all fall within this remit and, if compromised, could be highly damaging in the wrong hands. GDPR will also apply to a housing provider’s employees – again their contact details, tax records and salary information (for example) all constitute valuable data that must be protected in order to comply with GDPR.

What are the differences between GDPR and the Data Protection Act?

GDPR takes the Data Protection Act but applies a lot more rigour. The key difference is accountability. Essentially, organisations must ensure that personal data is only collected for valid reasons, stored securely, and accessed ‘only by those who need it’ for valid data-processing reasons. There is also a requirement to delete the personal data once it is no longer needed for the processing activity. Data controllers also must comply with the ‘right to be forgotten’ when an individual asks for their data to be erased if it’s no longer required for processing or if the individual no longer has an ongoing commercial agreement with the data controller.

Proof of GDPR adherence could be requested at any stage. This means organisations will need to provide evidence of their policies on data handling, prove they are processing the data lawfully and show that they have consent. It also mandates special considerations for children’s personal data. Additionally, public organisations and enterprises processing a certain number of data records will need to appoint a data protection officer (DPO).

Payments come with extra regulations

Most housing providers will have their tenants on direct debit but there will still be occasions when one-off payments need to be taken by credit or debit card. It’s not commonly understood but existing Payment Card Industry (PCI) regulations are very tight on how card payments can be taken. For example, if the cardholder is not present, unless there is an approved, documented process and policy to do so, then it shouldn’t be possible for the housing provider’s employee (if speaking to the tenant over the phone) to write down card details. They should also not repeat the card number back to the customer (since sensitive cardholder details can be captured using a recording device). Instead, a housing provider should look to de-scope their call-centre environment. The best way to do so is to use a payment application which allows the caller to anonymously key in their payment information over the phone without having to share the data with the agent on the other end of the call. These requirements are in place today with the Payment Card Industry Data Security Standard (PCI DSS) but under GDPR enforcement will be stepped up and penalties for non-compliance will fall within the tougher fine structure.

What does the housing sector need to do?

It’s important to remember that while technology can help, the main challenge is around people and processes. It’s more of ‘what we’ve always needed to do’. The first step is to formulate a plan. Housing providers should think about all the areas where personal data is stored. Storing anyone’s data constitutes a risk for them so organisations should think about how that can be mitigated. Is access restricted to only those that need it as a specific part of their job function? Is data encrypted so if there is a breach from a cybercriminal, there is less chance of them being able to access it? Housing providers should ask if they actually need to capture the data in the first place; if data doesn’t exist, it can’t be breached so think carefully about the amount of personal data you hold on individuals.

It should be remembered that a key difference between GDPR and the DPA is that the former is more up-to-date with modern technology; for example, it means that IP logs of tenants looking at their housing provider’s website would constitute personal data and fall within GDPR. Similarly, if personal data has been collected for marketing purposes but to some extent anonymised and ‘tagged’ according to certain group characteristics, it can still fall within the scope of the GDPR depending on how difficult it is to unravel this and isolate it to a particular individual.

The housing sector needs to act now (if it hasn’t already)

GDPR is the biggest upheaval in how data is handled in 20 years and there’s only just over a year for the housing sector to become compliant. Many will see it as a burden but much of this is good business practice that should be embraced. The process will give reassurance to employees and customers that their data is being securely stored and accessed in accordance with the new law. In particular, we have seen in other sectors over the past few years the damage and angst that can be caused by cyber-attacks when personal data has been exposed. Had some of these organisations been GDPR compliant, their customers would have been spared a lot of anxiety and firms wouldn’t have suffered such damage to their reputations. While becoming GDPR compliant will be a legal requirement, it makes sense to do this in any case.

Brad Semp is director of PCI services at GCI.

See More On:

  • Vendor: GCI
  • Topic: Customer Management
  • Publication Date: 058 - July 2017
  • Type: Contributed Articles
