Data Management (L3) Flashcards

(147 cards)

1
Q

What is a Data Source?

Examples of Internal and External?

A

The origin or location where data comes from. It is the point of collection that feeds into analysis, reporting, or decision-making.

Internal sources:

  • Lease documents
  • Valuation reports
  • Client databases (CRM, property management systems)

External sources:

  • Land Registry (title info, comparables)
  • VOA (rating data)
2
Q

What are the limitations of primary data sources?

A
  • Time consuming
  • High cost - e.g. hiring inspectors
  • Human error
3
Q

What are the limitations of secondary data sources?

A
  • No control on what is contained in data
  • Lack of confidence - data could be wrong or inaccurate (validity)
  • The above link to GDPR
4
Q

Why is it important to be careful when accessing data sources?

A
  • Essential to consider the reliability of the source and associated risks;
  • Where possible, verify data against an alternative source through ‘triangulation’

*Important to know which data you might use in work for different purposes, where it comes from and how reliable it is

5
Q

Why is Data Storage and Security important?

A

It is essential that data is kept safe from corruption and that access is suitably controlled to ensure privacy and protection

6
Q

How is data managed and protected in your firm?

A
  • Consistent password changes (every 30 days)
  • Microsoft Authentication
  • Firewalls
  • EFS encryption
  • Consistent data purges
  • Regular training on how to protect data
6
Q

Give me some examples of data security technologies?

A
  1. Disk encryption - encrypt data on secure hard drive disk
  2. Regular back-ups off site
  3. Password protection
  4. Use of anti-virus software protection
  5. Firewalls and disaster recovery procedures

Consider what action is undertaken in your office to ensure the security of data

7
Q

What is a firewall?

A

Computer network security system that restricts internet traffic

8
Q

Give me an example of how you ensure that data is kept securely.

A

- Two-factor authentication
- Using data rooms

9
Q

What is intellectual property?

A

Something that is created using your mind, protected by legal rights e.g. patent, copyright

It allows the creator/owner to control use of their work and to benefit commercially from it

10
Q

Can intellectual property be transferred?

A

Yes - Written agreement e.g. contract/assignment

11
Q

What are the Main types of Intellectual Property?

A
  • Copyright
  • Trademarks
  • Patent
  • Design Rights
12
Q

What is copyright?

A

Type of IP –>

Set of exclusive rights granted to author or creator of any original work including the right to copy

These rights can be licensed, assigned or transferred
Protects: literary, artistic, musical, dramatic works, films, software, databases.

Automatic protection (no registration).

13
Q

What are trademarks?

A

o Protects: brand names, logos, symbols, slogans.
o Must be registered to be fully enforceable.

14
Q

What is the Data Protection Act 2018?

A
  • The UK’s main data protection legislation.
  • The UK’s implementation of the General Data Protection Regulation (GDPR).
  • Governs how organisations must handle, store, and process personal data, protecting privacy rights of individuals.
15
Q

What is the UK GDPR (2021)

A
  • Came in when UK left the EU
  • Key principles remain
  • Relates to controllers and processors outside the UK if they are dealing with individuals inside the UK
  • Covers cross-border processing
  • Applies to both controllers and processors
16
Q

When did the DPA 2018 come into force?

What did it come in to achieve?

A

It came into force on 25th May 2018 and replaced the Data Protection Act 1998

  • Act is a complete data protection system so as well as governing personal data covered by GDPR, it covers all other general data as previously covered by the 1998 Act.
17
Q

Does the UK GDPR 2021 override the 2018 DPA?

A

No — it doesn’t override it.
✅ They work together.

Think of UK GDPR as the main framework. After Brexit, the EU GDPR was brought into UK law as the UK GDPR.

DPA 2018 provides the detail, exemptions, and enforcement mechanisms.

18
Q

What are the rights of individual Data Subjects? (Under GDPR/DPA)

A
  1. Right to be informed
  2. Right of access: access their own personal data
  3. Right to rectification: request corrections
  4. Right to erasure: to be forgotten
  5. Right to restrict processing: limitations of data
  6. Right to data portability: obtain & reuse personal data across different services
  7. Right to object
  8. Rights related to automated decision making and profiling
18
Q

What are the key provisions/rules of the DPA 2018?

