
Housing Technology


GDPR is here – What happens next?

After over a year of build-up, GDPR has now been in force for over three months. But the real journey for the housing sector is only just beginning, as Daniela Flores, in-house counsel and GDPR officer at Insite Energy, explains.

The deadline of 25 May 2018 certainly created a sense of urgency, but the scope of GDPR extends far beyond this first milestone. Forward-thinking housing providers and local authorities are well aware of this and, rather than seeing it as an administrative nightmare or tick-box exercise, are focused on the bigger picture, where data protection flows through operations at every level and is a core part of corporate values. In this context, it is not just a legal necessity, but crucial to protecting and maintaining a business.

At Insite Energy, we manage metering, billing and payment services for heat networks, which involves processing a huge volume and detail of data on behalf of our clients. With over 180 communal heating schemes and 20,000 units, having an effective GDPR strategy has therefore been a priority. We believe that now is the ideal time to reflect on what has been achieved so far, identify where to make improvements and define the shape of things to come.

Rules of engagement

In the rush to take action, many organisations showed themselves to be confused about a number of different aspects of GDPR.

A basic principle of GDPR is consent. Judging by the volume of emails sent out the day before GDPR came into effect, I suspect many believed this to be the only legal basis for processing personal data. But this isn’t the case.

For our clients in the housing sector, it’s sufficient to provide tenants with an agreement with suitable data protection clauses, as well as a privacy notice explaining how data is used and the legal basis for processing it. As a contractual relationship, additional ‘consent’ is not needed.

What they need to be clear on, however, is that they are responsible for all of their contractors’ compliance; everyone in the contractual chain must be compliant before any personal data is transferred to a third party.

The role of a data protection officer (DPO) also needs to be fully understood. Many organisations appointed one ‘just in case’, without knowing if they had a legal obligation to do so. While it may have seemed prudent to take such action, there is a lot more to it than simply giving someone a title.

The company must, for example, ensure that the DPO has expertise in data protection law and practices, as well as a complete understanding of the IT infrastructure and organisational structure. It can, in theory, appoint an existing employee, but only if their other responsibilities don’t interfere with their ability to perform the role of DPO.

It’s important to know that neither the controller nor processor can instruct the DPO on how to do their job; in fact, the role must report to the highest level of management. In addition, the DPO can’t be dismissed or penalised for performing their duties. They must have adequate resources to carry out assigned tasks, and so the list goes on. Therefore, if a company is under no legal obligation to appoint a DPO, it should think very carefully before doing so.

Strategic approach

The fear of hefty fines from the Information Commissioner’s Office for non-compliance was behind much of the reactive response to GDPR. Of course, this threat is still present, making it more important than ever that organisations adopt an effective long-term strategy. There are a number of steps to think about, such as:

  • Cyber security – Ensure software is updated regularly to avoid weak spots. The ‘Achieving Cyber Essentials’ certification will also demonstrate IT security to government standards.
  • Risk assessments – Carry out vulnerability reviews to address any changes or new threats to data protection. Consider all aspects, such as data storage and remote access for employees. Personal data should at least be encrypted, including on work laptops.
  • Staff training – Enrol all staff on a GDPR course to ensure everyone is aware of key compliance obligations and handles data appropriately. Awareness of sensitive data and security should be part of your culture.
  • Breach detection, investigation and reporting procedures – The ICO has useful guidelines on this, but we all have to realise that human error is always a risk.
  • Formal accreditation – While there is as yet no certification specifically dedicated to GDPR, organisations looking for the next level of accreditation should consider ISO27001.

Clear vision

Clarifying these issues and instigating correct processes is only part of the GDPR story. It is now a real-time legal framework that will develop as new practices and technologies emerge. Organisations will need to constantly re-evaluate practices against these changing circumstances to ensure ongoing compliance.

The ones who will thrive in this new age of data protection are those who see it as an opportunity, rather than a constraint. We know that consumers are more inclined to share data with organisations they trust, and isn’t transparency what GDPR is all about?

Daniela Flores is the in-house counsel and GDPR officer at Insite Energy.

See More On:

  • Vendor: Insite Energy
  • Topic: Finance Management, General News, Housing Management
  • Publication Date: 065 - September 2018
  • Type: Contributed Articles
