Data Management Flashcards
1
Q
What is GDPR and when was it brought in?
A
- Represents the largest change in data protection law across to EU
- Came into force on 25th May 2018 and replaced the data protection 1998
- Aims to create a single data protection regime for anyone doing business in the EU
- It gives people stronger rights to be informed about how their personal information is used.
2
Q
What is the Data Protection Act 2018?
A
- UK’s implementation of the General Data Protection Regulation 2016 (GDPR)
- Complete data protect system – as well as governing personal data covered by GDPR, it covers all other general data as previously covered by the 1998 Act
3
Q
When did GDPR come into force?
A
25th May 2018
4
Q
What are the key changes between GDPR and the previous directive?
A
- Increased territorial scope
- Penalties – fine up to 4% of global turnover or 20m euros
- Consent – conditions for consent have strengthened, the request for consent must be given with the purpose for data processing attached to that consent. Must be clear and simple language and must be easy to withdraw
- Breach notification – breaches must be reported to ICO within 72 hours of breach
- Right to access – individuals will have the right to access their personal data
- Right to be forgotten – individuals have the right to have personal data erased. Right is not absolute, and only applies in certain circumstances. E.g. information is no longer necessary, individual objects to you processing information for direct marketing purposes.
- Data protection offices – internal record keeping requirements with DPO appointments mandatory for controllers and processors. Whose core activities involve regular and systematic monitoring of data subjects on a large scale.
5
Q
What are the key requirements under GDPR?
A
- Obligation to conduction data protection impact assessments for high risk holding of data
- New rights for individuals to have access to information on what personal data is held and to have it erased
- A data controller decides how and why personal data is processed and is directly responsible for GDPR
- ‘Data accountability’ ensuring that organisations can prove to the Information Commissioners Office (ICO) how they comply with the new regulations
6
Q
What happens if you breach GDPR? What is the penalty?
A
- Data security breaches need to be reported to Information Commissioners Office (ICO) within 72 hours where there is a loss of personal data and a risk of harm to individuals
- An increase in fines up to 4% global turnover of the company or €20m (whichever is the greater)
- Policed by the ICO
7
Q
How does GDPR affect surveying practices?
A
- Data you hold to service clients – e.g. valuation systems or compliance systems e.g. accounts, payroll and HR
- Any customer data held for marketing purposes.
- Email and correspondence as contains personal data.
- Need to provide information on how the data you have is used and the rights of the individual regarding data
- Must be able to, on request, the details of the data you hold and how it has been used.
- Need to be able to delete every instance of an individual’s data in compliance with the right to be forgotten.
- Must offer this data in a format that allows portability to other data processors should need to arise.
8
Q
What is a data breach and what should you do if you discover a breach?
A
- Breach = a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Data breaches must be reported to the ICO but only likely to result in a risk to the rights and freedoms of individuals.
- Breaches are discovered through access logs, reported thefts, lost equipment or a data security incident that involves personal data.
- The initial report must be made within 72 hours of having become aware of it
9
Q
Give some examples of best practice to be compliant with the new GDPR
A
- Conduct a data review- understand the risks, access rights, purpose for storing and ensure you have the consent to store data for the purpose in which you are using it.
- Anonymise data wherever possible
- Encrypt everything
- Create a Breach Responses Policy
- Understand the data subject request process – This procedure is run when a person asks for the information that your organisation holds about them in relation to a specific topic, invokes the right to be forgotten, requests you update the data hold on them
- Data storage – revise the length of time that the data is held for
- Consider the purpose the data is held for and decide whether to retain it
- Securely destroy information
10
Q
What does Article 5(1) of GDPR state in relation to the processing of data?
A
- Data must be processed lawfully, fairly and in a transparent manner in relation to individuals
11
Q
What does Article 5(1) of GDPR state in relation to the collection of data?
A
- Data must be collected or specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
12
Q
What does Article 5(1) of GDPR state in relation to the relevance of data?
A
- Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
13
Q
What does Article 5(1) of GDPR state in relation to the accuracy of data?
A
- Data must be accurate and, where necessary kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay
14
Q
What does Article 5(1) of GDPR state in relation to the form which data is kept in?
A
- Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
15
Q
What does Article 5(1) of GDPR state in relation to the processing of data?
A
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisation measures
16
Q
Who does Article 5(2) of GDPR state is responsible for the compliance with the principles outlined in Article 5(1)?
A
- The data controller shall be responsible for, and be able to demonstrate compliance with the principles
17
Q
What are the 8 individual Rights under GDPR?
A
AIRER POA:
- Right of access
- Right to be informed
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability (to use for their own purposes)
- Right to object
- Rights to automated decision making and profiling (as undertaken by insurance companies)
18
Q
How has your firm changed their data management practices to comply with GDPR?
A
- Conducted data protection impact assessments i.e. evaluated risks associated with holding information about individuals
- Ensure data accountability through the appointment of a named data controller
- Contacted individuals who were on distribution lists to confirm that they wanted to be contacted
- Trained staff
- Ensured correct firewalls were in place to ensure appropriate security of personal data
19
Q
Under GDPR, would you be able to transfer personal data you hold outside of the UK?
