Slide background
Slide background

Social housing and data breaches

Do you know what to do if your housing association has a data breach? Clare Paterson explores the risks of a data breach in social housing, and how you can reduce and manage those risks.

As a housing association leader, how well do you know the chances of your housing association having a data breach? Do you know what could happen and how you should respond if the worst does happen?

Many years ago, a housing association executive director emailed me about a news story and asked me the question “this couldn’t happen here, could it?”

A housing association had suffered a large data breach. I’ll tell you how I answered later on.

Article continues below...

How do you feel when you read about housing associations having data breaches? Hopeful it couldn’t happen in your organisation? Or fearful that it could?

Maybe you’re not sure what impact you'd suffer if you did have a data breach, especially now the multi-million-pound GDPR fines we were warned about have been few and far between in the UK.

It could feel like the pressure is off.

On the other hand, ransomware attacks are on the rise in all sectors, and if you Google 'housing association data breach' the first few results include phrases like:

'Could you be entitled to up to £5,000 data breach compensation?' and 'Your data breach could be worth thousands.'

We know of many organisations, including housing providers, who have received compensation claims following fairly small data breaches and organisations who have suffered significant impacts from ransomware or other data breaches that came out of the blue.

So even without the threat of GDPR fines, a data breach could still cost your organisation many thousands of pounds to respond to it. Not just paying out on ransoms or compensation or other mitigations, but also all the time spent dealing with the incident, and the effects on your customer relationships and colleague morale.

All of this before you even consider the potential, and very real, harm that could be caused to the people whose data you hold; identity theft, fraud, scams, harassment, and of course the worry and stress that goes along with those problems.

Unfortunately, there’s no easy fix that can guarantee you won’t have a data breach. But there are steps you can take to reduce the likelihood of it happening and reduce the impact if it does happen.

With the right processes, implemented holistically across the organisation, you can reduce your risks, report on assurances, and be prepared when you are faced with a breach.

We find that data protection/security is often treated as being outside of the 'day job', which leads to increased risks when actually, 90% (a guesstimate) of the day-to-day work carried out by housing providers involves handling information about customers or colleagues. Meaning your employees and contractors should be thinking 'data protection' while doing their day job.

We have developed a six-step model, especially for the social housing sector, that helps to embed good data protection and security into every relevant team and role, in the most painless way possible.

  1. Purpose identification
  2. Roles and responsibilities
  3. Engagement and communication
  4. Proactive and reactive risk management
  5. Data handling guidance
  6. Reporting and continuous improvement

We call this the Purpose and Data Alignment model, and our new Purpose and Data Alignment training programme is delivered over six weeks and provides you with all the ready-to-use tools, templates and training you need to build the model into your organisation, so you don’t need to reinvent the wheel.

This training programme does require a time investment which we understand is not a simple ask, so if you're not ready to implement the Purpose and Data Alignment model just yet, we can help you prepare for a data breach to give you some peace of mind.

In the data breach planning session, we provide tools and templates you can put in place so you're not caught unprepared. But most importantly the session provides a safe space for key senior colleagues to discuss scenarios and understand both the legal and ethical drivers that could influence your response to a data breach.

Send me an email at This email address is being protected from spambots. You need JavaScript enabled to view it. for more details, or to arrange a chat about either training offer.

And the answer I gave that director all those years ago?

"Yes, it could definitely happen here! We can never say never.”

Clare Paterson is a Consultant at Anthony Collins and CP Data Protection.



Sponsored Editorial