Housing Technology

Getting ready for GDPR

If someone isn’t already working on GDPR readiness in your organisation, they should be. The aim of this article is to cover the tasks every housing provider should undertake in order to be as ready as possible for the new regulation in May 2018. This article doesn’t cover what GDPR is or why it’s coming as that’s already been done to death in the media, but just be aware that there seems to be as much fake news as there is fact.

So where do you start?

Awareness and buy-in

GDPR readiness will require efforts from all areas of your business, alongside business as usual, so getting suitable buy-in from your senior management is critical. With nine months to go, GDPR should be flagged as a corporate risk so there is also a need for board-level awareness.

Research and gap analysis

How compliant are you with the current Data Protection Act, and how far away are you from GDPR? Understanding what the requirements are may require significant research, followed by a gap analysis exercise (the Information Commissioner’s Office website provides online assessments to help with this).

Data protection officers (DPO)

Not every company needs a data protection officer (the function can be outsourced or shared) but as a housing provider processing thousands of tenant records, you will need one. While the DPO must be independent of an operational team, responsibility for managing your GDPR project can sit elsewhere within your business.

Information register

Possibly the largest piece of work for GDPR compliance is the creation of an ‘information register’ to understand the information you process. You will need subject matter experts in all areas of the business to facilitate this; they know their part of the organisation and what is stored where, why, and for how long, etc (the Isle of Man ICO website provides an excellent template for the 5 Ws to help with this activity).

Once completed, and it will take some time, it will not only detail the information you store, where it is stored including archives, retention timeframes, and who the information is shared with (important for supplier/third-party risk), but also the touch points with any ‘data subjects’ which will identify where consent may be required.

Knowing where information is stored will also help identify if data is stored outside an EU state, which will require research and understanding on ‘territorial reach’. Ensuring activity is process mapped will also be helpful to validate the audit results and will help enforce consistency across similar teams.

Consent

There are various reasons why you can lawfully process an individual’s data, and this will be documented in your information register. No further consent is required over and above a tenancy agreement unless you are using that individual’s data for something outside that context. You will only need to revisit existing consent if something changes, such as you collect additional information or decide to use existing information for another purpose.

Where consent is required, the wording in the consent notice is likely to need updating. Consent notices need to be clear, unambiguous and take a positive ‘opt-in’ approach, and the consent itself must be kept as a record; this generally includes any form of direct marketing. If services are provided directly to children, then further guidelines are in place, and the consent notice must be written so it can be easily understood by the reader.

Individuals’ rights

There are two new rights under GDPR: the ‘right to portability’ and the ‘right to be forgotten’, the latter being the one that the media are picking up on. You will need a documented process to ensure these (and the others) are carried out consistently and within an appropriate timescale.

The right to access (subject access requests) is changing from the current £10 charge and 40 calendar days’ turnaround, to be provided free of charge and within 30 days. Staff also need to understand how to recognise an individual exercising one of their rights, as many won’t understand the jargon involved.

Privacy policy

Your website should already include a privacy policy summarising your commitment to data protection. This may need revising for GDPR for the same reasons as consent notices: making it unambiguous and easy to understand.

Breach

Under GDPR, there are certain circumstances whereby the ICO needs to be notified of a breach. There are also circumstances whereby the individuals affected need to be notified. You will need a documented process in order to confirm that there has been a breach, who you will involve in the investigation, whether the ICO and affected individuals need to be informed, and how and when you will communicate the breach. If the breach is reportable, it needs to be reported to the ICO within 72 hours of you being made aware, so organisations need to act quickly to carry out their initial investigations.

Data protection impact assessment (DPIA)

Current best practice is to carry out a privacy impact assessment (PIA) for any project that will process large volumes of personal data in order to reduce privacy risks. Under GDPR, a ‘DPIA’ is mandatory under certain circumstances, such as a change to an IT system or implementing CCTV in a building, with the results of the assessment evidenced and revisited if the project scope changes. The outcome of each DPIA will help enable continuous improvement of the information register.

Privacy by design

The security of the information you process is a large part of GDPR compliance. As such, accrediting to a standard such as Cyber Essentials or better still, ISO27001, would be of great benefit. Depending on your starting point, this may be out of reach in the timescales remaining, but reviewing your security practices aligned with one of the standards would be hugely beneficial.

Third parties & suppliers

The information register will help identify where data is shared with third parties and suppliers. There are new guidelines for data processors under GDPR, including increased legal liability if they are responsible for a breach. You as data controller have an obligation to ensure your subcontractors comply with GDPR.

Generally…

Don’t be panicked by the scaremongering. Act now, seek senior-level buy-in, create a project team and focus on the activities required. There is no silver bullet despite what some resellers are claiming, although there is an increasing number of products that can help with some of the specific requirements. Join the ‘housing privacy and security’ LinkedIn forum where many of your peers are networking and sharing progress and ideas.

To return to my first point, I can’t urge you strongly enough to make sure you have GDPR covered; in addition to the legal and reputational implications, ignoring it also leads to the risk of a downgrade from the regulator.

Paul Sandersfield is head of data governance at Gentoo Group.

See More On:

  • Housing Association: Gentoo Group
  • Topic: Housing Management
  • Publication Date: 059 - September 2017
  • Type: Contributed Articles
