Although many of the main principles of GDPR are the same as those of the current Data Protection Act, and even if you are already complying with it, there are new elements and significant changes which mean organisations will need to rethink their current procedures and practices.
There are a variety of ways in which housing organisations can prepare for this significant regulatory change. Below is an overview of the key actions you may wish to consider in preparation:
Data auditing
Although a data audit is not specifically required under GDPR, it’s essential that you have a comprehensive understanding of the data your organisation already holds. Audits are a great way of establishing whether or not your existing data handling will be GDPR compliant. By auditing your existing practices, you will gain a clear picture of the areas you may need to look into and improve.
Governance & accountability
It is essential to establish the key people or employees within your organisation and their direct responsibilities around GDPR. Who will be responsible for implementing the GDPR policy? Who is required to follow those policies as part of their job? Is your executive team on board? You may need a designated data protection officer or a GDPR consultant. As part of the accountability requirement, you will also need to make sure that everyone across the organisation is aware of what they need to do.
Staff training
It’s essential that all employees know about GDPR. Depending on the individual roles within your organisation, formal training may also be needed. As well as understanding GDPR, your staff will also need to understand how your specific internal processes will be affected by the forthcoming changes.
Lawful processing
This is one of the biggest elements of GDPR. You must now have what is known as a lawful basis for collecting and processing an individual’s data. The full details of what constitutes a lawful basis can be found in official EU guidelines, but examples include processing that is necessary to comply with other laws, processing that is necessary to carry out the service requested by the individual, or processing for which you have the individual’s explicit consent. As a result, you will now need to consider whether your organisation has a lawful basis for collecting the information that you currently request.
Consent
A major aspect of lawfully processing data is consent. It is critical that your organisation has a comprehensive policy and procedure in place, both for gaining consent in the first place and for storing a record of it afterwards. It is expected that the majority of GDPR fines will first be directed at organisations which fail to gain consent for their information processing activities, so planning ahead now in anticipation of the GDPR should be of utmost importance. It is also important to note that children are covered by the GDPR. As they cannot legally give their own consent to having their data collected or processed, you must receive consent from their parent or guardian instead.
Fiona Sheen is a learning technology consultant at Virtual College.