A

1) It incorporates the GDPR into UK law, ensuring data protection rules align with the EU regulations
2) It provides a framework for processing personal data in the UK
3) Covers personal data and sensitive personal data

19
Q

What types of data does the DPA 2018 Cover?

A
  1. Personal Data - info that identifies an individual (directly or indirectly)
  2. Sensitive Personal Data (special category data): Includes data about racial or ethnic origin, religious beliefs, health, sex, genetics
20
Q

What is a Data Subject?

A

A living individual whose personal data is being collected, held or processed.
- An identified or identifiable natural person

This means a person can be:
* Directly identifiable → e.g., by name, ID number, email address.
* Indirectly identifiable → e.g., by combining information such as job title + workplace + date of birth

21
Q

What are the key principles of data processing under DPA 2018?

A

LPDASIA

1) Lawfulness, fairness, transparency
2) Purpose limitation - only collected for specific, legitimate purposes
3) Data minimization - only data necessary for intended purposes
4) Accuracy - kept up to date
5) Storage limitation - minimal time/as long as necessary
6) Integrity + confidentiality - processed securely to prevent unauthorised access
7) Accountability

22
Q

What is SAR?

A

Subject access request

  • Individual demands for info a company holds on them
  • Respond within at least 1 calendar month
23
EXAMPLE: Who is the data processor and data controller for CCTV information?
- Data controller = Client/Landlord - they direct the processor's activities. Define the means and purposes for holding, using and processing the data
- Data processor = Workman - they will collect, process, store and transmit personal data.
- Data Sub Processor = A security contractor, RFMs etc. People who view and have access to the data
Data is processed on behalf of controller
24
What is a Data processor?
Processes data on behalf of controller (sometimes known as a third party, e.g. a cloud IT company)
24
What is a data controller?
Person/entity that determines purpose and means of processing personal data (e.g. a client/landlord, employer holding employee HR records, university managing student records). Must comply with principles
25
Who is the Data Protection Officer (DPO) and what is their role?
Responsible for overseeing the data protection approach, strategy & implementation. Needed if an organisation processes large amounts of sensitive data. - These people must comply with data protection principles. Companies are also required to implement:
26
When would an organisation need to appoint a Data Protection Officer (DPO)?
If they process large amounts of sensitive data or perform regular and systematic monitoring of data subjects
27
What would you do if there was a data breach under DPA 2018?
Under the DPA 2018:
- Report to Information Commissioner's Office (ICO) within 72 hours
- Notify affected individuals without delay, IF likely to result in a high risk to their rights/freedoms
If within company I would report to line manager/data protection officer
28
How can a data breach be discovered?
- Unusual network activity - Unauthorised data access attempts - Lost equipment - Reported thefts
29
What is your firm's data protection policy?
That suspected breaches are reported to line manager or data protection officer
30
What are the penalties under GDPR and data protection act?
Fines reaching up to whichever is higher: - 4% of global annual turnover - 20m euros (£17.5m)
31
What are special provisions around DPA/GDPR?
1. Children’s Data- merit special protection. UK GDPR sets 13 as the minimum age for a child to consent to online services (with parental consent required below this). 2. International Data Transfers - When personal data is sent outside the UK, the law steps in because not all countries have the same level of protection.
31
What are exemptions to the Data Protection Act and GDPR?
Some exemptions to the rules apply, these could be for: - National Security - Law enforcement - Journalism - Academic research - Public health
32
What is GDPR?
The General Data Protection Regulation - A data protection law that applies to all EU members and aims to give individuals greater control over their personal data, while imposing strict rules on organisations who process that data. - It is a complete data protection system that governs personal data covered by GDPR and the previous act - Replaced 1995 Data Protection Directive
33
What law did the GDPR replace?
Replaced the 1995 Data Protection Directive and harmonised data protection laws across the EU.
34
When did GDPR come into effect?
EU - 25 May 2018
35
When was GDPR first introduced?
- EU in 2016 (implemented in May 2018 after a transition period) - UK in 2018 under data protection act - UK released own updates in 2021 (UK GDPR)
