Social housing providers must find ways to work smarter and more efficiently to manage the impact of GDPR. Robert Brooks investigates.
The General Data Protection Regulation (GDPR) snowballed into force in May this year, and the impact on all sectors has been so large that in many ways the effects are still unknown and unpredictable. We have seen organisations panic, dumping data sets following the unnecessary sending of consent emails, and we have seen self-reporting (following a data breach) to the Information Commissioner's Office (ICO) grow by 173% in one month (May 2018-June 2018). The message, however confused, is getting out there.
So what does this mean to housing providers?
Social housing providers sit between their regulator (CLG) and the people they are providing a service to. Whilst the relationship between the regulator and provider will be governed by robust policy and procedures relating to data protection, the relationship between the provider and their clientele will be by contract. For individuals who use the provider's services (or data subjects, which for the purposes of this article means any person whose personal data is being collected, held or processed) this can be a complicated and daunting task, one that involves a great deal of personal information and data sharing communications. The types of data being shared or processed are important here as they will undoubtedly contain personal information, e.g. name, address and email. In addition, there is special category data, which is data that contains race, health, ethnic origin, political, religious, genetic and biometric data. Information relating to children and criminal records will also be determinable and shared. These data subjects may not have access to the necessary media to make best use of the services being offered to them, and therefore the data may need to be in many different formats and recorded or managed in many different ways. Data subjects may also be transient and therefore moving between different council wards. Many different third-party professionals may be needed to assist in the delivery of the services to the data subject.
All of these relationships involve communication, so understanding every aspect of the movement of information is vital. We carry out many data mapping activities and constantly see how these data landscapes can be complicated and ever growing. Once this work is carried out and recorded it is much easier to see any potential gaps and risks.
Being able to support data subjects during the use of these services is vital but understanding their rights as a service provider is critical. If all of the service provider's processes and policies are in order, acting upon a Subject Access Request (which is a request an individual can make to obtain access to their data) or dealing with a data breach will be much more manageable. So if the data detritus hits the fan, which, even with the very best intentions, it might, you will have plans in place to deal with it. The much talked about fines and bad publicity can be avoided if you can be seen to have taken positive steps towards compliance.
Does treating data with respect mean that the data subject gets the same treatment?
Data protection by design and default is a developed concept that was around before the GDPR but now plays a central role. This concept is a legal requirement and needs to be ingrained into the very fabric of an organisation to really have an effect. Its purpose is to ensure that privacy is a main ingredient of any new type of processing or product; this might include new tech such as a new app or file-sharing site. To help mitigate the potential risks that this type of new processing may bring, it is important to carry out privacy impact assessments, or PIAs as they are known.
This process can help by applying a question-and-answer approach to the risk faced, with a report as an outcome. A decision can be made on the future of the project or the processing based on this report, therefore helping to mitigate any risk.
The cornerstone of the GDPR centres on transparency and fairness; it's about data subjects knowing what will be or has been done with their data. This might be especially relevant when dealing with people that might be in need.
Robert Brooks is the privacy officer at Stephens Scown. Robert advises clients on data protection and privacy. To discuss this article or another data protection issue you can get in touch either by telephone 01392 210700 or by email firstname.lastname@example.org