Data Management Flashcards
What is GDPR?
The EU General Data Protection Regulation
Designed to harmonise data privacy laws, to protect and empower all EU citizens’ data privacy
What is the purpose of GDPR?
Protect citizens’ personal data
Make legislation more widely standardised across the EU
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify a person
E.g. names, photo, email address, bank details, IP address
Give some examples of personal data under GDPR that could apply to property companies
For property companies: data relating to investors, fund managers, valuations, compliance, bookkeeping, payroll, background checks and human resources
To what organisations does GDPR apply?
All organisations; however, there are exceptions for organisations with fewer than 250 employees
Private individuals not engaged in business activities are exempt
What are the penalties for GDPR breaches?
Up to 4% of annual global turnover or €20m, whichever is greater
What is the ‘right to access’ under GDPR?
Individuals have the right to obtain confirmation that their data is being processed, access to their personal data and other supplementary information
What is a breach notification under GDPR?
GDPR introduces a duty on all organisations to report certain data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible
Where the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, they must be informed without delay
How are data breaches typically discovered?
Access logs, reported thefts, lost equipment or data security incident
How have consent conditions been strengthened under GDPR?
Consent must be given with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
It must be as easy to withdraw consent as it is to give it
What is the ‘right to be forgotten’ under GDPR?
Under Article 17 of the GDPR individuals have the right to have personal data erased in certain circumstances
Including: their personal data is no longer necessary for its original purpose, their data has been processed unlawfully, the organisation is relying on consent as the lawful basis for holding the data, etc.
What is data portability?
Introduced by GDPR
The right for a data subject to receive personal data concerning them which they have previously provided, in a ‘commonly used and machine-readable format’, and the right to transmit that data to another controller
What is privacy by design?
Legal requirement under GDPR
Calls for the inclusion of data protection from the onset of designing systems, rather than as an addition
What is a data protection officer?
An individual appointed to monitor internal compliance and to inform and advise on an organisation’s data protection obligations
Only required if the organisation is a public body or authority, or if the organisation carries out certain types of processing activities
Provide some examples of the types of data held by surveying practices that are covered under GDPR
Data held to service clients, such as data in compliance systems, including accounts, bookkeeping, payroll and HR
Working papers that support compliance work which contain personal data
Customer data held for marketing purposes
Emails and correspondence, as they will relate to clients and their employees
Other physical records held on file
What are the obligations imposed by GDPR?
Must have knowledge of the data you store and process, its geography (where it resides), security, usage and composition
Must be able to provide information on how the data is used and on the rights of individuals regarding their data
Must demonstrate that you are managing personal data in a manner compliant with the regulations and be able to supply, on request, the details of the data you hold and how it has been used
Have to be able to delete every instance of an individual’s data in compliance with the right to be forgotten (including data held in backups)
Must offer this data in a format that allows portability to other data processors should the need arise.
Who regulates GDPR in the UK?
The Information Commissioner’s Office
What are the RICS’ best practice points for compliance with GDPR?
Conduct a data review to understand risks, access rights, purpose for storing etc.
Anonymise data where possible
Encrypt everything where possible
Create breach response policy
Understand the data subject request process
Treat commercial data in the same way as personal data, even though it is not covered by GDPR
Consider the data landscape – policies should include provisions for personal devices to ensure that employees are compliant
What is your company’s policy for data protection breaches?
Suspected breaches should be reported to the individual’s line manager or the firm’s data protection officer
What are the RICS’ best practice recommendations for using confidential information?
Think about whether the information held is personal information, sensitive personal information or confidential information from clients or other stakeholders
Document the purposes for which you are allowed to hold the information and the processes for gaining consent
Keep a record of consent (where necessary) for processing, storage and retention
Check if you have appropriate contractual clauses for use of the information or that data used for measurement, valuation, calculations, analysis, etc. is owned or licensed for that use
What should be included in a firm’s privacy notice?
What information you have
What the information will be used for
Which third parties you might share the information with
How long you will keep the information for
What legal rights they have
When did GDPR come into effect?
25th May 2018
What Act implemented GDPR in the UK?
The Data Protection Act (2018) which replaced the Data Protection Act 1998
What are the principles of Data Protection Act 2018?
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
What are the 8 individual rights under GDPR?
Right to Information
Right of Access
Right of Rectification
Right to Erasure
Right to Restrict Processing
Right to Data Portability
Right to Object
Right to Automated Decision Making
What is a SAR?
Subject Access Request – Demand that the individual be given all the information that a company holds on them.
When was the Freedom of Information Act enforced, and what does it do?
The Freedom of Information Act came into effect in 2000
Allows an individual to request access to information held by a public body
The public body is required to provide that information (normally within 20 working days) in the requested format; however, they can charge a fee for this.
What are the 7 principles of GDPR?
Lawfulness, fairness and transparency.
Purpose Limitation – be specific about the purpose of the data collection.
Data minimisation – only collect what you need.
Accuracy.
Storage Limitations – store data for a necessary limited period and then erase.
Integrity and confidentiality – keep it secure.
Accountability – record and prove compliance.
What is required for a Land Registry compliant plan?
Drawn to scale of 1:100 or 1:200
Have a scale measurement bar
Have the scale noted on the plan
Include a 1:1250 scale map of the location (for urban areas)
Full address including postcode
A north point
Demise outlined in red on the inside edge of the property
What are the provisions of the Land Registry Act (2002)?
A framework for electronic property conveyancing
All freeholds and leases over 7 years must be registered
New regime for adverse possession (over 10 years)
Works towards the Land Registry’s goal of having all property registered electronically by 2030
Can you name some disadvantages of some of the systems you use?
Often relying on data input completed by others – subject to human error
External systems – firm isn’t in control of security
Not user friendly and require specific staff training