36
Why Did UK GDPR 2021 come in?
- The EU GDPR came into force in May 2018. It applied directly in the UK (because we were still an EU member then). - Brexit meant EU laws no longer applied automatically, meaning regulations like GDPR would have fallen away, leaving a gap in UK data protection law. To avoid a legal gap, GDPR was “retained” in UK law. The UK government copied EU GDPR into domestic law and renamed it UK GDPR. It sits alongside the Data Protection Act 2018.
37
Who regulates GDPR in the UK?
Information Commissioner's Office
38
Where did the DPA 2018 come from?
- Before 2018, the UK operated under the Data Protection Act 1998. Based on the 1995 EU Data Protection Directive. - Framework was outdated (couldn’t cope with digital economy, big data, AI, cloud computing, etc.). - The EU introduced the General Data Protection Regulation (GDPR) in May 2018. As an EU member at the time, the UK had to adopt GDPR.
39
How did GDPR tighten up the former DPA 1998?
- Gave individuals greater control over personal data (e.g. right to be forgotten, right to data portability). - Harsher penalties for non-compliance — up to £17.5 million or 4% of annual global turnover, whichever is higher. - Introduced a duty to report data breaches to the ICO within 72 hours. - Certain organisations (public bodies/those processing large volumes of data) must appoint a Data Protection Officer (DPO)
40
What is the difference between the UK Data Protection Act and the rules of GDPR?
GDPR: - EU-wide data protection regulation (now UK GDPR post-Brexit). - Sets core principles, rights, and obligations for handling personal data. UK Data Protection Act 2018: - UK law that supplements the UK GDPR. - Adds national exemptions and rules (e.g. for law enforcement, intelligence). - Gives the ICO powers to enforce data protection.
41
What are the key principles of GDPR?
LPDASIA
1) Lawfulness, fairness and transparency
2) Purpose limitation - specified and explicit
3) Storage limitation - should only be kept as long as necessary
4) Data minimization - only necessary data
5) Accuracy - up to date
6) Integrity and confidentiality - processed securely to prevent unauthorised access
7) Accountability - data controllers demonstrate compliance with GDPR principles
ARTICLE 5(1) AND (2)
42
What are the individual rights under GDPR and the data protection act?
1) Right to be informed --> collection/use of personal data
2) Right to access --> to their personal data + request free copy
3) Right to rectification --> request corrections to data
4) Right to erasure --> 'to be forgotten'/deletion of data when no longer required
5) Right to restrict processing
6) Right to data portability --> obtain and reuse data across services
7) Right to object --> to processing of personal data, such as marketing
8) Rights related to automated decision making and profiling --> right to request human intervention
43
What are the key obligations for organisations under GDPR?
1) Must have data controller and data processor- both must implement appropriate technical and organisational measures 2) Data Protection by design and default - integrate DP into business practices 3) Data Protection Impact Assessment (DPIAs) - required for processing activities 4) May require DPO if processing large amounts of sensitive information (also oversee compliance with GDPR) 5) Breach notification/process --> when breach occurs
44
What is a Data Protection Impact Assessment (DPIAs)?
A process to identify, assess and minimise risks to individuals’ personal data when undertaking high-risk data processing. It’s a requirement under UK GDPR for certain activities
45
What is the purpose of GDPR and DPA?
Governs how personal data should be processed + protects rights of individuals
46
Can you confirm how data from your examples are stored under the regulations?
In line with GDPR principles
47
What are the rights of access under GDPR?
Individuals have right to access their personal data and supplementary information - can request copy of data free of charge
47
How do you comply with GDPR in your role?
- Report breaches to the DPO, who will then escalate to the ICO if high risk - Do not give out personal info - Keep records of data consent - Ensure info held is in line with GDPR - Data Purges
48
Can you give me some examples of data held by surveying practices covered under GDPR?
- Emails/correspondence - Customer data held for marketing - Data to help service a client (accounting info) - Standard and Sensitive personal data
49
Why was GDPR introduced?
To consolidate EU 2018 data laws and provide greater protection/rights to individuals
50
What is within the RICS guidance for GDPR compliance?
- Document purposes of holding information - Keep record of consent for processing, storage and retention - Check if you have contract for info
51
How long can you hold data for?
