How digital-first referencing helps ensure GDPR compliance

Gone are the days when applicants had to send in paper documents which could be left lying around in the open, or when there was the risk of leaving a passport in a scanner somewhere. Those things are no longer possible when working in a digital-first manner in tenant referencing - making it much easier to stay GDPR compliant in our day-to-day activities.

At Vouch, we've been cloud-based since the beginning. We structured our business model and operational approach around a secure online environment. All the data that we handle is fully encrypted, which gives us, and our customers, confidence that it won't be compromised.

When we moved to remote working, we put a couple of extra security measures in place - such as two-factor authentication for our cloud-based systems and emails - but our entire infrastructure was already set up for remote working. We could do exactly what we were doing in the office, from home.

As a referencing company, we're potentially collecting more data than companies in other industries, as we're performing credit checks and verifying identities, but all software-based companies have to take the same steps as us to ensure personal data is handled correctly.

Steps to stay compliant

The principles of GDPR compliance remain the same regardless of the industry you're in. As long as due diligence is done in creating secure systems, and research is done into how and what data is collected and stored, you'll be mitigating the risk of a data breach.

When considering GDPR, you should evaluate all the data that you collect, then map it out. We look through the data sets at Vouch to make sure that we have enough to do our job, and for our software to work correctly. You shouldn't be collecting more data than you need to deliver your business's primary function.

The next stage is making sure that you receive that information in a secure way. We did our due diligence when we developed our systems to make sure they're all compliant with industry standards and protocols, so we can collect your applicants' information safely.

Then, we store all the data we collect as securely as possible, so it can't be compromised. After that, it's all about your retention policy. We analyse how long we need to keep that data for it to perform its business function, and then remove it from our system once we no longer need it.

Digital-first to sidestep human error

With a digital-first approach, the majority of the referencing personal data we collect is sent directly through our software, not through our staff. For example, all payment details are securely processed by our trusted partners and never enter our system. All the information we do store is encrypted to industry standard.

The only time that members of our staff are exposed to sensitive information is when they need to get in contact with someone to chase something up, for example. There's GDPR training in place for employees who are in contact with you or your applicants, such as the support department or account managers, but no one sees the majority of the data collection and processing.

All of these steps combine to help us mitigate any data protection risks in referencing, with a digital-first approach being the best way to set ourselves up as a fully GDPR compliant business.