ParaDPO’s co-director Clifford Barton explains how GDPR is now part of our everyday existence (not that the Data Protection Act 2018 is beyond current thought), ranging from the curious tenant or the fractious employee wishing to exercise their rights over how their personal data is used, to the largest housing providers with a duty of care to look after and safeguard the rights of the people they provide for and work with.
Through GDPR, housing providers have very recently seen significant change, albeit imposed upon us. What was previously a nice-to-have is now a mandatory must-have; the rights of the natural person, client or employee must now be rigorously observed.
Personal data is not just about individuals’ names, addresses, ethnicity, health details and unlawful transgressions; it is about information that can be used to identify a person either directly or by inference (more recently through metadata [data about data]).
There are now a multitude of requirements surrounding personal data usage, including the need to:
- Provide a reason for collection and why it is being processed;
- Determine how long it will be held for;
- Account for the data lifecycle and journey as it progresses through an organisation (and potentially beyond to third parties);
- Identify what categories of data subject information are held;
- Provide a legal reason for collection and storage;
- Specify which data is special category or criminal;
- Describe what security arrangements are in place for the data.
Personal information is held under trust and we must exercise this trust from an empathetic perspective. We must always respect the rights of the data subject. But how do we treat mountains of personal data and make sense of it? Moreover, how do we treat personal data in the context of GDPR without losing sight of the wider legal landscape?
The ICO mandates the use of an information asset register for every organisation that holds and/or processes personal data, requiring each to ‘maintain a record of processing activities under its responsibility’.
This translates into each organisation having to record what personal data is collected and how it is used. To this end, the ICO provides a couple of rudimentary templates for maintenance purposes, though use of these is not mandatory. Each organisation is at liberty to record pertinent personal data information in whatever manner suits it (provided it meets the above aim of an organisation holding a dynamic information asset list).
The ICO’s spreadsheets are inelegant, cumbersome and cost- and labour-intensive. These templates require significant ongoing input, a lot of management and a raft of training to keep staff aware of their GDPR obligations.
But surely this can’t be the answer (and not just because businesses are migrating away from spreadsheet use)? The solution, therefore, is a systematised and dedicated personal data audit application.
To keep track of swathes of data is an immense task. No set of spreadsheets could ever do it justice, especially for organisations that by necessity pass and process personal data to third parties (such as local authorities, Police, charities and other housing providers) on a daily basis.
Like most businesses today, housing providers are both data-reliant and data-subservient. Many are using the introduction of the GDPR as a lever for business change and transformation, in the process realising that efficiencies and economies of scale can be introduced through the addition of dedicated applications that make the management of data (both personal and operational) more controllable and accountable, which is especially pertinent in today’s internal/external audit environment.
ParaDPO has considerable experience in personal data management and with GDPR implementations in the housing sector, and we understand the inadequacies and shortfalls of spreadsheet-style personal data solutions. The solution is therefore to manage personal data through a dedicated relational information asset database (ParaDPO’s version of this is called Myriad) which can be interrogated and quizzed to provide a wide range of personal data information views for any organisation, not only as the ICO stipulates, but also to improve the general understanding of how personal data is distributed internally and externally by an organisation.
Clifford Barton is co-director of ParaDPO.