No specified time period - as per the GDPR principle, data should be kept as long as necessary for processing purposes
52
How do you practice handling and managing data in line with GDPR at Workman?
- We have a compliance team and a compliance officer - Training provided ie. Cyber training on how to be safe online - IT controls on client data, opt in distribution lists etc.
53
What is the difference between the Data Protection Act and GDPR?
The Data Protection Act enacts GDPR into UK law
54
What things must companies put in place to ensure GDPR Compliance?
- Privacy notice informing employees and clients about how their personal data will be used - Training for employees on how to process personal / important data - Risk assessments for data processing activities - Firewalls / password changes / encryption etc.
55
Who are the key persons outlined within GDPR?
- DPO: Data protection officer - used when large amounts of sensitive data are being processed - Data controller: determines the purpose and means of processing of personal data - Data processor: processes the personal data on behalf of controller Eg contractor
56
How do you / your firm ensure compliance with GDPR?
- Our PM systems utilise personal data to link managers to their properties. - In line with the principles of GDPR, my firm requires us to add information in a secure way, using protected forms. - We also remove the information as soon as possible, in line with the data minimisation / storage limitation principles. Every 6 months there is a company-wide check of all properties and inactive managers are removed.
57
What is the Freedom of Information Act and when did it come into force?
IN THE UK --> Right for anyone to request public access to info held by a public body/authority.
- Promotes transparency and accountability by allowing public to request information.
- Public body required to provide within 20 working days (fee can be charged)
- Introduced 30th Nov 2000
58
What are the exemptions to the Freedom of Information Act?
1) Absolute Exemptions (info that doesn't need to be disclosed) --> e.g. national security, court records, parliamentary privilege, personal data protected under the DPA 2018.
2) Qualified Exemptions: Info that may be withheld if the public interest in maintaining the exemption outweighs the public interest in disclosure. --> e.g. law enforcement, H&S etc.
59
How much does it cost to submit a freedom of information request?
- Can be £0 - Limit is £450 for public authorities - Limit is £600 for central government
60
If you are working for a public sector client, and you receive a FOI request about a valuation you’ve prepared, what would you do?
- I would not release the information myself. - I would advise my client, who as the public authority is responsible for handling the request. - I would flag potential exemptions, such as commercial sensitivity or personal data, but the decision lies with the authority.
61
What is Privacy and Electronic Communications (EC Directive) Regulations 2003?
- PECR = Privacy and Electronic Communications (EC Directive) Regulations 2003. - Sits alongside UK GDPR & DPA 2018 → applies specifically to electronic communications.
62
How does the PECR 2003 relate to UK GDPR & DPA 2018?
UK regulations that sit alongside the Data Protection Act 2018 and UK GDPR. They give people specific privacy rights in relation to electronic communications. Purpose: - To regulate how organisations can use electronic communications for marketing, cookies, and network security.
63
What is the Land Registry Act 2002?
- Framework to ensure possibility of transferring and creating registered land interests electronically - Aims to get all freehold land in England and Wales registered by 2030 - Any sale/lease over 7 years, or mortgage must be registered with HM Land Registry
64
What are the Key areas covered in the Privacy and Electronic Communications Regulations 2003 (PECR)?
1. Electronic Marketing- Rules for emails, texts, calls, faxes. Consent usually required (opt-in), but “soft opt-in” allowed for existing customers. 2. Cookies & Tracking - Websites/apps must tell users, explain purpose, and get consent before using cookies 3. Security of Communications Services - Telecoms/ISPs must keep services secure. 4. Customer Privacy- Confidentiality of communications (no unlawful interception). Rules on caller line ID and location data.
65
What is the Retention of files and Limitation Act 1980?
Sets out how long business should keep documents for. - States legal action must be brought within 6 years of issue arising. - 12 years: Deeds and certain property-related claims - Ensures surveyors are aware that claims for breach of lease obligations, defects, or valuation disputes may be barred after a certain time.
66
How long does the RICS advise to hold data for?
15 years - The Limitation Act 1980 long stop date
