Along with every other organisation holding customer and employee personal data, the housing sector will need to comply with stringent new laws which come into force on 25 May 2018. The General Data Protection Regulation (GDPR) is EU legislation designed to strengthen data protection rules and replaces the existing Data Protection Act (DPA). It’s far more rigorous than the DPA and comes with much more stringent penalties of up to €20m or four per cent of annual turnover for non-compliance. Compare this with the current maximum fine of £500,000 that the Information Commissioner’s Office can levy and one can see it’s a big leap. It’s important to note that GDPR applies regardless of the UK’s decision to leave the EU.
GDPR applies to all organisations that handle personal data. Applied to a housing provider, that data takes many forms. Tenants’ personal information, their bank details and copies of land registry information would all fall within this remit and, if compromised, could be highly damaging in the wrong hands. GDPR will also apply to a housing provider’s employees – again their contact details, tax records and salary information (for example) all constitute valuable data that must be protected in order to comply with GDPR.
What are the differences between GDPR and the Data Protection Act?
GDPR builds on the Data Protection Act but applies a lot more rigour. The key difference is accountability. Essentially, organisations must ensure that personal data is only collected for valid reasons, stored securely, and accessed ‘only by those who need it’ for valid data-processing reasons. There is also a requirement to delete the personal data once it is no longer needed for the processing activity. Data controllers must also comply with the ‘right to be forgotten’ when an individual asks for their data to be erased if it’s no longer required for processing or if the individual no longer has an ongoing commercial agreement with the data controller.
Proof of GDPR adherence could be requested at any stage. This means organisations will need to provide evidence of their policies on data handling, prove they are processing the data lawfully and show that they have consent. GDPR also mandates special considerations for children’s personal data. Additionally, public organisations and enterprises processing a certain number of data records will need to appoint a data protection officer (DPO).
Payments come with extra regulations
Most housing providers will have their tenants on direct debit but there will still be occasions when one-off payments need to be taken by credit or debit card. It’s not commonly understood, but existing Payment Card Industry (PCI) regulations are very tight on how card payments can be taken. For example, if the cardholder is not present, then unless there is an approved, documented process and policy for doing so, it shouldn’t be possible for the housing provider’s employee (if speaking to the tenant over the phone) to write down card details. They should also not repeat the card number back to the customer, since sensitive cardholder details can be captured using a recording device. Instead, a housing provider should look to de-scope its call-centre environment. The best way to do so is to use a payment application which allows the caller to key in their payment information over the phone without sharing the data with the agent on the other end of the call. These requirements are in place today under the Payment Card Industry Data Security Standard (PCI DSS), but under GDPR enforcement will be stepped up and penalties for non-compliance will fall within the tougher fine structure.
What does the housing sector need to do?
It’s important to remember that while technology can help, the main challenge is around people and processes. It’s more a case of ‘what we’ve always needed to do’. The first step is to formulate a plan. Housing providers should think about all the areas where personal data is stored. Storing anyone’s data constitutes a risk for them, so organisations should think about how that risk can be mitigated. Is access restricted to only those who need it as a specific part of their job function? Is data encrypted, so that if a cybercriminal does breach the systems there is less chance of them being able to read it? Housing providers should ask whether they actually need to capture the data in the first place; if data doesn’t exist, it can’t be breached, so think carefully about the amount of personal data you hold on individuals.
It should be remembered that a key difference between GDPR and the DPA is that the former is more up-to-date with modern technology; for example, it means that IP logs of tenants looking at their housing provider’s website would constitute personal data and fall within GDPR. Similarly, if personal data has been collected for marketing purposes but to some extent anonymised and ‘tagged’ according to certain group characteristics, it can still fall within the scope of the GDPR depending on how difficult it is to unravel this and isolate it to a particular individual.
The housing sector needs to act now (if it hasn’t already)
GDPR is the biggest upheaval in how data is handled in 20 years and there’s only just over a year for the housing sector to become compliant. Many will see it as a burden, but much of it is good business practice that should be embraced. The process will give reassurance to employees and customers that their data is being securely stored and accessed in accordance with the new law. In particular, we have seen in other sectors over the past few years the damage and angst that can be caused by cyber-attacks when personal data has been exposed. Had some of these organisations been GDPR compliant, their customers would have been spared a lot of anxiety and firms wouldn’t have suffered such damage to their reputations. While becoming GDPR compliant will be a legal requirement, it makes sense to do this in any case.
Brad Semp is director of PCI services at GCI.