Tuesday, 20 February 2018

The GDPR – The Basics


The GDPR provides the first shake up in data protection legislation since the Data Protection Act in 1998.
As May 25th 2018 looms large, the responsibilities and requirements of the GDPR have taken on mythical proportions with organisations racing to delete databases, qualify records and appoint Data Protection Officers.
However the GDPR is really about common sense and process and boils down to checks and balances which if properly conducted will mitigate risk, fulfil the requirement to act responsibly and ensure that the data of your residents/ tenants is only used for legitimate purposes.
In simple terms GDPR has real teeth and is there to safe guard the individual, it marks a shift from a general directive to a legal requirement and no matter what happens with Brexit , it will still apply.
The General Data Protection Regulation (GDPR) is a ruling intended to protect the personal data of those who live within the European Union. It will provide a greater level of control to people over their personal data and how it is used.

The central sentiment is that data belongs to the individual and NOT to you – it’s their data not your data.

Depending on the letter you are planning to send then different rules apply. If you are sending out marketing letters and have prepared your database yourself then you should have acquired the relevant permissions. Equally if you have purchased your data then you need to make sure the provider has obtained consent.

When you are processing transactional letters such as invoices or legitimate service information you can usually rely on the legal basis of legitimate interest. Just make sure you keep appropriate records to show that you are relying on the legal basis of legitimate interest for processing this data and that your privacy notices are clear and up to date.


'Controllers' and 'Processors' of data need to abide by GDPR legislation. A controller is responsible for how and why the data is processed, while the processor acts on the controller’s behalf.

You will need to develop technical and organisational measures to demonstrate compliance with GDPR. If you are working with an outsourced data processor you must ensure that you have updated contractual terms.

Get to grips with Data protection impact assessments (DPIAs) which help identify, assess and mitigate or minimise privacy risks with data processing activities. They’re particularly relevant when a new data processing process, system or technology is being introduced and are a handy weapon in the war against cyber crime.

DPIAs also support the accountability principle, as they help organisations comply with the requirements of the GDPR and demonstrate that appropriate measures have been taken to ensure compliance.

Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation's annual global turnover or €10 million – whichever is greater.

The GDPR mandates a DPIA be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”.
Finally you will need an understanding of the changes to data retention and to explore the likely legal grounds for retention of particular data that housing associations commonly require.

An ongoing, regular review will keep everyone on their toes, identify any glitches (and help you sleep at night).

The information in this article is for guidance only and does not constitute legal advice. We will be updating the sector regularly over the coming months and will be happy to answer any questions you may have. Call 01761 416311/ 07834 173288.




No comments:

Post a Comment