One year from today, the new General Data Protection Regulation will come into force. It will make radical changes to how RSLs collect and process personal data about their tenants, staff, service providers and contractors. RSLs are advised to start taking steps towards compliance now and develop action plans to prepare themselves for when the clock strikes midnight on 25 May 2018.
What is the Regulation?
The Regulation is the most significant change to Data Protection law in over two decades. The current Data Protection Act 1998 (DPA) is based on an EU Directive that started out life in 1990, at a time when data processing systems and networks were not as advanced or as complex as what we have today. Indeed, the consumer Internet, as we know it today, did not exist. The Regulation will impose a universal standard of Data Protection across the EU, fit for the information age in which we live.
While the outcome of the referendum last year was that the UK will leave its membership of the EU, this is unlikely to happen until 2019 at the earliest. Until then, the UK must comply with and give effect to EU law, including the Regulation.
What will the Regulation do?
The Regulation is a complex legal instrument and imposes higher standards of Data Protection law across the EU. Some of the most significant changes to the law include:
- a broader definition of personal data: more personal data held by RSLs (in both paper and electronic formats) will be covered by the Regulation than is the case under the DPA. The principal implication of this is that individuals on whom RSLs hold personal data will be entitled to significantly more personal data in response to subject access requests than is currently the case under the DPA;
- a higher standard of consent: consent will be more difficult to rely on as a legal ground to justify data processing, as consent will not only need to be freely given, specific and informed, but must also consist of unambiguous, clear and affirmative actions by individuals. Moreover, consent is unlikely to be a valid legal ground in situations where there is a power imbalance between an RSL and an individual, for example: RSL and tenant; RSL and employee; or RSL and service provider;
- new accountability principle: this all new principle will require RSLs to keep detailed audit trails of their data processing activities, which must be made available to the Information Commissioner’s Office (ICO) on request. RSLs will also need to carry out Data Protection impact assessments of new measures and high risk data processing activities prior to implementation, including CCTV use for crime prevention and public safety and drone use for property condition surveys;
- an enhanced transparency principle: RSLs will need to provide more information to tenants at the point of data collection in clear and easy to understand format, including in relation to data retention periods and rights;
- a new right to be “forgotten”: individuals will be entitled to require RSLs to erase all personal data that they hold on them where there is no justification for holding it. This right could be invoked by, for example, former tenants or former employees of an RSL;
- a new right to data portability: individuals will be entitled to require RSLs to provide them or another organisation with their personal data in commonly used file formats to allow for the easy transfer of their personal data to the other organisation. This right could be used by tenants if they move to another RSL;
- an enhanced right of access: RSLs will only have a month to respond to subject access requests, a shorter time limit than the DPA’s 40 calendar days, and personal data must generally be provided free of charge;
- mandatory data security breach notification: RSLs will need to notify certain data security breaches (and details of the action taken in response) to the ICO and, in some cases, affected individuals within 72 hours of knowledge of the incident;
- Data Protection officers: the new accountability principle requires certain organisations to appoint a Data Protection officer (DPO) to monitor compliance with the Regulation within the organisation. Based on my experience of the types of data processing undertaken by RSLs in performing their functions and the public nature of RSLs’ functions, it is my view that RSLs will be required to appoint a DPO under the Regulation; and
- penalties: RSLs that do not comply with the Regulation could be subject to a fine of up to €20m or 4% of their turnover, whichever is higher, in the case of the most serious data security breaches.
What should RSLs do now?
I have been involved in advising many RSLs on preparing for the Regulation, and I have suggested that they first develop a Regulation compliance action plan by taking the following preparatory steps:
- undertake an audit to identify any shortcomings in DPA compliance and rectify them to ensure 100% compliance. If your RSL does not comply with the DPA now, then it will be difficult to meet the higher standards of the Regulation in a year;
- deliver staff training on the Regulation, focus on how it differs from the DPA and the impact that it will have on staff roles and how they engage with your tenants, suppliers and service providers;
- review your RSL’s existing forms, business correspondence, website and Data Protection statements and update them to comply with the Regulation. As part of this, existing consents may need to be reviewed and refreshed to meet the Regulation’s stricter requirements. Alternative legal grounds for processing may also need to be considered where consent is no longer valid or available;
- establish a framework to make your RSL more accountable on Data Protection compliance to the outside world by, for example, maintaining audit trails of data processing activities and decisions made with regard to processing;
- appoint a DPO to assume responsibility for Data Protection compliance and monitoring within your RSL. Ensure that the DPO is equipped with the necessary resources and legal knowledge and has the requisite authority to challenge your RSL on Data Protection compliance. If an RSL does not have the necessary expertise in-house, consideration should be given to outsourcing this function;
- review your RSL’s data security measures, test their effectiveness and maintain high data security standards to reduce the incidence of data security breaches;
- implement a data security breach management policy, detailing how your RSL will investigate and respond to breaches and report them to the ICO and affected individuals (if required); and
- understand the new individual rights and be prepared for individuals to exercise them from day one, by putting in place the appropriate policies and procedures.
- Daradjeet Jagpal (email@example.com) is legal consultant and director of Information Law Solutions, an independent consultancy providing advisory, training and audit services in Data Protection and Freedom of Information (infolawsolutions.co.uk).