Few sectors in the UK hold as much personal data as the housing sector, from information on pay and benefits to details on religion and criminal history. The possession of such data means the sector is likely to be seen as a lucrative target by cyber criminals.
The principal punitive costs of GDPR are well documented both here in Housing Technology and also in the wider media, but the fall out might not end with an EU-levied fine, consequent reputational damage and costs related to an actual breach; class-action lawsuits are a lesser-known threat.
GDPR makes it much easier for individuals to bring private claims against data controllers and processors. According to its terms, data subjects can lodge complaints to consumer protection bodies, pushing them to bring claims on their behalf, which will inevitably increase the rate of group privacy claims against businesses.
As per Article 82, any individual has the right to claim compensation from the controller or processor for either ‘material or non-material damage’ as a result of GDPR infringement. The phrasing ‘non-material’ is poignant here, indicating that even if individuals haven’t suffered tangible financial losses, they are nevertheless entitled to make claims against controllers and processors to secure compensation. Also, where a controller or processor has paid full compensation for the damage suffered, they are also entitled to claim back from the other controllers or processors.
GDPR defines ‘personal data’ in very broad terms: ‘Any information concerning an identified or identifiable natural person’. Taking an equally-broad interpretation, this includes basic identity information such as names and addresses, but it also covers a broader scope. Web data and location data may also all be covered if it can be indirectly linked to a living person. Given the physical nature of housing, all of these data types and more – including the details of children, which are paid special attention by GDPR – are likely to be in the possession of housing providers.
Given that GDPR imposes such a high bar for compliance, other sectors are sometimes being told the most effective approach may simply be to avoid processing personal data in the first place. This simply isn’t an option for housing providers. Instead, thought should be paid to whether data that doesn’t need to be kept is deleted, or information that does is anonymised or encrypted.
Either way, data in its entirety will become incredibly important for the housing sector under GDPR and it is up to organisations to determine how to handle it. The regulation does have its challenges and complexities but being prepared should be viewed as a positive by the housing sector. It presents an opportunity for organisations to assess the state of the data they hold, ensure they are only holding what is necessary and put in place the appropriate technical and organisational measures required to protect their data subjects.
Compliance is more than achievable, and it’s certainly not too late for unprepared organisations to act. Support is available, and for businesses with complex data and IT systems, managed service providers can be a helping hand.
Lee James is the chief technology officer for EMEA at Rackspace.
