1
Q
What is GDPR?
A
- law designed to protect peoples personal data and privacy
- Sets out rules on how governments, companies and organisations can collect, store and use personal information
2
Q
When did GDPR come into effect?
A
25th May 2018 - same day is data Protection Act
(Incorporated as part of new EU GDPR legislation)
3
Q
Who regulates GDPR in the UK?
A
Information Commissioners Office (ICO)
4
Q
Key persons outlined in GDPR?
A
Controller - decides how and why personal data is used
Processor - Handles personal data on behalf of controller
Data officer - Oversees data protection and ensures compliance with rules
5
Q
What is the purpose of GDPR?
A
Protect citizens information
6
Q
What constitutes personal data?
A
Information that is used to identify a person or data subject e.g photos, names, email address
7
Q
Examples of personal data under GDPR that could apply to property companies?
A
Data relating;
- Background checks by HR
- Investors
- Fund managers
- Valuations
- Compliance
8
Q
What Act implemented GDPR in the UK?
A
- Data protection Act 2018 - implemented GDPR
- Replaced 1998 Data Protection Act 1998
9
Q
What are the 7 principles of Data Protection Act 2018? (AKA 7 principles of GDPR) LAAPSID
A
- Lawfulness, transparency & fairness
- Accountability
- Accuracy
- Purpose Limitation
- Storage Limitation
- Integrity & Confidentiality
- Data minimisation
10
Q
8 individual rights under GDPR? (IARERDOA)
A
- Right to be informed
- Right of Access
- Right to Rectfication
- Right to Forgotten
- Right to Restriction Processing
- Right to Data Portability
- Right to Object
- Rights related to Automated Decision making and Profiling
11
Q
To what organisations does GDPR apply?
A
Any and all businesses and organisations responsible for holding data in the EU
12
Q
What are penalties for GDPR breaches?
A
- Fines of up to 17.5m
- 4% of worldwide turnover
13
Q
What is the ‘right to access’ under GDPR?
A
- Right obtain whether their personal data is being processed
- Access to their own personal data that is being held
14
Q
What is a breach notification under GDPR?
A
- Formal requirement for organisations (and their data controllers) to notify inform authorities and in some cases individuals if teh breach is likely to risk their rights and freedom
- Need to report 72 hours after becoming aware
15
Q
How are data breaches typically discovered?
A
- Automated security systems
- Internal audits
- Lost equipment
16
Q
How have consent conditions been strengthened under GDPR?
A
- Consent must given in plain and clear language (best practice to get thsi in writing)
- Ability to withdraw consent at any time
17
Q
What is ‘right to be forgotten’ under GDPR?
A
- Under article 17 individuals have right to have personal data erased in certain circumstances
- I.e. if they no longer are employed by a firm
18
Q
What is data portability?
A
Right to obtain and reuse personal data across different services or distributed to a new controller
19
Q
What is privacy by design?
A
- Legal requirement of GDPR
- data protection from onset in designing systems rather than as addition later on
20
Q
What is data protection officer?
A
- They are responsible for monitoring internal compliance and obligations for data protection
- Only required by entities involved in large-scale processing of personal data
21
Q
Examples of data held by surveying practices?
A
- Data to serve clients (accounting info, compliance)
- Lease documents
- Emails and other correspondence
22
Q
What are obligations imposed by GDPR?
A
- Must be knowledgeable about the data you store (location, security)
- Must be able to be deleted at any time
- Individuals can request to see all their personal data held
- Must demonstrate compliance in data handling
- Must offer data portability
- Must be able to prove how information is being used
23
Q
RICS best practice points for complying with GDPR?
A
- Conduct data review
- Anonymise and encrypt data where possible
- Understand data processing
- Treat commercial data in the same as you would treat personal data although it is not covered by GDPR
24
Q
What are your company’s policies for data protection breaches?
A
- Report to line manager or data protection officer in firm
- Email GDPR group at Workman
25
RICS recommendations for using confidential information?
- Keep secure record of consent for data processing
- Maintain confidentiality of information without explicit permission from party
- Check if you have appropriate contractual clauses to use information
26
What information should be included in firms privacy notice?
- What information you hold
- How will it be used
- How long it will be held for
- Which third parties it will be shared with
- Legal rights
27
What is SAR?
- Subject Access Request
- Demand that an individual be given all information a company holds under GDPR
28
What was the Freedom of Information Act 2000?
- Allows individual to request all personal information held by public body
- Must be done in 20 days
- Can charge for this
29
What are the provisions of the Land Registry Act (2002)?
- Provides complete and accurate reflection on state of title of land at any given time
- Aim for all land in England and Wales to have a title before 2030
30
What is required for a Land Registry Compliant Plan? (think of plan in case study)
- Demised Red Line
- North arrow
- Scale
- Drawn to scale of 1:100 or 1:200
- Location of property drawn to scale of 1:1250
- Measurement bar
31
What is the difference between a deed and a registered title?
- Deed - physical record of ownership declaring person's legal ownership
- Registered Title - ownership recorded in land registry
- Land Registry Act 2002 states registered title is conclusive
32
Are electronic signatures accepted by the Land Registry?
Yes, witnessed electronic signatures are accepted from July 2020
33
Disadvantages of the systems you use?
