Digital Transformation can improve customer experience, reduce costs, and drive sustainable growth. It’s not easy, though, with so many moving parts and opportunities for things to go wrong.
But there is something that many people see as an obstacle, that with a little help, can be turned into your greatest asset for completing a smooth and effective digital transformation project.
That thing is the (UK)GDPR. I particularly want to talk about using it as an asset in social housing digital transformation projects. The concepts can be applied to other sectors too.
First of all, let’s look at why the (UK)GDPR is often seen as an obstacle in data-related projects.
GDPR is widely misunderstood
In my work with clients, and in the housing sector, I see lots of evidence that the GDPR, and Data Protection in general, is widely misunderstood. This is to be expected, as the name itself is so misleading. Data “Protection” – it sounds like we can collect, use, analyse, etc. data in any way we want, as long as we stick to protecting it, keeping it secure.
Which leads to the misunderstanding that data security – encryption, firewalls, ransomware protection, and so on – is the key requirement for compliance with the (UK)GDPR.
IT teams are the experts on these measures, and so project managers may feel they’re complying by involving the IT team in the digital side of the project, and that speaking to the data protection officer (DPO) or DP team will only slow down progress, because they’ll just go over the same ground again.
However, this is a common myth about data protection. The “protection” part actually starts much earlier in any process or project, as the fundamental aim of DP law is to protect people from harm caused by their data being handled in a way that is unfair.
The social housing sector is also committed to treating people fairly, and fulfilling its social purpose, but misunderstanding the scope of data protection means we see housing providers falling short of this, especially when using new digital technologies or launching other projects.
So, what are the GDPR Principles, if it’s not just about security?
Data Protection is about treating people fairly when handling their data, but it starts before we collect even one piece of data.
Of the 6 GDPR Principles – the golden rules that govern the handling of personal data – 5 of the 6 relate to the purpose for which the data is being held, and only 1 out of 6 relates to security.
Purpose should be the guiding light, the north star, when handling personal data, and most projects (in housing, but also many other sectors) will involve at least some handling of personal data.
But before we go any further, let’s bust another couple of myths. It’s important to remember that:
- There is no such thing as GDPR-compliant data, and
- There is no such thing as GDPR-compliant software.
It would be so much simpler if data and software could be GDPR-compliant!
But it’s more complex than that.
Regarding “compliant data”, whilst there are some standards under the (UK)GDPR that the data itself should meet, it doesn’t matter what state the data is in if the purpose for which it’s being used, and the way it’s being used, aren’t both compliant too.
For example, under the (UK)GDPR, data should be accurate and up to date, but no matter how accurate the data is, if it’s being used to treat people unfairly, it’s unlawful, full stop.
Side note: this is another thing that often causes surprise. Accuracy and timeliness are often regarded as “Data Quality” rather than Data Protection, but they’re actually both.
The (UK)GDPR can also signpost us towards what “unfair” treatment of people might look like, and at CP Data Protection we have created a process that brings this to life, as some unfair treatment is not always obviously unfair.
So, now we know what the GDPR does, and doesn’t do, how can we use it as an asset in digital transformation and other projects?
How GDPR can be your biggest asset in digital transformation & similar projects
Any large project needs a clear purpose. Otherwise, why undertake the changes?
The purpose of the project should of course align with the organisation’s purpose, so that precious resources are put to the best use. This is more important now than ever in the housing sector.
The project planning phase is essential. In that planning phase, keeping the focus on the purpose of the overall organisation and the project will help to ensure that money, time, and energy are only spent on actions that will help fulfil a valid purpose.
Side note: if you work in housing and think you have a project that doesn’t have anything to do with personal data, please let me know! In my experience, any project that relates to employees, customers, or even assets, is likely to involve data linked to people in some way, but it’s not always acknowledged.
The GDPR, being grounded in purpose, gives us a framework for identifying and stress-testing the purpose of a project, or any smaller part of a project.
It might not be immediately obvious that the GDPR does that, so we’ve developed a process at CP Data Protection to help project teams, managers and stakeholders to:
- identify the purpose of a project, then
- stress-test to ensure that it’s a valid purpose, and
- confirm if it’s worth proceeding with the project even with the risks and costs involved.
By asking three simple questions – that are based on just two key words! – we can help you understand the purpose and value of your projects.
Those two key words are “why?” and “how?” and there’s a link at the bottom of this article to a very short 72-second video about the 3 questions we ask. Asking the questions is facilitated through tools we’ve developed, but the video explains the process at a high level.
That’s just the first part of the framework that we can derive from the GDPR, making the GDPR an asset to digital transformation and other data-related projects.
Regarding the widely-pushed myth of “compliant software” (pushed by vendors of course), while there are things that software can do to help support your compliance, no software solution can make your processing compliant. As we’ve discussed, there are so many aspects of data protection compliance that software can’t possibly “fix” them all.
The (UK)GDPR, though, again gives us a framework to ensure we avoid certain risks related to software. Security is of course crucial, but as above, it is not the only important aspect of using software.
We don’t want to disregard the security measures in the software, but there are many more knowledgeable people than me to talk about technological security.
Instead, what I’d like to highlight here is the fact that the GDPR also guides us towards reducing other risks related to the use of software.
Even if we have a great relationship with the software vendor, we are placing a massive amount of trust in them by giving them the huge responsibility of storing our data. How can we control that risk?
By carrying out due diligence on the vendor, by entering a contract that works fairly for both parties (including controlling where the data can be stored), and by continuing to monitor the vendor’s compliance with the contract terms.
In large projects, your purchasing or procurement team is likely to be involved, and to have a hand in ensuring these things happen – due diligence, contract, and contract management.
But for smaller projects, or in smaller organisations without these teams, it is just as important to implement them, and these requirements are actually laid out in the GDPR, thereby giving us something to hang that requirement on. It even spells out exactly what terms should be in the contract in order to protect the buyer from data-related issues that a vendor can cause.
So there we have just two of the key ways that the GDPR can be our biggest asset in digital transformation work and other data-related projects:
- Helping us identify and stress-test the purpose and value of projects or parts of projects, and
- Protecting us from the risks involved in entrusting our data to software vendors.
There are other gifts hidden in the (UK)GDPR too, that help to increase customer trust, and help us to reduce the costs (and risks) of hoarding irrelevant data. (These may feature in future articles!)
Introducing “Purpose & Data Alignment”
We have developed a framework that can be applied to every aspect of your organisation’s work with data, to achieve, as we describe it, “Purpose and Data Alignment” (PADA). The six-part PADA framework contains all the ingredients from the GDPR to create a robust data strategy, from project level, to organisation-wide.
It starts with purpose, as discussed here, and goes through responsibilities, risk management, “baking-in” data protection to procedures, communication & training, and finally to continual monitoring & improvement.
Subscribe to the CP Data Protection emails and receive a free copy of the Purpose & Data Alignment (PADA) Monitoring Report template, which combines all the aspects of the framework described, and helps to focus your organisation on increasing the value from data-related projects and reducing the risks.
The framework can be applied to just one process or project, or to the whole organisation, in turn building trust and helping your organisation fulfil its overall purpose.
If we’re not already connected, find me on LinkedIn through this link: