What is the Data Protection Act 2018?
UK GDPR (General Data Protection Regulation) is covered by the Data Protection Act 2018.
Sets out legal framework of data protection in the UK.
It creates one set of rules for businesses to follow and empower individuals to take control of how their data is used by third parties.
It gives people rights to be informed about how their personal information in used.
Can you summarise the key differences between GDPR UK 2021 and the Data Protection Act 2018?
GDPR UK (2021) this is a regulation - that sets out broad general rules for handling personal data, including the rights of individuals, such as access, correction and deletion of their data.
Data Protection Act (2018) this is LEGISLATION - this supplements GDPR UK by tailoring certain provisions to the UK context. It includes additional protections, such as specific rules for law enforcement data processing, national security and provisions for handling sensitive date.
The DPA 2018 supplements UK GDPR by adding UK-specific rules, exemptions, and criminal offences. GDPR sets the core principles, while the DPA fills gaps and covers areas like law enforcement and special category data.”
What are the 6 key principles of the Data Protection Act / GDPR UK that must be complied with?
- Lawfulness, fairness and transparency - ensure clients are aware of how their data will be used and get consent.
- Purpose - Collected for specified, explicit and legitimate purposes.
- Data minimisation - only collect the minimum amount of data needed for the task
- Accuracy - ensure data collected is up to date and correct.
- Storage Limitation - Kept no longer than necessary
- Integrity and confidentiality - processed securely to protect against unauthorised access.
What methods do you use to verify the accuracy of the data when extracting information from sites such as co-star, land registry?
- I cross-reference information with internal databases and records.
- I consult with local agents to confirm the data.
- Its important to consider the reliability of data, without verification of data sources you cannot guarantee accuracy, and therefore may be providing inaccurate advice.
How do you ensure that clients are informed about their data in accordance with GDPR’s transparency requirements?
Issue a privacy notice which outlines:
- What data is being collected
- Why the data is being collected
- How long the data will be stored
- Who the data may be shared with
- The clients rights regarding access, rectification and erasure.
What are the 8 individual rights of GDPR UK?
- Right to be informed
- Right of access
- Right of rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision
How do you handle client data requests under GDPR, such as access, rectification, or erasure, while maintaining data accuracy and integrity?
Access - I verify the identity of the requester before providing access to their personal data, - use a machine-readable format (CVS) within a one month timeframe required by GDPR.
Rectification - if a client requests that their data to be corrected, I review and update the information immediately.
Erasure - if a client exercises their right to be forgotten, I delete their data unless there is a legal obligation to retain it. Backup copies are also deleted.
In the context of the Data Protection Act 2018, how do you ensure that the data you collect is limited to what is necessary for the intended purpose (data minimisation principle)?
- Only collect data that is directly necessary for the task at hand.
- Regularly review the data to ensure any outdated info is deleted/archived.
The ‘right to be forgotten’ (data erasure) is an important aspect of GDPR. How do you handle data deletion requests from clients while ensuring compliance with all legal obligations?
I verify the lawful basis under which the data was processed – if data was collected under consent proceed with erasure – if data is needed for contractual/legal obligations then inform client that it cannot be deleted.
All copies of data, including backups, are deleted if requested.
GDPR requires that personal data be stored only for as long as necessary. How do you determine the appropriate retention period for client data, and what steps do you take to ensure this period is followed?
The retention period of data is based on contractual obligation – data is kept for the duration of our contract.
Some data may be held for future business purposes e.g. client relationship management but only with appropriate justification.
Under the limitation Act 1980 - 6 years on file.
In case of a data breach, GDPR requires swift action. Can you explain your process for detecting, reporting, and investigating data breaches, and what steps you would take to minimise their impact?
I detect through systems that track unauthorised access attempts.
If a breach is detected, I inform my firm’s GDPR Country Lead Team and IT team, then notify the Information Commissioner’s Office (ICO).
I would begin an internal investigation to try and identify the root cause.
Once breach is identified, I would ensure the compromised data is isolated and provide affected clients with steps to protect themselves (changing passwords etc.)
How long do you hold client information for?
Information is held for as long as necessary to fulfil the purpose for which it was collected or required for. However, it is common practice to retain information for 6 years after the end of a business relationship, in line with the Limitations Act (1980).
What is the difference between a data controller and data processor?
Data Controller decides how data is stored and how its protected.
Data Processor is someone who just handles the data.
For example, at Colliers the controller is Mike Harris, but it is us surveyors who processes it.
What is the importance of handling and storing data with sensitivity?
In order to comply with UK GDPR (2016) as well as the RICS Rules of Conduct and Bylaw of confidentiality.
Are there any exemptions to complying with the Data Protection Act?
Under the Data Protection Act (2018) there are certain exemptions.
For example, if complying would harm a criminal investigation or affect someone’s commercial interest.
What are the penalties for non-compliance of the Data Protection Act/ UK GDPR?
4% of your firm’s global turnover or £17.5m (whichever is greater)
What did you learn in your cpd?
Received mandatory online information handling and GDPR training.
Learning outcomes were on how to safely store clients’ data through data security technologies such as disk encryption and setting up password-protected documents.
How does a password-protected document ensure GDPR is adhered to?
Ensures data is only accessible by individuals with the authority.
This helps the confidentiality in terms of the security of data as well as data minimised - limited to this use only.
Can you use confidential information in negotiations?
If the information is confidential, you shouldn’t have access to it.
If you do, you need to tell the source that you have it by mistake so they are aware.
What is a NDA?
Non-Disclosure Agreement
This is where parties enter into a contract to not share the details of the parties of the work.
How do you comply with GDPR and the Data Protection Act (2018) in your role?
I store all files securely with password protection.
I ensure that only authorised personnel have access to sensitive client information.
If a client exercises their rights under GDPR, such as requesting access to their personal data, I respond promptly and provide the information.
I only collect and retain data that is necessary for the purpose it was gathered.
I stay up to date with GDPR regulations by attending CPD on data protection.
Give me an example of how you process and handle confidential information.
When a client was looking to acquire an office and requested that their identity and involvement remain confidential, I ensured their details were stored securely using password-protected files and encrypted systems. I followed the RICS bye-laws on confidentiality, making sure no information was shared with third parties without the client’s explicit consent. Throughout the process, I maintained strict confidentiality, ensuring that all communications and actions respected the client’s privacy and professional standards.
What is the Freedom of Information Act (2000)?
What are some examples of Data security technologies?
Data encryption
Regular backups off site
Cloud Storage
Password protection
Use of Anti-virus software
Firewalls
