SFHA and GWSF Commission TC Young to Produce GDPR Guidance
Guidance will be available to members in January 2018.
With the deadline for compliance with the General Data Protection Regulations fast approaching (25 May 2018), SFHA and GWSF has commissioned TC Young to produce a number of templates for its members to aid with implementation.
This guidance will be available to members in January 2018 and more details about what this will contain is available below.
TC Young is in the process of drafting the following templates and guidance:
Template for personal data map: This can be found in the downloads section to the right of this article, and can be used as a useful starting point in preparation for GDPR. Idesigned for identifying what personal data is retained by the organisation and for what purpose. An example has been filled out (for the HR row) but it is suggested that this be circulated amongst departments for each to complete individually. This will also include consideration of existing arrangements with third party data processors, and will be a useful point of reference when framing the terms of the Fair Processing Notice.
Model Fair Processing Notice: The requirement for this Notice, implemented by the GDPR, is a significant change. All RSLs will require a Notice which allows individual customers to refer to what personal data is held by the RSL, for what purpose(s), where it is stored and what third parties that data is given to. The model Notice will require adjustment by each RSL depending on the activities of the organisation.
Model Privacy Policy: It is likely that RSLs will have a Privacy or Data Protection Policy already, and it may be that an RSL deems it is easier to tweak their existing policy. The Privacy Policy will set out the full terms of a policy which can be adopted by the RSL, or the clauses that can be taken from that style to update their current policy.
Contractual provisions for data processor contracts: RSLs, as data controllers, will require to update the terms of their contractual relationship with third party data processors that they share personal data with. Those contracts will differ – likely substantially – depending on the work undertaken by the third party data processor (i.e. processing payroll or providing an alarm/call system at a sheltered housing complex). The contractual provisions will be provided to cover a range of scenarios and contractual arrangements so that the RSL can select the relevant clause(s). Additionally, Contracts of Employment will require to be reviewed in light of GDPR and model wording will be produced along with the above documentation.
Guidance notes: Given the vast array of work currently undertaken by RSLs, and the customers each RSL has, the above model documentation will require to be specifically adapted to suit each RSL’s own circumstances, taking in to account its range of employees and customer base. Guidance notes will therefore be produced to be read and reviewed alongside the individual documents within the above suite. These Guidance notes will provide information to the RSL drafter when finalising the precise terms of the RSL’s GDPR documentation.
The guidance notes will provide clear instruction when assessing what information from the model documentation requires to be populated within each RSL’s final documentation. The guidance will include advice on identifying a member of staff who will have data management responsibilities where housing associations may not yet have done this, and detail the main policies that RSLs will need to review as part of GDPR implementation.
The SFHA and GWSF aims to have all of these documents finalised and available to members in January 2018. TC Young will also deliver some follow up training on the use of these documents in the new year.