Data Management L3

Question 1

What is GDPR?

Answer 1

EU General Data Protection Regulation

Question 2

What is the purpose of GDPR?

Answer 2

Protect citizens personal data

Question 3

What constitutes personal data?

Answer 3

Any information related to a person or ‘Data Subject’ that can be used to identify a person EG names, photo, email address, bank details etc

Question 4

Examples of personal data under GDPR that could apply to property companies?

Answer 4

• Tenant information
• Client information
• HR - background checks, payroll and employee information
• Customer data for marketing
• Also, data relating to investors, fund managers, valuations, compliance

Question 5

To what organisations does GDPR apply?

Answer 5

The UK GDPR applies to ‘controllers’ and ‘processors’.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.

Question 6

What are penalties for GDPR breaches?

Answer 6

4% of annual global turnover up to 20 million euros

Question 7

What is the ‘right to access’ under GDPR?

Answer 7

Individuals have the right to obtain confirmation that their data is being processed, and access to their personal data

Question 8

What is a breach notification under GDPR?

Answer 8

• Need to report within 72 hours of becoming aware of breach
• If breach high risk, then need to notify individual without delay

Question 9

How are data breaches typically discovered?

Answer 9

Access logs, reported thefts, lost equipment or data security incident

Question 10

How have consent conditions been strengthened under GDPR?

Answer 10

• Consent must be given using plain and clear language
• Must be as easy to withdraw consent as it is to give it

Question 11

What is ‘right to be forgotten’ under GDPR?

Answer 11

Under Article 17 of GDPR, individuals have right to have personal data erased in certain circumstances where…
- Data no longer necessary
- Data been processed unlawfully

Question 12

What is data portability?

Answer 12

Right for data subject to receive personal data concerning them which they have previously provided, and have it transmitted to another controller

Question 13

What is privacy by design?

Answer 13

• Legal requirement under GDPR
• Calls for inclusion of data protection from onset of designing systems, rather than as addition

Question 14

What is data protection officer?

Answer 14

• An individual appointed to monitor internal compliance and advise on an organisations data protection obligations
• Only required if organisation is public body, authority or carrying out certain type of processing activity

Question 15

Examples of data held by surveying practices?

Answer 15

• Payroll and HR
• Customer data for marketing
• Emails and correspondence relating to clients and employees

Question 16

What are obligations imposed by GDPR?

Answer 16

• Must have knowledge of data you store and process
• Need to be able to provide information on how data is used and the rights of individuals regarding their data
• Need to be able to demonstrate data is being managed in compliant manner
• Must be able to delete every instance of an individuals data in compliance with ‘right to be forgotten’
• Must keep data in format that allows portability to another data processor, should the need arise

Question 17

Who regulates GDPR in the UK?

Answer 17

Information Commissioners Office

Question 18

RICS best practice points for complying with GDPR?

Answer 18

• Conduct data review
• Anonymise data where possible
• Encrypt everything where possible
• Treat commercial data in same way as personal data, even though not covered by GDPR

Question 19

What are your company’s policies for data protection breaches?

Answer 19

Report to line manager or Data Protection Officer within the firm

Question 20

RICS recommendations for using confidential information?

Answer 20

• Document purposes for which you are allowed to hold information
• Keep record of consent for processing, storage and retention
• Check if you have appropriate contractual clauses for use of information

Question 21

What information should be included in firms privacy notice?

Answer 21

• What information you have
• What information will be used for
• Which third parties information will be shared with
• How long information will be stored for
• What legal rights they have

Question 22

When did GDPR come into effect

Answer 22

25 May 2018

Question 23

What Act implemented GDPR in the UK?

Answer 23

• Data Protection Act (2018)
• Replaced Data Protection Act 1998

Question 24

What are the key requirements of GDPR?

Answer 24

• Obligation to conduct data protection impact assessments for high risk holding of data
• New rights for individuals to have access to information on what personal data is held, and to have it erased
• Data controller decides how and why personal data is processed and is directly responsible for GDPR
• A new principle of ‘data accountability’ ensuring that organisations can prove to the Information Commissioner’s Office (ICO) how they comply with the new regulations
• Data security breaches need to be reported to ICO within 72 hours where there is a loss of personal data and a risk of harm to individuals
• An increase in fines - up to 4% global turnover or 20 million euros (whichever is greater)
• Policed by ICO

Question 25

8 individual rights under GDPR?

