GDPR is a regulation that requires businesses and organisations to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly.


Registered Providers that collect data on tenants and leaseholders in the U.K. will need to comply with strict new rules around protecting customer data by 25th May 2018. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer and tenant rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.


Compliance will cause some concerns and new expectations of security teams. For example, the GDPR takes a wide view of what constitutes personal identification information. Registered Providers will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number.



The GDPR leaves much to interpretation. It says that Registered Providers must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body much leeway when it comes to assessing fines for data breaches and non-compliance.


Time is running out to meet the deadline, so CPS Consultants have compiled a comprehensive checklist detailing what  every Registered Provider needs to know about the GDPR, along with advice for meeting its requirements. Many of the requirements do not relate directly to information security, but the processes and system changes needed to comply could affect existing security systems and protocols.


CPS Consultants provide a specialised service to Registered Providers on all aspects of Property Safety (Statutory Compliance) and data protection (Data Protection Act 1998 to be imminently superseded by the General Data Protection Regulation - GDPR, EU Law effective from 25th May 2018).



The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require Registered Providers to protect the personal data and privacy of their tenants and leaseholders  for transactions that occur within the U.K. (as well as within  EU member states). The GDPR also regulates the exportation of personal data outside the EU.


The GDPR protects -


  • Basic identity information such as name,phone numbers, address (home and electronic) and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation


The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.


Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance. It’s possible, then, that both your organisation and processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner.


The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Registered Providers are required to have a DPO if they process or store large amounts of their tenants and leaseholders  data, process or store special personal data, regularly monitor data subjects, or are a public authority. Some public entities such as law enforcement may be exempt from the DPO requirement.


The GDPR allows for steep penalties of up to €20 million or 4 percent of total annual turnover, whichever is higher, for non-compliance.


Some Registered Providers have prepared well for these forthcoming changes, but along with many other organisations and businesses there are a large number of Registered Providers who will not be compliant by the 25th May 2018 deadline.


CPS Consultants can conduct an initial review into your organisation’s current policies and processes around GDPR and provide you with the essential, third-party reassurance that either a) compliance with GDPR is being achieved or b) recommendations to be implemented to attain compliance status.

Registered address

693 Windmill Lane,

Manchester, M34 2ET