67
What is the Limitation Act 1980?
The Limitation Act 1980 is a UK law that sets out the statutory time limits (known as “limitation periods”) within which legal claims can be brought in England & Wales.
68
What is a Deed? Example?
- Legal document transferring or creating property rights. - Evidence of a transaction (sale, transfer, lease). Example: Transfer deed for a house sale
69
What is a Registered title? Example?
- Official Land Registry record of ownership. - Proof of legal ownership and interests. Example: Land Registry shows buyer as owner.
70
What is the difference between a deed and a registered title?
- Deed = Legal document that formally transfers legal ownership
- Registered Title = concept of giving right to own electronically
Title takes precedence (it is what the public uses)
💡 Tip: Deed = the document; Registered title = the official ownership record
71
What is an Index Map?
A large-scale map used to show the location and boundaries of a property or land parcel. It is usually referenced in deeds, conveyances, or registered titles to identify the land being transferred or leased
72
What are the Key features of Index maps?
- Shows plot boundaries, adjoining land, and reference numbers. - Acts as a visual reference to legal documents (e.g., a deed or lease). - Used in Land Registry and property records to link physical land to legal ownership.
73
How would you source title information?
1. Land Registry (Registered Titles)- Official record of ownership, easements, covenants. Searched via HM Land Registry. 2. Deeds (Unregistered Land)- Historical documents showing transfers, leases, or legal rights. Typically stored at solicitors’ offices or archives. 3. Title Plans/Index Maps. Show location and boundaries of property. Often included with deeds or Land Registry entries. 4. Official Searches & Enquiries- Local authority searches for planning restrictions, rights of way.
74
What are CPSEs?
Commercial Property Standard Enquiries A standardised set of questions used by surveyors, purchasers, or prospective tenants to obtain essential information about a commercial property before acquisition, lease, or investment.
75
What is the benefit of CPSEs?
They are designed to save time, reduce risk, and improve transparency in commercial property transactions.
76
Give me some examples of what the different types of CPSEs are used for?
- CPSE.1 (General pre-contract enquiries) - Freehold, Purchases, New Lease
- CPSE.2 - Sale or Purchase of leasehold properties
- CPSE.3 - Grant of a new lease
- CPSE.4 - Assignment
- CPSE.5 - Surrenders
77
What is a Data Room?
A centralised secure location (physical or digital) where all relevant documents, records, and data relating to a property are stored for review by authorised parties. - Share sensitive docs, controlled access and relevant docs (in line with GDPR/DPA)
77
Which CPSE would you use for a lease assignment?
CPSE.4 is the standard form used for the assignment of an existing lease. It focuses on issues such as whether landlord’s consent is required, any arrears of rent or service charge, whether there are disputes under the lease, and details of alterations or break clauses
78
When might a data room be used?
- Used in sales, leases, or refinancing → for due diligence. - Key for property sales.
79
What are the benefits of a data room?
- Efficiency – all documents in one place, easy remote access. - Security – controlled access, encryption, audit trails. - Transparency – everyone sees the same up-to-date info. - Cost & Time Saving – no printing/couriers, faster due diligence. - Auditability – clear record of what was shared and when.
80
What is Building Information Modelling (BIM) and how can it be used?
A process supported by digital tools that enables stakeholders (surveyors, contractors, and owners) to create, manage, and exchange information about a building in a coordinated way. - Generate and manage digital representations of elements of a building e.g. project planning and historic preservation
80
What are Automated Valuation Models (AVMs)
Computerized systems that estimate property values using algorithms, statistical models, and available data (sales, rents, property attributes, market trends).
80
Explain the growing use of AVMs in the industry
1. Speed & Efficiency- Provide instant property valuations without manual inspection. 2. Cost-Effectiveness- Reduce the need for traditional surveyor input for every valuation. 3. Data-Driven Decision Making- Banks, lenders, and insurers use AVMs to assess risk and lending limits. Helps property investors analyze portfolios and market trends. 4. Integration with Digital Platforms- linked with BIM, GIS, and property databases for richer insights.
81
How do Workman manage and protect data?
