DATA MANAGEMENT Flashcards

(32 cards)

1
Q

Are you aware of any RICS guidance on AI

A

Yes, the RICS have recently published a new guidance note on AI which will be effective from March 2026

2
Q

What does the UK GDPR state about the processing and collection of data from individuals

A

Individuals have the right to be informed. You must provide them with privacy information at the time you obtain their data

3
Q

How do you keep personal data secure

A
  • Authenticated access to systems
  • Two factor authentication
  • Encryption
  • Ensure integrity of data collection systems
  • Continually evolve and test systems
4
Q

Who is responsible for DPA/GDPR compliance within a business

A

Data Protection Officer (DPO)

5
Q

What are the principles of UK GDPR

A

There are SEVEN:
(1) Lawfulness, fairness and transparency
(2) Integrity and confidentiality (security)
(3) Accuracy
(4) Data minimization – only collect it when you need.
(5) Purpose Limitation – be specific about the purpose of the data collection
(6) Accountability – record and prove compliance
(7) Storage Limitations – store data for a necessary limited period and then erase

6
Q

What are the requirements under UK GDPR for data storage limitation and data minimisation

A

Data storage - data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed

Data minimisation - data must be accurate, relevant and limited to only what is necessary

7
Q

What are the penalties for non-compliance with GDPR

A

Can be up to the greater of: 4% of the global turnover at the company; or £17.5m

8
Q

What are the punishments for breaking an NDA

A

Civil - the party that was harmed by the breach can take legal action to enforce the agreement and seek damages for losses incurred

9
Q

What are the 8 individual rights under UK GDPR

A
  • Right to Access
  • Right to be informed
  • Right to Object
  • Right to Erasure
  • Right to Rectification
  • Right to restrict processing
  • Right to data portability
  • Right to automated decision making and profiling
10
Q

Explain the key principles of the Data Protection Act 2018

A
  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified and legitimate purposes
  • Accurate
  • Not transferred to countries with less info than your own
11
Q

What is a SAR

A

Subject Access Request. Demand that the individual be given all the information that a company holds on them.

12
Q

How long does Christie & Co store data

A

For a minimum of 6 years, we store hard data for 8 years and electronic data in perpetuity although are considering reducing this to 15 years.

This is because negligence claims can be brought against the company 6 years after a loss is suffered which can be over 10yrs from the date of valuation. I note that the Limitation Act 1980 has a long-stop limit of 15 years from the date of the negligent act or omission.

13
Q

What are the responsibilities of data users under the legislation

A
  • To process data lawfully, fairly and in a transparent manner
  • To only collect data for a specified and legitimate purpose
  • To ensure data is Accurate
  • Not to transfer data to countries with less info than your own
14
Q

Give an example how Christie and Co are compliant with UK GDPR and the Data Protection Act

A
  • Fair Processing Notice on our website (Right to be Informed)
  • When distributing marketing emails there is a clearly identifiable unsubscribe option (Right to be Informed)
    -Privacy notice when we collect data
15
Q

L3 - Take me through the new process

A

A new ready-made group valuation template in Excel that is automated in terms of summarising the valuation and consolidating the individual property accounts

16
Q

What is GDPR

A

General Data Protection Regulation: Comprehensive data protection law that covers the collection, processing and storage of data. First introduced in the EU in 2018

17
Q

What is secondary data

A

Data that is collected from a third party source

18
Q

How do you ensure that data is collected accurately

A

Use clear and structured forms, verify data at the point of entry, regular reviews and data audits

19
Q

What are NDAs and why are they used

A

Non-Disclosure Agreement - a legally enforceable contract between two parties relating to sensitive information

20
Q

Why is it important to test data processes

A

To ensure the accuracy of the data

21
Q

What are the limitations of secondary data

A

We cannot verify the accuracy of the data as we did not collect it ourselves

22
Q

What is personal data

A

Data from which an individual could be personally identifiable (e.g. name, DoB, etc.)

23
Q

Comparable collection

L2 - What types of transactions were you looking for

A

Freehold and Leasehold pharmacy and dental transactions

24
Q

L2 - How do you prevent being sent personal information from Clients?

A

Within my requesting information email when undertaking a valuation where I will be required to analyse staffing schedules, I stress the importance of removing the Personal Information (staff names) and put the text in RED to stress the importance

25
Q

L2 - How do you react when you are sent personal staffing information?

A

I make sure to delete it immediately. I then contact the client to confirm I have deleted the personal information and then request that any personal information is redacted and resent in a new format.
26
Q

When did UK GDPR come into effect

A

The original GDPR came into effect in the UK on May 25, 2018, alongside the Data Protection Act 2018. Following Brexit, the UK adopted its own version, the UK GDPR, which took effect on January 1, 2021, to replace the EU's GDPR for the UK.
27
Q

You say you know the limitations of using secondary data, what are these?

A

Its **quality and accuracy are difficult to verify** because the collection methods are unknown. Other limitations include **lack of control over the data's credibility**, potential for bias, and data that may be incomplete or incompatible
28
Q

Why do you cross check data with Companies House and Land Registry?

A

Provides a comprehensive view of a company's ownership, assets, and financial health for robust due diligence, risk mitigation, and fraud prevention. Companies House records business information, while the Land Registry documents property ownership
29
Q

What makes some financial data sensitive?

A

Financial data is sensitive because its exposure can lead to identity theft, fraud, and significant financial loss for both individuals and organizations - **IN THE WRONG HANDS**
30
Q

You mention the importance of removing personal details from information. It is not necessarily bad to hold personal data, *what principle dictates your decision making regarding personal data?*

A

The UK's GDPR - **Data minimization:** Only the minimum amount of personal data necessary for the intended purpose is collected and stored.
31
Q

What are the risks of holding unnecessary personal information?

A

Risks range from identity theft and personal danger to financial loss, reputational damage, and threats to national security.
32
Q

What GDPR principle related to your decision to use an encrypted storage system?

A

Related to the principle of **Integrity and Confidentiality (security)**. Encryption is a key technical measure for protecting personal data and demonstrating compliance with this principle.