After more than a year of build-up, GDPR has now been in force for over three months. But the real journey for the housing sector is only just beginning, as Daniela Flores, in-house counsel and GDPR officer at Insite Energy, explains.
The deadline of 25 May 2018 certainly created a sense of urgency, but the scope of GDPR extends far beyond this first milestone. Forward-thinking housing providers and local authorities are well aware of this and, rather than treating it as an administrative nightmare or a tick-box exercise, are focused on the bigger picture: data protection that flows through operations at every level and forms a core part of corporate values. Seen this way, it is not just a legal necessity but crucial to protecting and sustaining a business.
At Insite Energy, we manage metering, billing and payment services for heat networks, which involves processing a large volume of detailed personal data on behalf of our clients. With over 180 communal heating schemes and 20,000 units on our books, an effective GDPR strategy has therefore been a priority. We believe that now is the ideal time to reflect on what has been achieved so far, identify where improvements are needed and define the shape of things to come.
Rules of engagement
In the rush to take action, many organisations showed themselves to be confused about several aspects of GDPR.
Consent is widely seen as the defining feature of GDPR. Judging by the volume of emails sent out the day before GDPR came into effect, I suspect many believed it to be the only legal basis for processing personal data. But this isn’t the case: consent is just one of the six lawful bases set out in Article 6, alongside, among others, contract, legal obligation and legitimate interests.
For our clients in the housing sector, it is sufficient to provide tenants with a tenancy agreement containing suitable data protection clauses, together with a privacy notice explaining how their data is used and the legal basis for processing it. Where processing is necessary to perform that contract, the lawful basis is the contract itself (Article 6(1)(b)), and additional ‘consent’ is not needed. Asking for consent on top of it is actively unhelpful: consent can be withdrawn at any time, whereas processing that the tenancy depends on must continue regardless.
What they need to be clear on, however, is that as data controllers they remain responsible for the compliance of their contractors. Article 28 requires a written contract with each processor setting out the processing and its safeguards, and the same obligations flow down to any sub-processor, so everyone in the contractual chain must be bound by such terms before any personal data is transferred to a third party.
The role of a data protection officer (DPO) also needs to be fully understood. Many organisations appointed one ‘just in case’, without knowing whether they had a legal obligation to do so. Under Article 37 the obligation applies to public authorities, which includes local authorities, and to organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data. While a precautionary appointment may have seemed prudent, there is a lot more to it than simply giving someone a title.
The company must, for example, ensure that the DPO has expertise in data protection law and practices, as well as a complete understanding of the IT infrastructure and organisational structure. It can, in theory, appoint an existing employee, but only if their other responsibilities don’t interfere with their ability to perform the role of DPO.
It’s important to know that neither the controller nor the processor can instruct the DPO on how to perform their tasks; in fact, the DPO must report directly to the highest level of management. In addition, the DPO cannot be dismissed or penalised for performing their duties, must be given adequate resources to carry out their tasks, and so the list goes on. These requirements apply in full to a voluntarily appointed DPO just as they do to a mandatory one. Therefore, if a company is under no legal obligation to appoint a DPO, it should think very carefully before doing so; a data protection lead who is deliberately not given the DPO title can still coordinate compliance without triggering the statutory requirements, provided the organisation is clear that the role is not a DPO.
The fear of hefty fines from the Information Commissioner’s Office (ICO) for non-compliance was behind much of the reactive response to GDPR. Of course, this threat is still present, making it more important than ever that organisations adopt an effective long-term strategy. There are a number of steps to think about, such as:
- Cyber security – Apply security updates promptly so that known vulnerabilities in software are not left open to attackers. Cyber Essentials certification, the UK government-backed scheme covering firewalls, secure configuration, access control, malware protection and patch management, demonstrates that these baseline controls are in place.
- Risk assessments – Carry out regular vulnerability reviews to pick up changes in your systems and new threats to personal data, and conduct a data protection impact assessment (DPIA) before any processing that is likely to result in a high risk to individuals (Article 35). Consider every aspect, including where data is stored, how it is backed up and how employees access it remotely. Personal data should at least be encrypted at rest and in transit, with full-disk encryption on work laptops and other portable devices: a lost laptop whose disk is properly encrypted is a far smaller incident than one that is not, and Article 34 recognises this by removing the duty to notify affected individuals where the data has been rendered unintelligible to anyone who obtains it.
- Staff training – Enrol all staff on a GDPR course so that everyone understands the key compliance obligations and handles personal data appropriately, and refresh that training regularly rather than treating it as a one-off. Awareness of sensitive data and security should be part of your culture.
- Breach detection, investigation and reporting procedures – The ICO has useful guidelines on this. Remember that the clock starts when you become aware of a breach: one that is likely to result in a risk to individuals must be reported to the ICO within 72 hours (Article 33), and a processor must notify its controller without undue delay, so the procedure needs to be written down and rehearsed before it is needed. We also have to accept that human error is always a risk, and detection must be designed with that in mind.
- Formal accreditation – While there is as yet no certification specifically dedicated to GDPR, organisations looking for the next level of assurance should consider ISO/IEC 27001. It certifies an information security management system rather than GDPR compliance as such, but it covers much of the same ground.
Clarifying these issues and putting the correct processes in place is only part of the GDPR story. It is a living legal framework that will develop as regulatory guidance, new practices and new technologies emerge. Organisations will need to constantly re-evaluate their practices against these changing circumstances to ensure ongoing compliance.
The ones who will thrive in this new age of data protection are those who see it as an opportunity rather than a constraint. We know that consumers are more inclined to share data with organisations they trust, and isn’t transparency what GDPR is all about?
Daniela Flores is the in-house counsel and GDPR officer at Insite Energy.