As part of our focus on GDPR in this issue, Housing Technology interviewed seven GDPR experts from Aareon, BT, Clearview, Data Protection People, Hitachi Solutions and Impact Reporting on how housing providers should approach the impending legislation.
Urgent GDPR issues
Regarding which aspects of GDPR housing providers should address most urgently (i.e. the ‘quick wins’), Hitachi Solutions’ senior GDPR project manager, Andy Gill, said, “Based on the excellent 12 step guide from the ICO, the most urgent aspects should be people awareness and buy-in, and how they will respond to subject access requests within the time allowed, especially given the number of IT systems they will have to search.”
Geraint Griffiths, joint managing director of Aareon UK, added, “The most important thing is to ensure your residents (and other relevant parties) understand why data is being collected and for what purpose.”
BT’s CIO for regional government and health, Phil Brunkard, said, “The ICO published a report, ‘Findings from ICO advisory visits to social housing organisations’, which set out some of the most important data protection issues for housing providers to address. They included proper encryption of portable electronic devices and locking down the use of external storage devices such as USBs and CD/DVD drives; secure printing controls; data security policies for home-working staff; role-based access to records; monitoring and managing of security policies and procedures; and staff training regarding their obligations for the protection of personal data.”
GDPR in housing
While GDPR covers organisations of all types, the nature of the data that housing providers hold concerning their tenants means that some parts of GDPR are particularly pertinent.
Mark Hobart, managing director of Clearview, said, “Many organisations see GDPR as a ‘tick box exercise’ to gain compliance, but it’s much more than that, and is possibly an opportunity to create processes for improving the value for money equation. Data within a housing provider is constantly changing and therefore organisations need systems to manage their data on an ongoing basis to ensure compliance is achieved and then maintained.
“No-one will want to get fined for a breach and everyone will want to be able to efficiently service subject access requests and the like. It is therefore worth investing to get it right.”
Liam Fitzpatrick, a data protection consultant with Data Protection People, said, “Transparency is an area in which housing providers should strive to excel. Having easy to understand but thorough (layered) privacy notices will reinforce trust with tenants who will be given a better understanding as to what actually happens with their personal data and who it is shared with.”
Impact Reporting’s product manager, Chris Farrell, added, “The essence of GDPR is to ensure that personal information trusted to a business is used appropriately. Therefore, the need for a contract between tenants and housing associations puts the sector in a stronger position for holding data than others (for example, a travel company just looking for people to add to a promotional mailing list) but with this comes more responsibility to use it sensibly.”
GDPR for business improvement
As with the introduction of any new regulatory framework, organisations can decide between basic compliance or using compliance as the springboard for business improvements.
BT’s CTO for cyber and secure systems within the public sector, Mike Pannell, said, “GDPR planning is a good opportunity for an organisation to review the historic data they may have collected but is no longer needed. A data-cleansing exercise can enable an organisation to operate more efficiently through easier data retrieval. In addition, compliance with GDPR can differentiate one organisation from another; reputational damage to anybody from losing personal data can be irreparable.”
Data Protection People’s Fitzpatrick said, “While running a number of GDPR transformation projects, one thing that has struck me is how much they lead to an improvement in both governance and business processes. Assigning responsibilities, understanding data flows, having rigorous policies and procedures and being accountable for the personal data in your possession all help elsewhere in the day-to-day business.
“Certain housing providers I worked with had staff who had never questioned the ‘why?’ behind certain processes; taking a step back and having a critical look at things has led many to identify personal data which was being collected unnecessarily and thus identified an inefficiency. Better retention schedules could also lead to a reduction in the huge amounts of personal data which is collected by most housing associations; and this means lower storage costs, a happier IT department and greater compliance.”
Hitachi Solutions’ Gill said, “GDPR should be used as a catalyst to purge old, redundant data and to instil a cultural change regarding how personal data is treated and retained. There is also an opportunity to build customer confidence and loyalty by showing customers how well you take care of their data, such as proactively issuing privacy notices and not just reacting to a SAR.”
Difficulties with GDPR
Aareon UK’s Griffiths said, “One of the most difficult things about GDPR is convincing the business that it is more than just an IT issue and that software can’t just make the organisation instantly compliant.”
