Data management

Question 1

What is the maximum fine for a GDPR breach?

Answer 1

Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.

Question 2

What are subject access requests?

Answer 2

A request for disclosure of all (or some) of the personal data we hold of someone. Generally includes name, address, DOB, passport details, utility bill, credit card info.
Simple request from client for contact details we hold from them should not be counted as an SAR
SAR should be referred to DPO asap, 1 calendar month to respond.

Question 3

What is CJ’s procedure for reporting and managing a data breach?

Answer 3

Loss must be reported immediately to line manager and either Head of IT or the DPO.

1. Where there is a risk that there has been a loss of personal or commercial data then the member of staff/Partner involved must advise IT and/or Compliance as soon possible providing details of
   what has occurred. Do not discuss this with anyone else other than your immediate Line Manager until cleared to do so by the Head of IT or the DPO.
2. IT/Compliance will review the circumstances and will identify any immediate containment or damage limitation steps that may be appropriate.
3. Compliance will update the Data Breach Log and IT will log the loss of any equipment. The Police may be advised if appropriate eg. Break into an office or vehicle.
4. IT/Compliance will assess the risk and determine who needs to be involved and what the next steps should be. The risk assessment will take into account:
   a. The type and quantity of data involved and who it relates to eg. Clients, staff, suppliers.
   b. Risk mitigating factors eg. Encryption on equipment.
   c. What has happened – is it a loss of a single file or a mass mailing to lots of recipients.
   d. What harm could be done with the data eg. Is it just names and addresses or does it include more detailed information such as dates of birth or bank account details?
5. Depending on the risk assessment it may necessary to involve other areas of the business eg. Marketing, PR, Division Head/local team to assist with developing and implementing the response
   plan.
6. The impacted individuals may be advised of the data breach to enable them to take steps to protect themselves. The notification will include details of how and when the breach occurred, what data is involved and what steps have been taken to limit the damage. This notification will be prepared and approved jointly by the incident response team led by IT/Compliance.

Question 4

How do you manage data securely?

Answer 4

I use a document management system to store files and emails, I undertake regular training to ensure best practice. I always double check who an email is addressed to before sending.

Question 5

What is your understanding of GDPR?

Answer 5

General Data Protection Regulation - toughest privacy and security laws in the world

Question 6

What Act applies to data protection?

Answer 6

The Data Protection Act 2018

Question 7

What types of data are there?

Answer 7

Personal, sensitive personal information and privileged information

Question 8

What rights to individuals have in relation to data protection?

Answer 8

• be informed about how your data is being used
• access personal data
• have incorrect data updated
• have data erased
• stop or restrict the processing of your data
• data portability (allowing you to get and reuse your data for different services)
• object to how your data is processed in certain cirmustances

Question 9

What is EDM?

Answer 9

Electronic Document Management

Question 10

Who would usually own the copyright of a valuation report?

Answer 10

The surveyor, the client is licensed to copy it in connection with the purpose

Question 11

Who does the Data Protection Act 2018 apply to?

Answer 11

Data controllers and processors

Question 12

Could a PI claim be based on lost or corrupted data?

Answer 12

Yes