If someone isn’t already working on GDPR readiness in your organisation, they should be. The aim of this article is to cover the tasks every housing provider should undertake in order to be as ready as possible for the new regulation in May 2018. This article doesn’t cover what GDPR is or why it’s coming as that’s already been done to death in the media, but just be aware that there seems to be as much fake news as there is fact.
So where do you start?
Awareness and buy-in
GDPR readiness will require efforts from all areas of your business, alongside business as usual, so getting suitable buy-in from your senior management is critical. With nine months to go, GDPR should be flagged as a corporate risk so there is also a need for board-level awareness.
Research and gap analysis
How compliant are you with the current Data Protection Act, and how far away are you from GDPR? Understanding the requirements may need significant research, followed by a gap analysis exercise (the Information Commissioner’s Office website provides online assessments to help with this).
Data protection officers (DPO)
Not every company needs a data protection officer (the function can be outsourced or shared), but as a housing provider processing thousands of tenant records, you will need one. While the DPO must be independent of any operational team, responsibility for managing your GDPR project can sit elsewhere within your business.
Information register
Possibly the largest piece of work for GDPR compliance is the creation of an ‘information register’ to understand the information you process. You will need subject matter experts in all areas of the business to facilitate this; they know their part of the organisation and what is stored where, why, and for how long, etc. (the Isle of Man ICO website provides an excellent template for the 5 Ws to help with this activity).
Once completed (and it will take some time), the register will detail not only the information you store, where it is stored including archives, retention timeframes, and who the information is shared with (important for supplier/third-party risk), but also the touch points with any ‘data subjects’, which will identify where consent may be required.
Knowing where information is stored will also help identify whether data is stored outside an EU state, which will require research and understanding of ‘territorial reach’. Ensuring each activity is process mapped will also help to validate the audit results and will enforce consistency across similar teams.
Consent
There are various reasons why you can lawfully process an individual’s data, and these will be documented in your information register. No further consent is required over and above a tenancy agreement unless you are using that individual’s data for something outside that context. You will only need to revisit existing consent if something changes, such as collecting additional information or deciding to use existing information for another purpose.
Where consent is required, the wording in the consent notice is likely to need updating. Consent notices need to be clear, unambiguous and based on a positive ‘opt-in’ approach; the consent itself must be kept as a record, and this generally includes any form of direct marketing. If services are provided directly to children, then further guidelines are in place, and the consent notice must be written so it can be easily understood by the reader.
Individual rights
There are two new rights under GDPR: the ‘right to portability’ and the ‘right to be forgotten’, the latter being the one that the media are picking up on. You will need a documented process to ensure these (and the other rights) are carried out consistently and within an appropriate timescale.
The right to access (subject access requests) is changing from the current £10 charge and 40 calendar days’ turnaround to being provided free of charge and within 30 days. Staff also need to understand how to recognise an individual exercising one of their rights, as many won’t understand the jargon involved.
Breach notification
Under GDPR, there are certain circumstances in which the ICO needs to be notified of a breach, and others in which the individuals affected need to be notified. You will need a documented process to confirm that there has been a breach, who you will involve in the investigation, whether the ICO and affected individuals need to be informed, and how and when you will communicate the breach. If the breach is reportable, it needs to be reported to the ICO within 72 hours of you becoming aware of it, so organisations need to act quickly to carry out their initial investigations.
Data protection impact assessment (DPIA)
Current best practice is to carry out a privacy impact assessment (PIA) for any project that will process large volumes of personal data, in order to reduce privacy risks. Under GDPR, a ‘DPIA’ is mandatory under certain circumstances, such as a change to an IT system or implementing CCTV in a building, with the results of the assessment evidenced and revisited if the project scope changes. The outcome of each DPIA will help enable continuous improvement of the information register.
Privacy by design
The security of the information you process is a large part of GDPR compliance. As such, certifying against a standard such as Cyber Essentials or, better still, ISO 27001 would be of great benefit. Depending on your starting point, this may be out of reach in the timescales remaining, but reviewing your security practices against one of these standards would still be hugely beneficial.
Third parties & suppliers
The information register will help identify where data is shared with third parties and suppliers. There are new obligations for data processors under GDPR, including increased legal liability if they are responsible for a breach. As data controller, you have an obligation to ensure your subcontractors comply with GDPR.
Don’t be panicked by the scaremongering. Act now, seek senior level buy-in, create a project team and focus on the activities required. There is no silver bullet despite what some resellers are claiming, although there are an increasing number of products that can help with some of the specific requirements. Join the ‘housing privacy and security’ LinkedIn forum where many of your peers are networking and sharing progress and ideas.
To return to my first point, I can’t urge you strongly enough to make sure you have GDPR covered; in addition to the legal and reputational implications, ignoring it also leads to the risk of a downgrade from the regulator.
Paul Sandersfield is head of data governance at Gentoo Group.