Cutting straight to the point about GDPR, the central sentiment is that data belongs to the individual and not to you.
Depending on the letters you are planning to send then different rules apply. Housing providers would be unlikely to send marketing letters (which would mean that if you have built your database yourself then you should have acquired the relevant permissions). Equally, if you have purchased your data then you need to make sure that the data provider has obtained consent.
When you are processing transactional letters, such as invoices or legitimate service information, you can usually rely on the legal basis of ‘legitimate interest’. Just make sure you keep appropriate records to show that you are relying on that legal basis for processing this data and that your privacy notices are clear and up to date.
‘Controllers’ and ‘processors’ of data need to abide by GDPR legislation. A controller is responsible for how and why the data is processed, while the processor acts on the controller’s behalf.
You will need to develop technical and organisational measures to demonstrate compliance with GDPR. If you are working with an outsourced data processor, you must ensure that you have updated contractual terms.
Get to grips with data protection impact assessments (DPIAs) which help identify, assess and mitigate or minimise privacy risks with data processing activities. They’re particularly relevant when a new data-processing process, system or technology is being introduced and are a handy weapon in the war against cyber-crime.
DPIAs also support the accountability principle, because they help organisations comply with the requirements of GDPR and demonstrate that appropriate measures have been taken to ensure compliance.
The GDPR mandates that a DPIA should be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”.
Finally, you will need an understanding of the changes to data retention and to explore the likely legal grounds for the retention of particular data types that housing providers commonly require.
An ongoing, regular review will keep everyone on their toes, identify any glitches and help you sleep at night.
Chris Burridge is the business development manager at CFH Docmail.