Digital Transformation can improve customer experience, reduce costs, and drive sustainable growth. Many housing providers are embarking on transformation projects, and this is likely to increase following the release of the Better Social Housing Review Report, and more recently the Housing Ombudsman’s Spotlight Report on Knowledge & Information Management (KIM).
Undertaking any sort of transformation is never easy, though, with so many moving parts and opportunities for things to go wrong.
But there is something that many people see as an obstacle that, with a little help, can be turned into your greatest asset for completing a smooth and effective digital transformation project.
And you might be surprised to hear that thing is the (UK) GDPR!
When you look past the idea that the GDPR is all about tricky compliance rules and potential fines, at its heart it is a framework for any business with a strong purpose. The most important word in the GDPR is Purpose, and social housing is all about purpose too.
In this blog post I talk about using that framework as an asset in social housing digital transformation projects, but the concepts can be applied to other sectors and other projects too.
This was also the topic of my presentation to Golden Marzipan’s Breakfast Briefing on 9th June 2023, and you can see the slides by clicking here.
First of all, let’s look at why the (UK)GDPR is often seen as an obstacle in data-related projects.
GDPR is widely misunderstood
In my work with clients, and in the housing sector, I see lots of evidence that the GDPR, and Data Protection in general, is widely misunderstood. Which is to be expected, as the name itself is so misleading. Data “Protection” – it sounds like we can collect, use, analyse, etc. data in any way we want, as long as we stick to protecting it, keeping it secure.
Which leads to the misunderstanding that data security – encryption, firewalls, ransomware protection, and so on – is the key requirement for compliance with the (UK)GDPR.
IT teams are the experts on these measures, and so project managers may feel they’re complying by involving the IT team in the digital side of the project, and that speaking to the data protection officer (DPO) or DP team will just slow down progress, because they’ll just go over the same ground again.
However, this is a common myth about data protection. The “protection” part actually starts much earlier in any process or project, as the fundamental aim of DP law is to protect people from harm caused by their data being handled in a way that is unfair.
The social housing sector is also committed to treating people fairly, and fulfilling its social purpose, but misunderstanding the scope of data protection means we see housing providers falling short of this, especially when using new digital technologies or launching other projects.
So, what are the GDPR Principles, if it’s not just about security?
Data Protection is about treating people fairly when handling their data, but it starts before we collect even one piece of data.
Of the 6 GDPR Principles – the golden rules that govern the handling of personal data – 5 relate to the purpose for which the data is being held, and only 1 relates to security.
Purpose should be the guiding light, the north star, when handling personal data, and most projects (in housing, but also many other sectors) will involve at least some handling of personal data.
But before we go any further, let’s bust another couple of myths. It’s important to remember that:
- There is no such thing as GDPR-compliant data, and
- There is no such thing as GDPR-compliant software.
It would be so much simpler if data and software could be GDPR-compliant!
But it’s more complex than that.
Regarding “compliant data”, whilst there are some standards under the (UK)GDPR that the data itself should meet, it doesn’t matter what state the data is in if the purpose for which it’s being used, and the way it’s being used, aren’t both compliant too.
For example, under the (UK)GDPR, data should be accurate and up to date, but no matter how accurate the data is, if it’s being used to treat people unfairly, it’s unlawful, full stop.
Side note: this is another thing that often causes surprise. Accuracy and timeliness are often regarded as “Data Quality” rather than Data Protection, but they’re actually both.
The (UK)GDPR can also signpost us towards what “unfair” treatment of people might look like, and at CP Data Protection we have created a process that brings this to life, as some unfair treatment is not always obviously unfair.
So, now we know what the GDPR does, and doesn’t do, how can we use it as an asset in digital transformation and other projects?
How GDPR can be your biggest asset in digital transformation & similar projects
Any large project needs a clear purpose. Otherwise, why undertake the changes?
The purpose of the project should of course align with the organisation’s purpose, so precious resource is being put to the best use. This is more important now than ever in the housing sector.
The project planning phase is essential. In that planning phase, keeping the focus on the purpose of the overall organisation and the project will help to ensure that money, time, and energy are only spent on actions that will help fulfil a valid purpose.
