
6 things housing associations should be considering now in relation to GDPR compliance

10 December 2020

The recent survey results of the Social Housing Barometer 2020 highlighted that housing associations are less concerned with data than in previous years, with only 31% of respondents confirming that data privacy compliance remained in their top five risks. However, with the Information Commissioner's Office (ICO) increasingly issuing fines for data breaches and non-compliance, and with accountability and transparency continuing to be a key focus of the ICO, housing associations should guard against complacency in this area.

The following six themes outline important data privacy considerations in the current climate:

Are you being transparent with individuals about what you are doing with their data, and why?

Housing associations typically process personal data for a diverse range of individuals, so it’s critical that privacy notices accurately reflect data processing activity and are kept up to date. With this in mind, it’s worth reviewing your data processing activities regularly, to ensure that any changes or updates to records of processing are reflected in privacy notices.

Are employees aware of data protection requirements in the new operating environment?

For many, COVID-19 has fundamentally changed the way in which we work, with many housing associations transitioning to a fully remote workforce over a short period of time. This poses significant challenges when ensuring GDPR compliance in the new environment. Training and awareness is key to ensuring that employees fully understand data protection risks and their individual responsibilities when handling personal data. Furthermore, employees should be alert to processes for identifying and reporting data breaches in a home-working environment.

Are you familiar with recent ICO updates regarding the processing of subject access requests?

In October 2020, the ICO issued new, detailed guidance to help organisations respond to data subject access requests effectively and efficiently. The guidance provides greater clarity on stopping the clock, excessive requests, charging for requests and third-party requests. Housing associations, which typically receive a high number of data subject access requests, would be well advised to review the changes and update existing policies and procedures accordingly.

How confident are you of compliance with retention policies?

To comply with the storage limitation principle, organisations must not hold personal data for longer than required. Furthermore, the longer an organisation retains personal data, the greater its exposure in the event of a data breach. Typically, housing associations store large amounts of personal data across multiple systems, some of which may have retention periods automatically built in, whereas others will require a periodic, manual data cleanse. It is therefore important that your organisation has full visibility of personal data held, comprehensive retention policies in place and frequent audits, to ensure retention schedules are adhered to.

Do you have full oversight of organisations that you share personal data with?

The Social Housing Barometer 2020 report highlighted that, owing to the global pandemic, a number of organisations across the sector have changed their procurement practices. In view of this, check that any changes in your procurement procedures do not reduce oversight of third-party data risks. At a time when the rules for transferring personal data outside the EU are changing, it is vital to maintain full visibility of data transfers and to have procedures in place to ensure that contracts include data sharing agreements and data transfer clauses, where appropriate.

Can you evidence on-going GDPR compliance?

Finally, accountability is one of the key data protection principles written into GDPR and the UK Data Protection Act and continues to be a key focus of the ICO. This means that organisations are responsible for complying with data protection regulations and must be able to demonstrate (through documented evidence) continued compliance. It is, therefore, important that your organisation has a fully documented data protection compliance framework and that this is regularly reviewed and tested.

The themes highlighted in this article are based on our experience working with the sector, changes in the European data privacy landscape and the impact of COVID-19. To find out more, or if you would like to discuss any of the topics raised in this article, please contact Christopher Beveridge in our Data Privacy Practice.