COOKIE NOTICE: 3C Consultancy uses cookies to store information on your computer, in order to improve your experience when using our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site (using your browser), but parts of the site may not work. To find out more about the cookies we use and how to delete them, Read More.

Call us: 0333 900 3003

Will Your Housing Association Break The Law After May 25th?


From May 25th, when the EU’s General Data Protection Regulation (GDPR) comes into effect, your organisation must be able to prove it has a lawful reason for collecting and processing the personal data of tenants, employees and suppliers.

The GDPR states that organisations must meet one of the following conditions for the processing of personal data to be lawful. They are:

  • The individual has given consent to the processing of their personal data for one or more specific reasons
  • Processing the data is necessary for the performance of a contract to which the individual is a party
  • Processing the data is necessary for the organisation to be legally compliant
  • Processing the data is necessary to protect the interests of the individual
  • Processing the data is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the organisation
  • Processing the data is necessary for the legitimate interests pursued by the organisation (except where they are overridden by the interests or fundamental rights and freedoms of the individual which require the protection of personal data).

As Colin Sales, 3C Consultants’ Managing Director, explains in this video, the GDPR is more prescriptive as to how personal data should be processed.

For a housing associations, possible data subjects might include its employees, tenants, the relatives of tenants whose personal data is held by the landlord, and suppliers or outsourced contractors.

It’s not enough to know that your housing association meets one of the six conditions for processing personal data, says Colin. You will also need to document the lawful reason your organisation has for processing personal data and ensure it is explained in the association’s privacy notice. That privacy notice needs to be written in a way that’s easy to read and understand.

Your organisation should also take the opportunity ahead of the introduction of GDPR to review and if necessary update all your internal and external policies, procedures and documents that deal with or seek consent to process data to ensure they will be GDPR-compliant.

At the same time, staff should be trained, so they are aware of the legal basis your organisation will be relying on for GDPR.

If you need help or would like to discuss any issue that this GDPR video series raises, please call us now on 0333 900 3003.