5 things housing associations should be considering now in relation to GDPR compliance

The Information Commissioner’s Office (ICO) is increasingly administering fines for data breaches and non-compliance, and with accountability and transparency continuing to be a key focus of the ICO, housing associations should caution against complacency in this area.
The following five themes outline important data privacy considerations for housing associations:
Are you being transparent with individuals about what you are doing with their data, and why?

Housing associations typically process personal data for a diverse range of individuals, so it’s critical that privacy notices accurately reflect data processing activity and are kept up to date. With this in mind, it’s worth reviewing your data processing activities regularly, to ensure that any changes or updates to records of processing are reflected in privacy notices.

Are your employees aware of data protection requirements in the new operating environment?

For many, COVID-19 fundamentally changed the way in which we work, with many housing associations transitioning to a fully remote or hybrid workforce. This poses significant challenges when ensuring GDPR compliance in the new environment. Training and awareness is key to ensuring that employees fully understand data protection risks and their individual responsibilities when handling personal data. Furthermore, employees should be alert to processes for identifying and reporting data breaches across different environments.

How confident are you of compliance with retention policies?

To comply with the storage limitation principle, organisations must not hold personal data for longer than required. Furthermore, the longer an organisation retains personal data, the greater its exposure in the event of a data breach. Typically, housing associations store large amounts of personal data across multiple systems, some of which may have retention periods automatically built in, whereas others will require a periodic, manual data cleanse. It is therefore important that your organisation has full visibility of personal data held, comprehensive retention policies in place and frequent audits, to ensure retention schedules are adhered to.

Do you have full oversight of organisations that you share personal data with?

Following the global pandemic, a number of organisations across the sector changed their procurement practices. In view of this, be mindful to check that any changes in your procurement procedures do not reduce oversight of third party data risks. With the rules for transferring personal data outside the UK and EU constantly changing, it is vital to maintain full visibility of data transfers and have procedures in place to ensure that contracts include data sharing agreements and data transfer clauses, where appropriate.

Can you demonstrate ongoing GDPR compliance?

Finally, accountability is one of the key data protection principles written into GDPR and the UK Data Protection Act and continues to be a key focus of the ICO. This means that organisations are responsible for complying with data protection regulations and must be able to demonstrate (through documented evidence) continued compliance. It is, therefore, important that your organisation has a fully documented data protection compliance framework and that this is regularly reviewed and tested.

The themes highlighted in this article are based on our experience working with the sector and changes in the UK and European data privacy landscape.

If you would like to discuss any of the topics raised in this article, or want our help in managing your data compliance, please contact Christopher Beveridge in our Data Privacy Practice.