With the much-publicised General Data Protection Regulation (GDPR) coming into effect in May 2018, companies are scrambling to ensure that they are set up to adhere to the new regulation in time for the deadline, or risk the resulting penalties.
Housing providers are required to hold and share a huge amount of personal data, including name and date of birth information, home address, dependents, racial or ethnic origin, religious belief, health conditions, gender, etc., often on behalf of particularly vulnerable people. Tenants' personal data is regularly shared with other organisations during the course of normal business and the associations are responsible for the protection of privacy in all cases. With this in mind, housing associations need to pay particular attention to what the new regulation means for them and how best to prepare for it. It is imperative that policies and procedures are in place for data storing and sharing but unfortunately, in a sector which is often under-resourced, these policies can be lacking.
The Information Commissioner’s Office (ICO) guidance explains that whilst GDPR, for the UK market, is an extension of the existing Data Protection Act (1998), there are significant differences and organisations will be subject to more scrutiny as a result of the new regulation. The old legislation is not up to date with the sheer volume of data which is now collected in a more digital era and GDPR will address the issues which businesses and individuals have been seeing. Organisations will be held accountable for the data they hold and must be able to evidence compliance in all transactions with individuals. Structured policies and procedures must be in place and communicated to all individuals who have visibility of personal information. Organisations need to identify what data they hold and who can see it, and put in place training for everyone who has access to personal information.
Housing associations collect and hold vast amounts of data, much of which is required to assist with welfare, education, health and immigration issues. However, a common problem within associations is the relevance of the data they hold. Often databases and filing systems are overloaded with mass amounts of outdated and unnecessary information. Organisations need to challenge themselves to identify what the data they hold is for, using the GDPR as an opportunity to clear a backlog. With increased data comes the need for more robust systems to cope with volume and ensure data protection, and this is where many organisations fall down, as legacy technology is often out of date and not equipped to meet the new requirements.
The GDPR also gives much greater control to data subjects, so tenants should have better visibility of their data with the right to access their personal information on request and even revoke if they feel it is no longer required. Housing associations will need to ensure tenants' information is easily accessible both by housing officers and to the tenants themselves on request.
As part of these stricter requirements, consent must be explicit; permissions must be easily understood with the minimum use of jargon. There is a huge amount of contradictory information, scaremongering and confusion surrounding the ‘consent’ part of the GDPR regulation; however, in the regulation there is just as much emphasis on the ‘communication’ aspect, giving data subjects the chance to retract permission and manage their rights. The regulation will actually empower individuals with control over their own personal data whilst also making organisations who deal with personal information more accountable for its security. A common problem within this sector is that many tenants do not hold a digital footprint, so organisations need to be able to provide consent and consent management in hard copy. The process should be easy to understand without the requirement for computer literacy.
As the compliance deadline nears, GDPR has taken on an often negative reputation with more than its fair share of scaremongering and confusing noise around the regulation but little real understanding of what is required. Many news stories focus on the increased fines which will be put in force for data breaches and fear surrounds the new requirement to report any breaches within 72 hours or face heavy penalties.
To many, GDPR appears to be a logistical nightmare; however, this doesn’t have to be the case. In fact, GDPR could be considered an opportunity to separate valuable data from out-of-date or junk information and spring clean databases, making it easier to hold quality data over unnecessary quantity. This is also an opportunity for housing officers and housing associations to build better trust relationships with their tenants, a factor which is so important, particularly when dealing with sensitive information and vulnerable individuals.
Housing associations must place their focus on the most important factor, the data subject, whilst also using the opportunity to clear a backlog of unnecessary information and provide a better, trusting and more secure service to clients. There is no doubt this will be a challenge and organisations will need to consider resourcing levels, legacy technology, training and overall procedures as part of the process.
- Mike McEwan is UK CEO of SaaS-based GDPR solution, ICONFIRM