Clearview’s Hobart added, “We see a number of challenges from an IT perspective: where do I keep personal data across my vast IT infrastructure; how can I catalogue data across multiple structured, semi-structured and unstructured data sources; how can I create a single view of information to easily identify all data belonging to any particular data subject; how do I maintain readiness after the introduction of GDPR, and will my systems cope with the new rights of data subjects; finding the resources to do it; and, finally, being able to quickly cascade awareness training across the organisation.”
Gill from Hitachi Solutions said, “For many organisations, the biggest challenge will be the sheer number of systems which they may have to trawl to respond to a SAR. Much of this data may be badly indexed, in poorly structured file stores and therefore not easily discoverable. As a result, undertaking data privacy impact assessments (DPIAs) to build clear data maps and a data dictionary of personal data items across many disparate systems will be challenging for many.”
IT help with GDPR compliance
IT is merely an enabler for GDPR compliance, by providing the underlying technology and data framework to support a housing provider’s GDPR processes and procedures.
BT’s Pannell said, “In our view, there are five key technology areas that can help with GDPR compliance: data encryption, data loss prevention, content protection, data archiving, and network protection and detection. Individually, each of these areas requires careful planning to ensure a seamless solution across the different technologies. IT can provide the tools, but only the business can decide how they use them in their specific context.”
Data Protection People’s Fitzpatrick added, “IT definitely has a role to play in GDPR compliance. This includes advising the business on appropriate access controls for all information assets, implementing proper disaster recovery plans and ensuring they are effective, helping incorporate privacy by design and default into all new systems, assisting with DPIAs, helping with due diligence checks on suppliers and assisting with the retrieval, removal and blocking of personal data for data subjects’ access right requests.”
GDPR-specific software vs. existing IT systems
Regarding the choice of implementing GDPR-specific software versus using existing core business applications, Clearview’s Hobart said, “There is no ‘silver bullet’ for GDPR. Every solution will only work with enterprise-wide adoption and conformity, with each and every employee educated on their responsibilities in regards to GDPR and what they can and can’t do. Data discovery software will help enormously; without it, they won’t find the weaknesses in their strategy until they receive their first data portability request on 25 May!
“They should also consider asking all of their software suppliers for a GDPR-compliance statement and understand when their software will be compliant.”
Hitachi Solutions’ Gill added, “The choice between GDPR-specific software and using existing software depends on what systems they have currently and the extent to which they have previously adopted a security and compliance framework model, such as ISO27001. That said, we suspect that many housing providers will need new systems to help with the workload, such as case management solutions, and that many should take the opportunity to move the data they want to retain to a more manageable environment, such as a cloud solution hosted in Microsoft Azure.”
Impact Reporting’s Farrell said, “Housing providers need to assess their current software to ensure it enables GDPR compliancy and doesn’t in fact create masses of extra administrative work.
“If your current software needs updating, it would be a good idea to look at options that have been specifically designed to make GDPR as easy as possible. In particular, ‘the right to be forgotten’ means that if you’re contacted by someone who doesn’t want you to hold their information any longer, you will have 30 days to delete all traces of their data from your systems. This can be quite a substantial task if the software you’re using isn’t streamlined; it needs to be easy to pull all information you hold on an individual and delete it.”
Balancing process changes with IT changes
Brunkard from BT said, “There is always a trade-off in the cost, benefits, effort and risk mitigations when considering the extent to which processes are automated. The business may need to consider short-term manual measures to meet the GDPR deadline but ultimately such interim steps will need to be reassessed against dealing with longer-term complexities and further data-handling risks downstream.”
Aareon UK’s Griffiths concluded, “The priority is that your IT systems need to be able to support the business processes being implemented to ensure the rights under the act are respected. It’s really important to understand that GDPR compliance is a business project supported by IT, rather than an IT project that brings GDPR compliance.”
Housing Technology would like to thank Geraint Griffiths (Aareon UK), Phil Brunkard and Mike Pannell (BT), Mark Hobart (Clearview), Liam Fitzpatrick (Data Protection People), Andy Gill (Hitachi Solutions) and Chris Farrell (Impact Reporting) for taking part in this interview.