Data Protection and General Data Protection Regulation (GDPR)

Click here to see HHS's Customer Privacy Notice and Data Retention Schedule.

The General Data Protection Regulation (GDPR) took effect on 25th May 2018 and changed the way we deal with customer, employee, stakeholder and partner data. GDPR gives consumers and citizens more control over their information and stronger rights to be informed about how organisations use their personal data. Whether it’s the information we hold about customers or colleagues, the way we must process personal data has changed. Since 25th May 2018, all organisations must ensure they comply with the data protection legislation set out in the GDPR.

The Data Controller is Hundred Houses Society; the Data Owner is the Executive Resources Director, Sean Kent; the Data Protection Officer (DPO) is Magda Syposz (Governance Manager); the Information Security Officer (ISO) is the Executive Resources Director, Sean Kent.

As part of an ongoing campaign to raise awareness of data protection, we have included a link to the Information Commissioner’s Office (ICO) public information and Housemark’s guide for landlords and tenants.

Information Commissioner's Office (ICO)

Guide to data protection and privacy for landlords and tenants

Housing providers dealing with people’s personal information will have to make the privacy rights of tenants a top priority when new laws come into force to replace the current UK Data Protection Act (DPA).

Principles of GDPR

The key principles adopted by Hundred Houses Society (HHS) in relation to personal data include:

  • Information in relation to individuals belongs to those individuals as data owners
  • HHS will only keep and maintain data that we require in order to carry out our role and responsibilities as a landlord, employer and housing association
  • Information will only be shared with third parties with the permission and knowledge of the data owner.

Key changes with GDPR

  • Subject Access Requests (SARs)

One of the main changes for housing providers was the way subject access requests (SARs) are dealt with. Subject access is a person’s right to access information held about them, which could be tenancy records, for example. The law now gives organisations 30 days to respond to these requests and in most cases, organisations are not able to charge a fee. Tenants also have the right to request that personal data be deleted or removed if there is no compelling reason to carry on processing it.

  • The role of data protection officers (DPO)

Under GDPR certain organisations are required to have a DPO. Housing providers must consider whether they need to appoint a DPO to monitor compliance with GDPR law.

  • Data protection impact assessments (DPIA)

A DPIA can help organisations identify the most effective way to comply with data protection law. It allows any problems to be identified and fixed at an early stage. It is part of the accountability and transparency requirements under GDPR. Much of the work undertaken by housing providers that involves personal information now requires a DPIA under the 2018 law.

  • Responsibilities of organisations processing data on behalf of others

Data controllers (organisations responsible for saying how and why personal data is processed) have to ensure that any contracts with data processors (organisations that process data on their behalf) comply with the law. Data processors have more obligations under GDPR than previously and need to maintain records of personal data and processing activities. Processors also have significantly more legal liability if a data breach occurs.

  • Data breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing personal data.

Personal data breaches can include:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.


Organisations need to report certain data breaches to the ICO within 72 hours of becoming aware of them and in some cases, where the breach is considered high risk, to the individuals affected. The ICO’s enforcement powers were significantly increased under GDPR - the highest fines for companies can be up to twenty million euros or four per cent of a company’s annual turnover. The ICO also has the power to enforce in other areas such as accountability and failure to conduct a DPIA.