- Keep documents secured – EFS files - Have annual audits carried out - Usually, Workman/landlord are data controller, and the contractor is the processor - DPO to contact with any queries - All about getting consent for marketing, taking photos of individuals, displaying cleaner/security certificates etc - ISO9001 – Protects documents relating to their business - ISO27001 - protect sensitive information systematically and manage risks related to data breaches or cyber threats
82
How do Workman Ensure GDPR compliance?
- Raise awareness across the business - Audit all personal data - Update privacy notice - Review procedures supporting individuals’ rights - Identify and document legal basis for processing personal data - Annual GDPR training
83
How do Workman practise handling/ managing data in line with GDPR?
- We have a compliance team and a compliance officer - Training provided ie. Cyber training on how to be safe online - IT controls on client data, opt in distribution lists etc.
84
Where does Workman store data?
On the cloud, which is stored in data centres within the UK.
85
Does your firm have a privacy notice? What is included?
- Yes - it is on the website - It identifies the data controller - Shows what data is held, Outlines uses for data, Outline how long you hold data for - Outlines the data rights - Cookies used etc
86
Disadvantages of Workman Management Systems?
1. Updates to ensure strong encryption and firewall --> Downtime
2. Always security risk
3. Dependent on internet connections (tech). If not, their data can’t be accessed
87
How do you extract data in your role?
1. Horizon
2. Encrypted login
3. Search up property on system - go to data source needed e.g. invoice
88
How do you validate information received in your role?
- Avoid duplications - Reviews leases/legal documents - Cross check against historic data - Tenant/Landlord info - DI form dates correct - correct charges and sent to correct recipients
89
How do you comply with GDPR in your role?
- Report breaches - Do not give out personal info - Keep records of data consent - Ensure info held is in line with GDPR - Data Accuracy - ensure records are accurate and kept up to date (e.g. updating tenant contact details when notified).
90
What is the Use of horizon/tramps and meridian?
* Tramps --> Client reporting, sending tenant invoices, Accounting figures for budget, Legal documentation, Password protected - change every month * Meridian --> Actioning health and safety queries / documentation, Prop inspection report
91
How do you handle Confidential Information in a lease assignment (in line with GDPR principles)?
1) Secure Collection - Documents are submitted via password-protected encrypted email.
2) Restricted Access - Only the responsible surveyor and legal team can view the information. Only certain people copied into email.
3) Purpose-Limited Use - Information is used solely to assess the assignee’s financial strength and advise the landlord.
4) Secure Storage - Digital files stored on EFS within the relevant property.
5) Data Minimization - Only necessary information is extracted for reports; irrelevant details are not retained. When reporting to the client, I summarise findings rather than sharing raw data unnecessarily.
6) Disposal & Compliance - After the assignment process, confidential files are securely deleted or shredded.
92
How do you extract data in your role?
1. SharePoint - extract tenant lease information from the property management database to prepare valuation reports and lease reviews. 2. Horizon – Tenant rent information, service charge/rent invoices etc
92
If you come across a data breach, what is the process?
* Notify affected individuals without delay
* Report to Information Commissioner's Office within 72 hours
* If within company I would report to line manager/data protection officer
93
How do you protect Electronic Data from Viruses?
1. Antivirus & Anti-Malware Software - Install programs and keep updated. Regularly scan devices for threats.
2. Firewalls - Use hardware or software firewalls to block unauthorized access.
3. Regular Software Updates - Keep operating systems and applications patched to fix vulnerabilities.
4. Email & Download Security - Avoid opening suspicious attachments. Verify sources before downloading files.
5. Data Backups - Maintain regular backups to recover files if infected. Store backups offline/in secure cloud storage
94
What is ISO9001?
Sets out requirements for how firms should control data + documents relating to their business
95
What does blockchain mean?
Shared ledger system that facilitates process of recording transactions across a computer network
95
Can you confirm how data from your examples are stored under the regulations?
In line with GDPR principles
96
What are the differences between manual and electronic records?
Electronic = stored online on file system and can read multiple at once
Manual = Physical storage and harder to locate
