I was lucky enough to chair an NHF event recently, and a big thank you to the National Housing Federation for the invite. As always, these events bring up some interesting and certainly topical areas of discussion, and it is one of these I want to look at.
It’s my favourite subject: data. Or, more importantly in this instance, data protection.
Out of the sessions I chaired on the day, I never ever thought I would say that someone had finally made data and data protection sound interesting. And not only that, the legal areas of data protection as well. So, I want to do those responsible for covering this subject the justice of being responsible for initiating this post. The ladies that presented were amazingly well versed in the topic, and didn’t waffle around the issues.
However, it is not the first time data, its protection and the areas of responsibility of a landlord have cropped up in a conference. What is frustrating is that although it is discussed in almost every one I have been to, no sea change in attitude seems to have occurred. So please, come on folks, let’s get to grips with this subject. You will see why shortly. But for now, some basics.
Data. It’s at the core of everything we do. It is responsible for driving your KPIs, your customer services, your day-to-day activities. However, our tenants have likely got little idea as to how poorly data is ‘sometimes’ controlled and managed within their landlord. The board members do not pay enough attention (they don’t!), and yes, you, management teams, have also not paid enough attention over the years. And if anyone wants to challenge this, then please do so. I am always keen to hear of those on top of such things, and ahead of the curve so to speak.
If, however, you are not ahead of the curve, then this has to stop. The reason is really simple. The new General Data Protection Regulation is much wider reaching than the previous Data Protection Directive, and with it comes some serious penalties for not paying attention. If you don’t believe me, here they are:
- Non-compliance: administrative fine of €10m
- or up to 2% of total worldwide turnover
Of course, when it says worldwide we do realise that this does not apply too much in our sector, even though we do wish we had regional offices in Paris and New York.
There are, as we hinted above, some significant changes to data protection rules in the UK, so it’s not a simple matter of just ticking a few boxes. In some cases a lot of work is required. But hold on…
Instead of running to the nearest pub and drowning your sorrows at the prospect of the journey ahead, we urge you to forget about the regulations, the rules and the laws. Yes, that’s right, don’t do what everyone thinks you will do.
First of all, get back to basics. The reason I wanted to write this post is more to do with the preparation you can do instead of the detailed work to ensure compliance. The basics!
You may be asking yourself: Why should we do that?
The answer is that before you are able to run ahead with the detail, get yourself ready to walk. Too many jump into things too far down the journey, instead of starting at the beginning and doing it right.
With this in mind, as you would expect, I am highlighting some areas that your company and its people should follow. Here goes. You should think of the following:
- This can’t be done alone. Create a task force to attack this. You will need a team to address this whole issue of the General Data Protection Regulation. Start team building.
- Perhaps coming from the above, work out who is going to do what, and specifically who will take on the role of the data protection officer. You will also now need to ensure this person has a direct line to the board.
- Treat it as a project, and not something someone is given the task to go away and sort out. Develop the PIDs, project plan, roles and responsibilities and so on. Treat it with the respect it deserves.
- Ensure you educate and inform staff (all staff) as to the role they play, and what these new regulations mean to the company.
- Don’t think you can bury this as a sole IT project.
Some further tasks:
- Document what personal data you hold, where it came from and who you share it with.
- Review contracts and arrangements when sharing data with others, especially third party contractors.
- Review your current policies and procedures in relation to data management and protection.
- Seek help if you need to. This is sometimes overlooked in such areas, but legal help can be a big help.
The points I am trying to make here are the following:
- Up its importance. I believe it will be the most important legal challenge you will have over the next year or so.
- Get senior sponsorship and buy-in.
Do not wait another second. Start it now.
Failing all that, call those lawyers!