Answer 25

1. Right to Information 2. Right to Access 3. Right to Rectification 4. Right to Erasure 5. Right to Restrict Processing 6. Right to Data Portability 7. Right to Object 8. Right to avoid Automated Decision Making

Question 26

What are the principles of GDPR?

Answer 26

Article 5(1) - Principles relating to storage of personal data must be: - Processed lawfully, fairly and in transparent manner - adequate, relevant and limited to what is necessary for the purpose - Kept up to data - Eradicated if inaccurate, or rectified without delay - Kept in a form that permits identification of data subjects for no longer than is necessary - Processed in manner than ensures appropriate security of personal data, including protection from unlawful processing, accidental loss, destruction or damage Article 5(2) - the controller shall be responsible for, and be able to demonstrate, compliance with the principles

Question 27

What is SAR?

Answer 27

- Subject Access Request - Demand that the individual be given all the information that a company holds on them

Question 28

What was the Freedom of Information Act?

Answer 28

- Came into effect in 2000 - Allows an individual to request access to information held by a public body - Public body is required to provide that information (within 20 working days) in requested format - They can charge a fee for this

Question 29

What are the provisions of the Land Registry Act (2002)?

Answer 29

- Provides a complete and accurate reflection of the state of the title of the land at any given time - Aim is to get all freehold land in England and Wales registered by 2030

Question 30

Disadvantages of the systems you use?

Answer 30

- Rely on data input completed by others - human error - External systems - firm is not in control of security - Not user friendly and lots of staff training required!

Question 31

How did it tighten up the former DPA 1998?

Answer 31

- Customer has greater control over their data - Harsh penalties if fail to comply - up to 20 million euros - GDPR is binding piece of legally enforceable regulation - Applies to all EU nations and every company holding data on EU citizens - Breaches have to be reported to the relevant authorities within 72 hours - Companies will be accountable for data protection - Any firm with over 250 people required dedicated data protection officer

Question 32

What is the Freedom of Information Act? 

Answer 32

Act of parliament that creates a public right of access to Information held by public authorities. 

Question 33

Principles of Data Protection Act/GDPR?

Answer 33

Lawfulness, fairness, transparency Purpose limitation Data minimisation Storage limitation Accuracy Integrity / confidentiality accountability

Question 34

What is a ROPA?

Answer 34

Reporting of processing activities

Question 35

What is an information barrier and how should it be enforced?

Answer 35

1. Different surveyor should act for each client. 2. They must be physically separated preferably in different buildings or on different floors with separate support teams. 3. All information regarding the instruction should be securely stored. 4. The firms compliance officer must oversee all actions.

Question 36

What is a firewall?

Answer 36

A firewall is a device configured to permit, deny, or encrypt all computer traffic between different secure locations.

Question 37

What encryption?

Answer 37

Encryption is a method which allows information to be hidden so that it cannot be read without special knowledge or tools.

Question 38

What was your advice in your Level 3 examples?

Answer 38

Covid-19 concessions: - Create sharepoint - Encrypt / password protected - Only issued to relevant parties as per my firm's Data Protection Privacy Policy HR employee information: - Redact sensitive information - Password protect - 2 factor authenticate - Email password protected information and confirm password over the phone

Question 39

What is you firm's data protection policy?

Answer 39

- Complies with DPA 2018 - Subject to appropriate legal safeguards in DPA and UK GDPR - Workman is a data processor and controller - Firm is responsible for notifying ICO of the data it holds - Has a DPO for ensuring compliance - Adheres to data protection priciples

Question 40

What are Workman's principles?

Answer 40

- Be processed fairly, lawfully and in a transparent manner and shall not be processed unless certain conditions are met. - Be collected for specific, explicit and legitimate purposes and shall not be processed in any manner incompatible with those purposes. - Be adequate, relevant and not excessive for those purposes. - Be accurate and, where necessary, kept up to date. (Every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.) - Not be kept for longer than is necessary for a specific purpose. - Be processed in accordance with the data subject’s rights. - Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures. - Not be transferred to a country or territory outside the UK, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.