Find out more about our GDPR compliance work for Tower Hamlets Community Housing
With the new EU General Data Protection Regulations (GDPR) coming into force on the 25th May 2018, the process of collecting, storing and processing an individual’s personal data has become increasingly prescriptive. Penalties have increased in severity, with fines now set at a maximum of 20M Euros. Tower Hamlets Community Housing (THCH) consulted Manifest to help ensure that it had a coherent project to become GDPR compliant, ahead of the new legislation coming into force.
The challenge for Manifest was to build a body of evidence across a large range of services that THCH provides to prove their compliance and protect themselves against penalties for data breaches or non-compliance in the future. The complex nature and scale of this project required lengthy and detailed planning, so Manifest’s close collaboration with the client team at THCH was critical.
Manifest had already provided an Interim Head of IT to work in-house at THCH to rewrite its IT strategy, manage outsourced IT Services contracts and progress IT projects which had stalled. During their period of engagement they also took ownership of the GDPR Compliance project and drafted a Business Case, Project Brief, PID and plan along with deliverables, following which the project launched in November 2017.
The scope of the compliance project led Interim Head of IT, Nick Tutt, to begin a recruitment process for a project manager to assist with delivery. With additional support, Nick was able to co-ordinate the delivery of the necessary adjustments across all of THCH services.
Nick organised a data audit for each service within THCH, consisting of interviews with all management staff to establish the processes behind data collection, the type of data to be collected and the purpose for that collection together with the legal basis for it.
The task was complicated by customer data being stored in several different systems and across a number of spreadsheets on network drives. Nick says “The data audit is a slow process, taking several weeks, but it is vital and must be carried out proficiently and conscientiously.”
Nick and the THCH team also reviewed all privacy notices already in place as well as identifying all the company policies, procedures and forms which had implications for the processing of personal data and consequently needed reviewing. All staff undertook GDPR General Awareness training with Management Staff receiving more in-depth training on the regulations and risk identification.
The project also included looking at general data security, access controls & permissions together with disaster recovery arrangements. All THCH contractors, suppliers and partners with whom personal data was shared also had to have contract addendums/agreements issued.
Tower Hamlets Community Housing is now largely prepared for the changes that GDPR has brought. Nick Tutt’s guidance has secured THCH as a compliant organisation with little exposure to risk. Nick says:
“By taking a proactive, risk-based approach, THCH is well placed in terms of being GDPR ready. The systems, processes and controls implemented by Manifest as part of this project will help provide reassurance to some 3000 residents of Tower Hamlets Community Housing that their data is being protected to the highest standards.
There is still more to do, for example maintaining compliance on an ongoing basis; frequently reviewing policies, procedures, education and technical controls under our assurance framework and verifying that these are being followed. GDPR compliance will therefore always be work-in-progress to some degree.”