Share with your friends

Privacy – a shifting landscape

Privacy – a shifting landscape

Privacy law is changing – and housing associations need to be ready. New rules being introduced in May 2018 involve a number of complex requirements that all organisations, including housing associations, will need to follow.

Harry Mears - Head of Social Housing, KPMG in the UK, Southampton

Head of Social Housing

KPMG in the UK


Also on

House Key

These rules will come into force through the adoption of the EU General Data Protection Regulation (GDPR). This will become part of UK law regardless of Brexit, as has been confirmed by both the UK government and the Information Commissioner. Even if the GDPR is subsequently repealed, it will almost certainly be replaced with nearly identical legislation. Housing associations need to prepare for the changes now.

Why privacy laws matter

Privacy laws protect the rights of individuals. They specify how organisations can lawfully collect, use, retain and disclose personal information (PI) – information that can identify a living person.

Housing associations store and process a huge amount of PI every day. This can range from names and addresses held against the tenancy to financial information for the person paying the rent. Protecting this information is crucial. Under existing rules, the Information Commissioner’s Office can issue sanctions to public sector bodies where they have broken the rules. 

As housing associations digitise their services, it is vital customers are able to trust that their information is kept safely. If it is not, the take up of digital services is likely to suffer.

Current and future privacy law

  Current law Law from May 2018
Fines for infringement of privacy law Fines vary by jurisdiction (e.g. in the UK the fine is up to £500,000)

A tiered structure, with fines depending on the infringement

Level 1: 2% of global turnover or €10m (whichever is higher)

Level 2: 4% of global turnover or €20m (whichever is higher).

Organisations needing a data protection officer (DPO) 
Generally no requirement to appoint a DPO Government bodies and organisations conducting mass surveillance or mass processing of special categories of data will need a DPO. Under current guidance and pending deregulation, UK housing associations are classified as public non-financial bodies so will need to take this requirement into account.
Inventory No personal information inventory is required Most organisations will need a personal information inventory.
Breach notification Generally no breach notification required Privacy breaches will need to be reported: to the regulator within 72 hours and potentially to the data subject.
Security Vague requirements around security (i.e. ‘adequate level’) Requirements around monitoring, encryption and anonymisation of personal information.
Privacy impact assessments (PIAs) No mandated requirement to perform PIAs Organisations must perform PIAs if they are using new technologies and the processing is likely to result in a high risk to the rights and freedoms of individuals.
Data subject’s rights Various rights, including right of access Data subject’s rights are extended to include restricting how their data is used and the right to have their data erased.

What questions should housing associations be asking?

  • Do we understand the privacy risks we face when capturing and processing personal information for our customers?
  • Do we fully understand the current and future privacy regulations? What do we need to do to manage the risks these introduce?
  • Do we know what personal information we hold, where it is stored and what it is used for? 
  • Are we building privacy controls into our digitisation programmes from the ground up?
  • Do we have the resources and capability to manage our privacy risk?

How KPMG can help

Drawing on our combined expertise in housing and changing privacy law, KPMG can help housing associations with all stages of their privacy policy:

  • Assessment: Performing a privacy maturity assessment to understand the effectiveness of your existing privacy controls.
  • Design: Defining the desired state privacy maturity system and building a roadmap to enable the organisation to reach it.
  • Implementation: Supporting the implementation of pragmatic, robust and fit-for-purpose privacy controls.
  • Monitoring: Performing regular reviews to verify that the defined privacy controls continue to operate as designed.


Harry Mears

+44 (0) 2380 202093

15 Canada sq

Brexit and EU data privacy

Brexit and EU data privacy

While Brexit continues to dominate conversations, UK companies cannot forget about imminent EU data protection changes.


Connect with us


Want to do business with KPMG?


loading image Request for proposal