97
What is the purpose of GDPR and data protection act?
Governs how personal data should be processed + protects rights of individuals
98
Can you give me some examples of reports that you run?
- Arrears report
- Tenancy schedules
- Service charge analysis
99
What is the right to be forgotten?
The right for individuals to have their personal data erased if no longer required or if data processed unlawfully
100
What is an electronic document management system?
Software that centrally stores and organises documentation. E.g. Workman EFS
101
Who regulates GDPR in the UK?
Information Commissioner's Office
102
How is data managed on the Tramps (Horizon + Sharepoint) platform?
- Collaboration and sharing between different teams within businesses (and between business) - Only authorised users can access certain files - Audit trails document activity - Documents held via the cloud - Double factor authentication to get into the site
103
What is hard and soft data?
Hard - quantifiable, numerical facts
Soft - not measurable - e.g. opinions
104
Explain your use of horizon/tramps and meridian?
Tramps:
- Client reporting
- Sending tenant invoices
- Accounting figures for budget
- Legal documentation
- Password protected - change every month
Meridian:
- Actioning health and safety queries / documentations
- Prop inspection reports
105
RICS best practice points for complying with GDPR?
- Conduct data review - Anonymise data where possible - Encrypt everything where possible - Treat commercial data same as personal data, even though not covered by GDPR
106
What are the benefits of the cloud?
- Env friendly - less space
- Speed
- Accessibility managed via online settings
- Collaboration
- Information backed up securely on encrypted servers
- Multiple users can access the same documents
107
When you downloaded the tenants account history reports, how do you ensure that these are stored safely?
Stored on electronic filing system (EFS), this is my firm's encrypted filing system. I ensured these were saved under property specific folder
108
How did you ensure that the folder you set up on your system for the sale ensured data safety principles were met?
1) Picked SharePoint as the data room provider - Ensured encryption and password entry
2) Add users - Set boundaries
3) Set permissions for users
4) Add documents and files - These can be downloaded to local internet networks
109
What does TRAMPS stand for?
Trace Microcomputer Property System
110
What is ISO27001?
Set of requirements for defining, implementing, operating, and improving an Information Security Management System (ISMS)
- Proves to customers that it safeguards their data
111
What do ISO27001 users have privilege for?
Privileged accounts may access important data or systems or exercise administrative powers.
- It is important to secure privileged accounts to prevent unauthorized use.
- Accessing sensitive data
112
How do you ensure compliance with the Data Protection Act 2018 and UK GDPR?
- Process data lawfully and fairly for its intended purpose.
- Obtain consent where necessary.
- Secure personal and financial information through password protection and restricted access.
- Keep records of processing and retention periods.
- Report breaches promptly according to company procedures.
113
What systems do you use for data management?
Accounting systems: Tramps and Horizon for financial records, tenant accounts, and service charge management.
Health & Safety systems: Vantify and Meridian for tracking inspections, risk assessments, and H&S compliance.
114
How do you maintain data accuracy in these systems?
- Regular audits and reconciliations of financial data.
- Cross-checking property information with lease documents and inspection reports.
- Ensuring all entries are updated promptly when changes occur.
115
What have you learned from managing property and client data?
- Effective data management reduces errors, improves efficiency, and supports compliance.
- Regular training and system familiarity enhance accuracy and security.
- Cross-referencing multiple systems ensures consistency across financial, property, and H&S records.
116
What are Vantify and Meridian?
A H&S management system used to track, manage, and report on inspections, risk assessments, and compliance actions. Helps ensure H&S obligations are monitored and met.
117
What are Tramps and Horizon?
A property and financial management system used to manage tenant accounts, service charges, rent collection, and financial reporting
118
What is the impact and importance of GDPR?
- Significantly impacted how organisations worldwide handle personal data, driving greater respect/accountability for individual privacy rights.
- Set a high standard for data protection
- It is essential for any organisation processing personal data of EU citizens, regardless of location
119