- Rely on others for data input - human error
- External system - firm not in control of security
34
How did it tighten up the former DPA 1998?
- Customers greater control over data
- Firms over 250 need a designated DPO
- Fines
- Introduction of breach notification
35
How do you comply with GDPR in your role?
- I report suspected breaches
- I dont share confidential or personal information
- I keep consent for data processing
36
Give me an example of how you process and handle confidential information.
- When sending information to solicitors I ensure files are uploaded to a secure data room
- Change password for management systems and computer login every month
- Anonymise employee liability for TUPE
37
What does encryption mean?
- Mathematical encoding of data that only authorised users can access
38
What is a fire wall?
- Network security system that monitors and controls network traffic based on predetermined security rules
39
Tell me about how you extract data from a source regularly used in your role?
- Extract data from leases, which is then put into data input forms, sent to my line manager to approve and then inputted by the data input team to appear on management systems
40
Can you tell me about the retention of files and the Limitations Act 1980?
- Section 5 states legal action must be brought about within six years of issues arising
- Requires businesses to keep documents on file 6 years after tehy expire
41
Give me an example of how you ensure that data is kept securely.
- Access is restricted to users by password
- Firewalls but in place by IT team to stop hacking
- Appropriate training undertaken to understand processes
42
What is copyright?
- Legal right given to the creator of original works exclusive control over use of their creations for a certain period of time.
- In property; marketing material & intellectual property
43
What is an AVM?
- Automated Valuation Model
- mathematical/statistical modelling with databases of existing properties and transactions to calculate real estate values
- Used by lenders and banks, developers, agents and brokers
Pro - speed & cost-effective
Con - Human expertise required to interpret AVM outputs
44
Does RICS provide any guidance on AVM?
- RICS Roadmap: Automated Valuation Modelling 2021
- Outlines strategic direction and implementation of AVM in valuation
- Outlines best practice for AVM -> importance of balancing information with standards and ethical practices
45
Explain the growing use of AVMs in the industry?
- Has merit in science of valuation with growing availability of data
- Speed, cost-effective, potential to reduce litigation
46
What is an Electronic Document Management System?
- Software that stores, organises and manages documents
- Sharepoint
47
How do you ensure GDPR compliance and security in the office?
- Clear desk policy
- Use shredder for disposal of docs with confidential information
- Lock screen
- Password protect
- External back up drive
48
How do you monitor compliance on QUOODA/riskwise?
- Linked to email so get a notification when essential compliance document is nearing expiry/overdue
- Quarterly audits of system to identify discrepancy
49
How do you apply your firms data protection policy?
- I report suspected breaches
- Anonymise data where possible
- Dont share confidential info
- Keep consent for data processing
50
How to ensure data accuracy?
- Double check against docs
- Checked by line manger
- Data audits
51
What are CPSEs?
Commercial Property Standards Enquiries
52
If a tenant would like to access CCTV footage, what is required?
- Subject Access Request (SAR) - only my police & insurers
- Liaise with DPO on what can be given
53
How do you store confidential data in your office?
- Using password protected devices which require dual authentication for access
- Anonymise all personal data (use property codes for files rather than names)
54
What would you do if you realised that you had received confidential data in an email, from another surveyor, which you should not have seen?
- Cannot use information
- Report to DPO & Compliance officer
- Advise client/sender of error
- Dispose securely of information
55
How do you ensure the data on the systems you use is accurate?
- Data is cross-checked by multiple parties
- Internal and external systems get audited
- Prelist get raised and required to be approve by PM
56
Benefits of cloud based storage systems?
- Access from multiple users at one time
- Info backed up on securely encrypted servers
- Environmentally friendly and cheaper
57
What is a Non-disclosure agreement - NDA ?
- Used to protect against or sharing any confidential data
- NDA in property sales
58
If two separate department within your firm were working for two rival companies how would you ensure client sensitive data was managed?
- make client aware of risks
- COI check
- Seek letter of instruction that both parties are happy for you to continue
- Implement information barrier
59
What things must companies put in place to ensure GDPR compliance?
- Raising awareness - through mandatory training courses
- Audit all personal data
- Update privacy policy - to explain how data is processed
- Appoint DPO if over 250
- Data breach response plan
60
How have you advised client on DM?
Recognised MEES coming to force old managing agents didn’t have a tracker for EPC
61
Horizon & Tramps limitations
- 3rd party we dont have control of the security
- Human error in data input
- Training not user friendly
62
What are exemptions to Data Protection Act 2018 ?
- National Security
- Law Enforcement
- Public health
63
What does block chain mean?
- Decentralised digital ledger
- Can facilitate data sharing, streamline collection on rental collections and payments to landlords
64
What is BIM and how can it be used?
- Building information modelling - creates 3D representations of buildings
- Help with design visualisation of stakeholders
- Aids cost management
- Used by our building surveyors in refurbishments of properties
64
What is an index map?
- Provides all information on all land that is registered or being registered on HM Land Registry
65
How do you source title information?
- Land registry
- Title searches
65
What is Intellectual Property and can it be transferred?
- IP encompasses creations like patents, copyrights, trademarks and trade secrets.
- Yes can be transferred
Data Management APC Q&A
flashcards
Decks in class (1)
# Cards
