After more than a year of build-up, the EU General Data Protection Regulation (GDPR) is now in force. But the real journey for the housing sector is only just beginning, as Daniela Flores, in-house counsel and GDPR Officer at heat network metering, billing and payment specialist Insite Energy, explains.
The deadline of 25 May certainly created a sense of urgency, but the scope of GDPR extends far beyond this first milestone.
Forward-thinking housing associations and local authorities are well aware of this and, rather than seeing it as an administrative nightmare or tick-box exercise, are focused on the bigger picture, where data protection flows through operations at every level and is an important part of corporate values. In this context, it is not just a legal necessity but crucial to protecting and maintaining a business – so it needs to be taken seriously.
At Insite Energy, we manage metering, billing and payment services for heat networks, which involves processing an enormous volume and detail of data on behalf of our clients. With over 180 communal heating schemes and 20,000 units, putting an effective GDPR strategy in place has therefore been a priority.
We believe that now is the ideal time to reflect on what has been achieved so far, identify where to make improvements and define the shape of things to come.
Rules of engagement
In the rush to take action many organisations showed themselves to be confused about a number of different aspects of GDPR.
A basic principle of GDPR is consent. From the volume of emails sent out the day before GDPR came into effect, I suspect many believed this to be the only legal basis for processing personal data. But this is not the case.
For our clients in the housing sector, it is sufficient to provide tenants with an agreement with suitable data protection clauses, as well as a privacy notice setting out how data is used and the legal basis for processing it. As a contractual relationship, additional “consent” is not needed.
What they also need to be clear on, however, is that they are responsible for all contractor compliance: everyone in the contractual chain must be compliant before any personal data is transferred to a third party.
The role of Data Protection Officer (DPO) also needs to be fully understood. Many organisations appointed one “just in case”, without knowing whether they had a legal obligation to do so. While it may have seemed prudent to take such action, there is actually a lot more to it than simply giving someone a title.
The company must, for example, ensure the DPO has expertise in data protection law and practices, as well as a complete understanding of the IT infrastructure, technology and organisational structure. It can, in theory, appoint an existing employee – but only if their other responsibilities do not interfere with their ability to perform the role of DPO. An internal appointment such as this could also raise issues with confidentiality and conflict of interest, so it would be essential for the business to put relevant policies in place.
Last but not least, it’s important to know that neither the controller nor processor can instruct the DPO on how to do their job – in fact, the role must report to the highest level of management. In addition, the DPO cannot be dismissed or penalised for performing their duties. They must have adequate resources to carry out assigned tasks, and so the list goes on. With so much to consider, if a company is under no legal obligation to appoint a DPO, they should think very carefully before doing so.
The fear of hefty fines from the Information Commissioner’s Office (ICO) for non-compliance was behind much of the reactive response to GDPR. Of course, this threat is still very much present, making it more important than ever that organisations adopt an effective long-term strategy to reduce the risk of any infringements. There are a number of steps to think about, such as:
- Cyber security: Ensure software is updated and patched regularly to avoid weak spots for hackers to exploit. Achieving Cyber Essentials certification will also demonstrate IT security to government standards.
- Risk assessments: Carry out vulnerability reviews to address any changes or new threats to data protection. Consider all aspects, such as data storage and remote access for employees. Personal data should at least be encrypted – and this includes work laptops.
- Staff training: Enrol all staff on a GDPR course to ensure everyone is aware of key compliance obligations and handles data appropriately. Awareness of sensitive data and security should be part of a company’s culture.
- Breach detection, investigation and reporting procedures: The ICO has very useful guidelines on this, but we all have to realise that human error is always a risk.
- Formal accreditation: Although there is as yet no certification specifically dedicated to GDPR, organisations looking for the next level of accreditation should consider ISO27001.
Clarifying these issues and putting correct processes in place is only part of the GDPR story. To think otherwise would be a mistake. It is now a real-time legal framework that will develop as new practices and technologies emerge. Organisations will need to constantly re-evaluate practices against these changing circumstances to ensure ongoing compliance.
The ones who will thrive in this new age of data protection are those that see it as an opportunity, rather than a constraint. We know that consumers are more inclined to share data with organisations they trust – and isn’t transparency what GDPR is all about?