A
- GDPR restricts transfers of personal data outside the European Economic Area (EEA), unless the rights of the individuals personal data is protected in another way
20
Q
Who has received the largest fine under GDPR?
A
EU - Google in 2019 - the French data protection watchdog, issued its first GDPR fine of $57 million (€50 million) claiming that Google has failed to comply with the EU’s General Data Protection Regulation (GDPR)
UK - British Airways received a £183m fine in 2019 after hackers stole the personal data (including login, payment card, name, address and travel booking information) from 500,000 customers
21
Q
What is the Freedom of Information Act 2000?
A
Gives individuals the right of access to information held by public bodies
22
Q
What does the Freedom of Information Act 2000 require of public bodies?
A
- Public body must tell any individual requesting sight of information whether it holds it
- Normally the public body is required to supply it in 20 working days in the format requested
- It can charge for the provision of the information
23
Q
What are the exemptions from the Freedom of Information Act 2000?
A
- Contrary to the GDPR requirements
- It would prejudice a criminal matter under investigation
- It would prejudice a person’s/organisation’s commercial interest
24
Q
What are the elements of a Non-Disclosure Agreement (NDA)?
A
- Identification of the parties
- Definition of what is deemed to be confidential
- Scope of the confidentiality obligation by the receiving party
- The exclusions from confidential treatment
- The length of term of the agreement
25
What do you understand by the term security of data?
Means ensuring that data is kept safe from corruption and that access to it is suitably controlled to ensure privacy and protection
26
How can security of data be improved?
- Disk encryption - encrypting data on a secure hard disk drive
- Regular back ups off site
- Password protection
- Use of anti-virus software protection
- Firewalls and disaster recovery procedures
27
What does copyright mean?
- A set of exclusive rights granted to the author or creator of any original work, including the right to copy
- These rights can be licensed, assigned or transferred
- Form of intellectual property
28
What does Crown Copyright cover?
- All materials created and prepared by the Government, such as laws, public records, official press releases and OS mapping
29
What is a deed?
A legal document made under seal
30
How can you prove ownership of land which is not registered with the Land Registry?
The Deeds will set out information about the ownership and details of a property
31
What do the Land Registry provide upon request and payment?
Copy of the official Title Register for registered property or land in the UK
32
What does Title indemnity insurance cover?
- Protects a party for any claim arising from the title of a property e.g. title defects, restrictive covenants and easements
- Paid as a one-off premium
33
What are restrictive covenants?
- Agreement to restrict the use of land in some way for the benefit of other land users
- They are enforceable by successors as they run with the land
34
How can a restrictive covenant be removed?
Make an application to the Upper Tribunal (Lands Chamber) but the grounds for discharge are very strict
35
What are MSCI Real Estate indices?
- Indices which provide investment performance statistics for owners and investors / fund management
36
What do MSCI Real Estate indices aim to provide?
- Draw on up-to-date valuations of selected UK properties
37
What are the RICS Data Standards, 2018?
- Set of standards to support the capture, verification and sharing of data in a common format
- They address issues of digital data consistency
38
What data are the RICS Data Standards, 2018 available for?
- International Property Measurement Standards (IPMS)
| - International Construction Measurement Standards (ICMS)
39
What additional data are the RICS Data Standards, 2018 going to be made available for?
- International Valuation Standards (IVS)
| - International Land Measurement Standard (ILMS)
40
As a result of our eventual departure from the European Union, will GDPR still apply in the UK?
- Government has been consistent in saying that it will still adopt all of the provisions of GDPR.
- Most of them have already be written into UK law through the Data Protection Act 2018.
41
What does the colour coding on Title Plans represent?
- Red Line – boundary of registered land
- Green Line – boundary of land removed from title
- Green Shading – land excluded from the title but within area
- Blue shading – right of way on registered land for use by other land
- Orange shading – right of way on other land for use by registered land
42
What are your Quality Assurance procedures relating to the creation of valuation reports?
- Operate a file checklist approach to ensure that all valuers are working to the same standard
- The checklist includes: conflict of interest check, terms of engagement, liability caps, due diligence, comparables, methodology, peer reviews, report sign-off
- Reports are peer reviewed and counter-signed by another valuer
43
What is included in a Land Registry title register?
- A: Property register - description of the property, tenure, the date the property was first registered and any rights it may benefit from e.g. private right of way
- B: Proprietorship register - name and address of the current owner, when they bought the property, how much was paid for it (if sold since 1 April 2000), any restrictions that limit the power of the owner and the class of the title
- C: Charges register - mortgages and other financial burdens received on the property. Other rights or interest that limit how the land or property can be used e.g. leases, rights of way or covenants
44
What is a SAR?
- Subject access request
| - Gives individuals rights to request any 'personal data' held on them. This right is a principle of GDPR
45
What is "personal data" as defined by GDPR?
Personal data are any information which are related to an identified or identifiable natural person e.g. the telephone number, email address
46
What should you do when transferring personal data outside of the European Economic Area (EEA) in order to act in accordance with GDPR?
- Confirm whether the restricted transfer is covered by an "adequacy decision" i.e. the data protection framework is robust enough in that region
- If not it can be covered by an 'appropriate safeguard' or 'exception'
- Ensure all data is encrypted