What is the public interest test?
Decides under a qualified exemption if it is in the public interest to publish the data
120
What is a publication scheme?
A guide that a public authority must produce under the Freedom of Information Act 2000 (FOIA).
- Where public authorities are required to proactively publish certain info through a publication scheme.
- Schemes must be approved by ICO and intend to make more info available, without specific requests.
121
What is the impact/importance of the Freedom of Information Act (2000)?
- Transparency and accountability --> providing a mechanism for public scrutiny
- Public participation --> enables citizens to participate more effectively in decision-making processes
- Press and research --> frequently request/use FOIA requests.
122
What other steps should be taken when erasing personal data?
Ensure erasure from back-up systems as well as live systems
123
How quickly do you need to delete personal data if someone requests this?
Within a month - 30 days
124
What information is stored electronically in your firm?
- Property related information
- Client information – names, contact details
- General admin – fee invoices, staff contracts
125
What information is stored hard copy in your office?
Older leases and property files
126
What would you do if a piece of land is unregistered?
In this instance, proof of ownership is by production of a deed which sets out information about the ownership and the property details.
- Check if it should be registered – registration is compulsory on sale, transfer, lease over 7 years, assignment of such a lease, or first legal mortgage. If none have occurred, it may remain unregistered.
- Obtain the title deeds – these are the only proof of ownership.
- Carry out extra due diligence – site inspection and local searches, as Land Registry guarantees don’t apply.
127
What are title documents?
A copy of the original register of title that the Land Registry can provide (a title plan and title register) detailing:
- Owner
- Address of owner
- Tenure
- Price paid (if sold since April 2000)
- The boundaries
- Any rights of way or restrictions & covenants on the land noted on the register
128
What is a Non-disclosure agreement? Why might you use it?
An agreement in which the parties agree not to disclose the information covered by the agreement. With parties involved in a potential transaction, if it is of a sensitive nature.
129
What are examples of data security threats?
- Phishing and Whaling
- Hacking
- Loss or theft of equipment
- Insider threat - an employee causes a data breach (can be mistaken or malicious)
130
When would RICS investigate a social media post online?
- One that adversely impacts public confidence and trust in the profession
This includes posts that:
- are discriminatory, dishonest, abusive or threatening
- bully, harass other people
131
What is primary vs secondary data?
- Primary = Data collected for the first time by the researcher to meet a specific, current need.
- Secondary = Data that already exists and was collected by someone else for a different purpose
132
What is the request called when someone wants information about themselves?
Subject Access Request (SAR)
ICO have 30 days to respond to
133
What would you do if you lost a management/confidential report on the way to site?
- I would be open and honest with the client
- I would inform my line manager, and because it was high risk, I would inform my DPO at my company
- Inform the individual asap
- They would then handle it
134
Can you tell me how CCTV relates to GDPR and the principles that underpin it?
- Data transparency
- Lawful/fair
- Purpose limitation - requires personal data to be collected
- Storage limitation - Only retained for time period
- Secured against unauthorised access - data controller etc
135
What would you do if someone wanted to review the CCTV footage at Holborn/Lewisham/Guildford?
1) Request received
2) Check with data protection officer
3) Notify police (if required)
4) Ask subject to complete SAR whilst awaiting advice from data protection officer
136
What do the GDPR regulations say about CCTV?
- Reason for surveillance - Consider privacy - access/detecting incidents/audit
- Policies and procedures - what to be recorded/who can view/how long to retain
- Regular reviews - updated system/cameras added/removed
- Accountability - Named person (IT team - Data Controller + data protection officer)
- Need to pay data protection fee to ICO
- Register with ICO as CCTV operator
- Complete a data privacy impact assessment with ICO
137
What is Article 6 of GDPR?
- Outlines the lawful bases required for any processing of personal data, meaning data processors must have one of these legal grounds to proceed.
- The six bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
- Without one of these bases, processing personal data is not permitted