ParaDPO was one of the ‘IT accelerators’ at the Housing Technology 2020 conference earlier this year; this article is an abridged version of Neil Topping’s presentation at the conference.
What we have been finding is that data protection officers (DPOs) are now leaving their posts: it has been over two years since GDPR came into effect and GDPR/DPA 2018 is now definitely business as usual. The fanfare and board attention have shifted to areas such as the Hackitt Report.
However, what are the GDPR-related risks at the moment?
- Housing providers are still using spreadsheets to record their GDPR/DPA 2018 compliance;
- Data sharing agreements are expanding in complexity and quantity;
- DPOs are leaving;
- Employees are still under-reporting breaches;
- Let’s not forget about Covid-19.
Risk one: Housing providers are still using spreadsheets
Let’s take a look at what data protection information an organisation needs to record:
- Records of processing – This needs to include consent management (when consent was given, the terms of the consent, and when it expires or is withdrawn), the lawful basis for processing all personal data, and all of the repositories where the personal data is stored and processed.
- Personal data breaches – There are three types of personal data breach: confidentiality; integrity; and availability. It’s important that these are captured promptly, because the 72-hour window for notifying the ICO runs from the moment the organisation becomes aware of a notifiable breach.
- Data subject rights – The organisation needs to show that it is compliant with the timescales of the different rights being exercised (one month from receipt, extendable by up to two further months for complex or numerous requests). This requires auditability and evidence that timescales have been met or extensions duly sought and recorded.
- Data and document retention periods – All data should have its provenance (i.e. where it came from) and the date on which it should be reviewed or deleted identified. Ideally, this should be automated either within a central database or in the system itself. If you can’t do this then you could create reports or store these in Excel, but that’s not ideal because there are lots of extra manual steps involved.
Moreover, if all of this is kept in spreadsheets then it inherits all of the usual problems of spreadsheets: overwritten data, lack of auditability, corrupt files and siloed locations.
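To make the contrast with a spreadsheet concrete, here is an added example (not code from the article or from ParaDPO's Myriad product) of a minimal register that records the events listed above as an append-only, hash-chained log, so that a later edit to an earlier entry is detectable rather than silently overwriting it. It computes the one-month data subject request deadline with the optional two-month extension, the 72-hour breach notification deadline, and flags retention reviews that have fallen due. The calendar-month rule used (same day of the next month, clamped to the month's last day) and all sample request, breach and asset identifiers are constructed for the example.

```python
"""Minimal auditable data-protection register (added example, not the article's own code).

Assumptions made here, not stated in the article:
- A data subject request is due one month from receipt (GDPR Art. 12(3)); a recorded
  extension adds two further months. "One month" is taken as the same calendar day in
  the later month, clamped to that month's last day where it does not exist.
- Breach notification to the supervisory authority is due 72 hours after the
  controller becomes aware (GDPR Art. 33(1)).
- All identifiers and dates in build_sample_register() are constructed sample data.
"""
import calendar
import hashlib
import json
from datetime import date, datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def add_months(d: date, months: int) -> date:
    """Same day of the month `months` ahead, clamped to the end of that month."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def dsr_deadline(received_on: date, extended: bool = False) -> date:
    """One month from receipt, or three months if an extension was recorded."""
    return add_months(received_on, 3 if extended else 1)


def breach_notification_deadline(aware_at: datetime) -> datetime:
    return aware_at + timedelta(hours=72)


def _digest(body: dict) -> str:
    # Canonical JSON so the same fields always hash the same way; dates become ISO strings.
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()


class Register:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, kind: str, **fields) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "prev": prev, **fields}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """False if any entry was altered, removed or reordered after being written."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def overdue_requests(self, today: date) -> list:
        """Request ids whose (possibly extended) deadline has passed without completion."""
        received, extended, done = {}, set(), set()
        for e in self.entries:
            if e["kind"] == "dsr_received":
                received[e["request_id"]] = e["received_on"]
            elif e["kind"] == "dsr_extended":
                extended.add(e["request_id"])
            elif e["kind"] == "dsr_completed":
                done.add(e["request_id"])
        return sorted(rid for rid, d in received.items()
                      if rid not in done and dsr_deadline(d, rid in extended) < today)

    def retention_reviews_due(self, today: date) -> list:
        return sorted(e["asset"] for e in self.entries
                      if e["kind"] == "retention" and e["review_on"] <= today)


def build_sample_register() -> Register:
    """Constructed sample events; none of these are real requests or assets."""
    reg = Register()
    reg.append("dsr_received", request_id="SAR-0001", received_on=date(2020, 1, 31))
    reg.append("dsr_received", request_id="SAR-0002", received_on=date(2020, 2, 3))
    reg.append("dsr_extended", request_id="SAR-0002", reason="complex request, subject informed")
    reg.append("dsr_received", request_id="SAR-0003", received_on=date(2020, 1, 20))
    reg.append("dsr_completed", request_id="SAR-0003", completed_on=date(2020, 2, 14))
    reg.append("breach", breach_id="BR-0001", category="confidentiality",
               aware_at=datetime(2020, 2, 20, 9, 0, tzinfo=timezone.utc))
    reg.append("retention", asset="tenancy-archive-2013", source="legacy housing system",
               review_on=date(2020, 2, 1))
    reg.append("retention", asset="cctv-footage", source="estate cameras", review_on=date(2020, 6, 1))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    today = date(2020, 3, 2)
    print("chain intact:", reg.verify())
    print("overdue requests:", reg.overdue_requests(today))
    print("retention reviews due:", reg.retention_reviews_due(today))
```

Each `append` returns the entry's hash; publishing the latest hash (for example in a board report) lets anyone later check that nothing before that point was changed, which is exactly the property a shared spreadsheet cannot offer.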
Risk two: Data sharing agreements are expanding in complexity and quantity
Everyone and their dog seems to want to set up a data sharing agreement. It’s great that this has become a ‘go-to’ action for company secretaries and governance teams, but a separate agreement is not always required where a suitable binding arrangement (e.g. a contract) is already in place.
The challenge here is that every organisation has tens or even hundreds of different agreements. These all have slightly different clauses and their own specific forms or mechanisms for making data sharing requests. In practice, in an operationally-focused customer service centre where every second counts, this just isn’t viable.
The key point here is to enable teams to incorporate data protection requirements into their service delivery processes with minimal disruption and customer impact.
Risk three: DPOs are leaving…
It has been over two years since GDPR/DPA 2018 came into force and many DPOs are now moving on. This leaves a void, especially if the DPO has been left to their own devices to manage all of the evidence of compliance.
It is difficult to find good DPOs so there will be a gap before your organisation is back up to full effectiveness in terms of data protection and compliance.
Risk four: Employees are still under-reporting breaches
There is always a risk of an unknown breach going under the radar. This risk can’t be fully eliminated, but it can be mitigated by a programme of training and awareness. Data governance should be incorporated so that data owners and data stewards understand their roles and responsibilities, and so that those roles and responsibilities are embedded throughout the organisation.
Risk five: Data Protection & Covid-19
ParaDPO has received many ad-hoc requests about the pandemic and inter-organisational data sharing. Health information is ‘special category’ data, so it requires additional consideration in terms of lawful basis, processing, storage and security.
To address the above problems, ParaDPO has been developing Myriad. Our first partnership with Look Ahead Care and Support is progressing well, with an ‘alpha’ version of Myriad already deployed.
Look Ahead identified a need to improve its GDPR processing including DPIAs and SARs. We are currently loading the data into Myriad and will be tailoring the workflow engine for Look Ahead in the coming weeks. Where Look Ahead previously had spreadsheets, Myriad will replace them and put the data into a structured and auditable system.
ParaDPO also provided ‘DPO-as-a-service’ for Look Ahead while it recruited a new DPO. This meant that ParaDPO offset risk three (above) during the search and on-boarding process; Look Ahead will continue to use DPOaaS on demand as it recognises the value of the expertise provided.
Neil Topping is the co-founder of ParaDPO.