GDPR compliance is ultimately the responsibility of the data controller who has collected data belonging to individuals, even if they have entrusted processing of some or all of this data to a data processors.
In this case, a housing association is the data controller who has collected personal data from its customers, e.g. tenants or suppliers. However, the association will in turn employ the services of software providers such as ourselves at Affinity to help you in the running of your business, and this will involve entrusting this personal data to our care. Since the tenants and other data subjects are ultimately your responsibility, you must satisfy yourself that we are trustworthy, i.e. GDPR-compliant.
Any requests from data subjects such as tenants or suppliers must be submitted to and processed by the association as the data controller for these individuals. Any such requests made directly to Affinity will be redirected to the appropriate data controller for consideration.
However, we can provide some guidance on how you can handle the most common requests. You should make it clear to your data subjects that any such requests should be formally submitted to your business either in writing or by email, and set the expectation on the response time.
Amending incorrect information
This is achieved within our products by simply updating the relevant contact information on the record in question, e.g. a tenant or supplier contact details form.
Requests for data to be erased / forgotten
Not all requests to be forgotten need to be processed fully; it depends on whether you have a legitimate legal basis for retaining some or all personal data which supersedes the data subject's erasure request.
The most obvious example is a tenant or supplier asking to have his personal details removed from your system since he is no longer a customer. However, if you have issued invoices to, received invoices from, or collected payments from this individual then you have a valid legal basis to retain some personal data so you can correlated invoices to this person for accounting purposes.
A compromise may be to remove that data which is now redundant, e.g. email addresses, phone numbers, registration details, bank accounts, date of birth, and perhaps even postal addresses, but retain either the contact name or some form of reference identifier which allows your business to match invoices and payments to the individual if required.
Access to data stored on an individual
This information should be made available to the requesting data subject in an electronic format within a reasonable period, typically 30 days, free of charge.
You may retrieve the pertinent information directly from the tabs on the relevant record, e.g the tenant tabs or reports, and copy and paste this into a spreadsheet. Alternatively, provided you have the access privileges, you can export this data in CSV format via Admin > Export and filter and extract the data belonging to the data subject in question, again preparing this in a spreadsheet format for maximum portability.