Data Protection and General Data Protection Regulation (GDPR)

Customer Privacy Notice

The General Data Protection Regulation (GDPR) took effect from 25th May 2018 and changed the way we deal with customer, employee, stakeholder and partner data. GDPR gives consumers and citizens more control over their information and stronger rights to be informed about how organisations use their personal data. Whether it’s the information we hold about customers or colleagues, the way we must process personal data is changing.  Since 25th May 2018, all organisations must ensure they comply with the data protection legislation set out in the GDPR.

The Data Controller is Hundred Houses Society; the Data Owner is the Executive Resources Director, Sean Kent; the Data Protection Officer (DPO) is Peter Fisher (Governance Manager); the Information Security Oficer (ISO) is the Executive Resources Director, Sean Kent.

As part of an ongoing campaign to raise awareness of data protection, we have included a link to the Information Commissioner’s Office (ICO) public information and Housemark’s guide for landlords and tenants.

Housing providers dealing with people’s personal information will have to make the privacy rights of tenants a top priority when new laws come into force to replace the current UK Data Protection Act (DPA).

Principles of GDPR

The key principles adopted by Hundred Houses Society (HHS) in relation to personal data include :

  • Information in relation to individuals belongs to those individuals as data owners
  • HHS will only keep and maintain data that we require in order to carry out our role and responsibilities as a landlord, employer and housing association
  • Information will only be shared with third parties with the permission and knowledge of the data owner.

Key changes with GDPR

  • Subject Access Requests (SARs)

One of the main changes for housing providers will be the way subject access requests (SARs) are dealt with. Subject access is a person’s right to access information held about them, which could be tenancy records, for example. The new law gives organisations less time to respond to these requests, only 30 days and in most cases, organisations won’t be able to charge a fee. Tenants will also have the right to request that personal data be deleted or removed if there’s no compelling reason to carry on processing it.

  • The role of data protection officers (DPO)

Under GDPR certain organisations will be required to have a DPO. Housing providers must consider whether they need to appoint a DPO to monitor compliance with the new law.

  • Data protection impact assessments (DPIA)

A DPIA can help organisations identify the most effective way to comply with data protection law. It allows any problems to be identified and fixed at an early stage. It’s part of the accountability and transparency that are also requirements under GDPR. The ICO expects that much of the work undertaken by housing providers that involves personal information will require a DPIA under the new laws.

  • Organisations processing data on behalf of others will have more responsibilities

Data controllers, organisations responsible for saying how and why personal data is processed, will have to ensure any contracts with data processors, organisations that process data on its behalf, comply with the law. Data processors will have more obligations under GDPR and will need to maintain records of personal data and processing activities. Processors will also have significantly more legal liability if a data breach occurs.

  • Data breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

Personal data breaches can include:

access by an unauthorised third party;

deliberate or accidental action (or inaction) by a controller or processor;

sending personal data to an incorrect recipient;

computing devices containing personal data being lost or stolen;

alteration of personal data without permission; and

loss of availability of personal data.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.


Organisations will need to report certain data breaches to the ICO within 72 hours of becoming aware of it and in some cases, where the breach is considered high risk, to the individuals affected. The ICO’s enforcement powers are significantly increased under GDPR, the highest fines for companies can be up to twenty million euros or four per cent of a company’s annual turnover. The ICO will also have the power to enforce in other areas such as accountability and failure to conduct a DPIA.