Side note: if you work in housing and think you have a project that doesn’t have anything to do with personal data, please let me know! In my experience, any project that relates to employees, customers, or even assets, is likely to involve data linked to people in some way, but it’s not always acknowledged.
The GDPR, being grounded in purpose, gives us a framework for identifying and stress-testing the purpose of a project, or any smaller part of a project.
It might not be immediately obvious that the GDPR does that, so we’ve developed a process at CP Data Protection to help project teams, managers and stakeholders to:
- identify the purpose of a project, then
- stress-test to ensure that it’s a valid purpose, and
- confirm if it’s worth proceeding with the project even with the risks and costs involved.
By asking three simple questions – that are based on just two key words! – we can help you understand the purpose and value of your projects.
Those two key words are “why?” and “how?” and the three questions are structured around these two words.
That’s just the first part of the framework that we can find in the GDPR, that makes the GDPR such an asset to digital transformation and other data-related projects.
Regarding the widely-pushed myth of “compliant software” (pushed by vendors of course), while there are things that software can do to help support your compliance, no software solution can make your processing compliant. As we’ve discussed, there are so many aspects of data protection compliance that software can’t possibly “fix” them all.
The (UK)GDPR though, gives us a framework again, to ensure we avoid certain risks related to software. Security is of course crucial, but as above, it is not the only important aspect of using software.
We don’t want to disregard the security measures in the software, but there are many more knowledgeable people than me to talk about technological security.
Instead, what I’d like to highlight here is the fact that the GDPR also guides us towards reducing other risks related to the use of software.
Even if we have a great relationship with the software vendor, we are placing a massive amount of trust in them, by giving them the huge responsibility of storing our data. How can we control that risk?
By carrying out due diligence on the vendor, by entering a contract that works fairly for both parties (including controlling where the data can be stored), and by continuing to monitor the vendor’s compliance with the contract terms.
In large projects, your purchasing or procurement team is likely to be involved, and have a hand in ensuring these things happen – due diligence, contract, and contract management.
But for smaller projects, or in smaller organisations without these teams, it is just as important to implement them, and these requirements are actually laid out in the GDPR, thereby giving us something to hang that requirement on.
The GDPR even spells out exactly what terms should be in the contract in order to protect the buyer from data-related issues that a vendor can cause.
So there we have just two of the key ways that the GDPR can be our biggest asset in digital transformation work and other data-related projects:
- Helping us identify and stress-test the purpose and value of projects or parts of projects, and
- Protecting us from the risks involved in entrusting our data to software vendors.
There are other gifts hidden in the (UK)GDPR too, that help to increase customer trust, and help us to reduce the costs (and risks) of hoarding irrelevant data.
The Hive Live; Blocker to Builder
We’ll be exploring ideas for using the GDPR in your Data strategies at our very first conference, The Hive Live on 25th September.
The event is for everyone working with data (i.e. everyone!) not just Data Protection professionals. As the Housing Ombudsman stated in the Spotlight on KIM report ‘senior leaders [need to be] clear about the importance of Knowledge and Information Management (KIM), and their standards and expectations.’
The Hive Live aims to bring Data Protection professionals and experts in other areas of business together, instead of working in silos, in a day of sharing knowledge, listening, learning, planning, and meeting friends old & new, in the interactive & engaging sessions. There is never enough time for networking when we meet with like-minded and similarly enthusiastic professionals in the worlds of housing and data, so this event is largely interactive, or you can of course choose to observe instead, if that’s more your style; there is no pressure to do anything you’re not comfortable with.
Find all the details here: The Hive Live; Blocker to Builder
Introducing “Purpose & Data Alignment”
At CP Data Protection, we have developed a framework that can be applied to every aspect of your organisation’s work with data, to achieve, as we describe it, “Purpose and Data Alignment” (PADA). The six-part PADA framework contains all the ingredients from the GDPR to create a robust data strategy, from project level, to organisation-wide.
It starts with purpose, as discussed here, and goes through responsibilities, risk management, “baking-in” data protection to procedures, communication & training, and finally to continual monitoring & improvement.
The framework can be applied to just one process or project, or to the whole organisation, in turn building trust and helping your organisation fulfil its overall purpose.