Data Management Flashcards

1
Q

What is GDPR?

A

The EU General Data Protection Regulation (Regulation (EU) 2016/679)
Designed to harmonise data protection law across the EU and to protect and empower individuals in the EU in respect of their personal data (it protects anyone in the EU, not only EU citizens)

2
Q

What is the purpose of GDPR?

A

Protect individuals’ personal data
Standardise data protection legislation across the EU

3
Q

What constitutes personal data?

A

Any information relating to an identified or identifiable natural person (the ‘data subject’), i.e. information that can be used, on its own or combined with other data, to identify a person directly or indirectly
E.g. names, photographs, email addresses, bank details, IP addresses and other online identifiers, location data

4
Q

Give some examples of personal data under GDPR that could apply to property companies

A

For property companies: personal data relating to investors and fund managers, and personal data contained in valuation files, compliance records, bookkeeping, payroll, background checks and human resources records

5
Q

To what organisations does GDPR apply?

A

All organisations that process personal data of individuals in the EU, wherever the organisation is based (including organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU)
There is no general exemption for small organisations: the only concession for those with fewer than 250 employees is a limited exemption from keeping records of processing activities (Article 30), and it does not apply where the processing is not occasional, is likely to result in a risk to individuals, or involves special category or criminal conviction data
Private individuals processing data purely for personal or household activities are outside its scope

6
Q

What are the penalties for GDPR breaches?

A

Two tiers of administrative fines, in each case whichever is greater:
Up to €10m or 2% of annual worldwide turnover, for breaches of obligations such as security, record-keeping and breach notification
Up to €20m or 4% of annual worldwide turnover, for breaches of the data protection principles, the conditions for lawful processing (including consent), individuals’ rights or the rules on international transfers

7
Q

What is the ‘right to access’ under GDPR?

A

Individuals have the right to obtain confirmation that their personal data is being processed, a copy of that data, and supplementary information (the purposes of processing, the recipients, the retention period, the source of the data and their other rights), normally free of charge and within one month

8
Q

What is a breach notification under GDPR?

A

GDPR places a duty on all organisations to report a personal data breach to the relevant supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms
Where the breach is likely to result in a high risk to individuals’ rights and freedoms, the affected individuals must also be informed without undue delay
Every breach, including those not reported, must be documented internally

9
Q

How are data breaches typically discovered?

A

Access logs and monitoring alerts, reported thefts, lost or stolen equipment, or other data security incidents (including those reported by clients, staff or third parties)

10
Q

How have consent conditions been strengthened under GDPR?

A

Consent must be freely given, specific, informed and unambiguous, and tied to the purpose(s) of the processing. The request for consent must be clearly distinguishable from other matters and presented in an intelligible and easily accessible form, using clear and plain language; pre-ticked boxes and implied consent do not count.
It must be as easy to withdraw consent as it is to give it

11
Q

What is the ‘right to be forgotten’ under GDPR?

A

Under Article 17 of the GDPR (the right to erasure) individuals have the right to have their personal data erased in certain circumstances
Including: the data is no longer necessary for the purpose it was collected for; the data has been processed unlawfully; the organisation relies on consent as its lawful basis and the individual withdraws it; the individual objects to the processing and there is no overriding legitimate ground; erasure is required to comply with a legal obligation
The right is not absolute, e.g. it does not apply where the processing is necessary to comply with a legal obligation or to establish, exercise or defend legal claims

12
Q

What is data portability?

A

Introduced by GDPR (Article 20)
The right of a data subject to receive personal data they have provided to a controller in a ‘structured, commonly used and machine-readable format’ and to transmit that data to another controller (or to have it transmitted directly, where technically feasible)
Applies only where the lawful basis is consent or contract and the processing is carried out by automated means

13
Q

What is privacy by design?

A

A legal requirement under GDPR (Article 25, ‘data protection by design and by default’)
Calls for data protection to be built into systems and processes from the outset (e.g. collecting only the data needed, pseudonymising it, and defaulting to the most privacy-protective settings), rather than bolted on afterwards

14
Q

What is a data protection officer?

A

An individual appointed to monitor internal compliance, to inform and advise on the organisation’s data protection obligations, and to act as the point of contact for the supervisory authority and for data subjects
Only mandatory where the organisation is a public authority or body, or where its core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category or criminal conviction data; other organisations may appoint one voluntarily

15
Q

Provide some examples of the types of data held by surveying practices that are covered under GDPR

A

Data held to service clients, such as data in compliance systems, including accounts, bookkeeping, payroll and HR
Working papers that support compliance work and contain personal data
Customer data held for marketing purposes
Emails and correspondence, as they will relate to clients and their employees
Other physical records held on file

16
Q

What are the obligations imposed by GDPR?

A

Must know what personal data you store and process, where it resides, how it is secured, how it is used and what it consists of

Must be able to provide information on how the data is used and on the rights of individuals regarding their data

Must be able to demonstrate that you are managing personal data in a manner compliant with the regulation, and be able to supply, on request, details of the data you hold and how it has been used

Must be able to delete every instance of an individual’s data in compliance with the right to erasure (including data held in backups; where a backup cannot be edited immediately, the individual should be told that the data will be overwritten in line with the backup retention schedule and that it will not be restored into live systems)

Must be able to offer this data in a format that allows portability to another controller should the need arise

17
Q

Who regulates GDPR in the UK?

A

The Information Commissioner’s Office

18
Q

What are the RICS’ best practice points for compliance with GDPR?

A

Conduct a data review to understand risks, access rights, purpose for storing etc.
Anonymise data where possible
Encrypt everything where possible
Create breach response policy
Understand the data subject request process
Treat commercial data in the same way as personal data, even though it is not covered by GDPR
Consider the data landscape – policies should include provisions for personal devices to ensure that employees are compliant
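The ‘anonymise where possible’ point above hides a common mistake: replacing an email address with its plain SHA-256 hash is not anonymisation, because anyone who can guess candidate addresses can re-hash them and link the records back. The following is an added example, not RICS guidance or code from the original deck; the client records, the controller key and the attacker’s candidate list are constructed for illustration. It contrasts an unkeyed hash with a keyed pseudonym (HMAC-SHA256) and runs the same dictionary attack against both. Note that under GDPR pseudonymised data is still personal data while the key exists, so the key needs the same access controls as the data it protects and must be stored separately from the pseudonymised data set.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical clients, not real people).
CLIENTS = [
    {"email": "A.Patel@example.com", "valuation": 425_000},
    {"email": "j.smith@example.com", "valuation": 310_000},
    {"email": "m.jones@example.com", "valuation": 750_000},
]


def normalise(email: str) -> bytes:
    # Case-fold and trim so the same person always maps to the same token.
    return email.strip().lower().encode("utf-8")


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    This is NOT anonymisation: anyone holding a list of plausible addresses
    can re-hash each one and match the digests back to the records.
    """
    return hashlib.sha256(normalise(email)).hexdigest()


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256).

    Records stay linkable to each other, but a token cannot be re-derived
    from a guessed address without `key`. The output is still personal data
    under GDPR while the key exists, so keep the key out of the data set.
    """
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def strip_identifiers(records: list[dict], key: bytes) -> list[dict]:
    """Copy of `records` with the email replaced by its keyed pseudonym."""
    return [
        {"token": pseudonymise(r["email"], key), "valuation": r["valuation"]}
        for r in records
    ]


def reidentify(tokens: list[str], candidates: list[str], token_fn) -> dict[str, str]:
    """Dictionary attack: derive a token for every candidate address and match
    it against the released tokens. Returns {token: email} for every hit."""
    lookup = {token_fn(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo() -> dict[str, int]:
    """Run the same candidate-list attack against both schemes."""
    controller_key = secrets.token_bytes(32)  # held by the data controller only
    attacker_key = secrets.token_bytes(32)    # attacker does not know the real key

    # Attacker's constructed candidate list: the real addresses plus a decoy.
    candidates = [r["email"] for r in CLIENTS] + ["nobody@example.com"]

    naive_tokens = [naive_hash(r["email"]) for r in CLIENTS]
    released = strip_identifiers(CLIENTS, controller_key)
    pseudo_tokens = [r["token"] for r in released]

    return {
        # Unkeyed hashes: every record is recovered from the candidate list.
        "naive_recovered": len(reidentify(naive_tokens, candidates, naive_hash)),
        # Keyed tokens, wrong key: nothing matches.
        "pseudo_recovered_without_key": len(reidentify(
            pseudo_tokens, candidates, lambda e: pseudonymise(e, attacker_key))),
        # The controller, holding the key, can still link records when required
        # (e.g. to answer a subject access or erasure request).
        "pseudo_recovered_with_key": len(reidentify(
            pseudo_tokens, candidates, lambda e: pseudonymise(e, controller_key))),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed scheme is only as strong as the secrecy of the key: if the key is stored alongside the data set (or in the same backup), a breach of that store re-identifies every record just as easily as the unkeyed hash does.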

19
Q

What is your company’s policy for data protection breaches?

A

Suspected breaches should be reported to the individual’s line manager or the firm’s data protection officer

20
Q

What is the RICS’ best practice recommendations for using confidential information?

A

Think about whether the information held is personal information, sensitive personal information or confidential information from clients or other stakeholders

Document the purposes for which you are allowed to hold the information and the processes for gaining consent

Keep a record of consent (where necessary) for processing, storage and retention

Check if you have appropriate contractual clauses for use of the information or that data used for measurement, valuation, calculations, analysis, etc. is owned or licensed for that use

21
Q

What should be included in a firm’s privacy notice?

A

What personal data you hold
What the data will be used for, and the lawful basis for that use
Which third parties you might share the data with
How long you will keep the data for
What legal rights individuals have over their data, and how to complain to the ICO

22
Q

When did GDPR come into effect?

A

25th May 2018

23
Q

What Act implemented GDPR in the UK?

A

The Data Protection Act 2018, which supplements and tailors the GDPR in the UK (the GDPR itself applied directly as an EU regulation) and replaced the Data Protection Act 1998; since the UK left the EU the regulation is retained in UK law as the ‘UK GDPR’

24
Q

What are the principles of the Data Protection Act 2018?

A

Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability

25
Q

What are the 8 individual rights under GDPR?

A

Right to be informed
Right of access
Right to rectification
Right to erasure (the ‘right to be forgotten’)
Right to restrict processing
Right to data portability
Right to object
Rights in relation to automated decision-making and profiling

26
Q

What is a SAR?

A

Subject Access Request: a request by an individual for confirmation that their data is being processed and for a copy of all the personal data an organisation holds on them, plus supplementary information. It can be made verbally or in writing and need not mention GDPR; it must normally be answered within one month, free of charge.

27
Q

When did the Freedom of Information Act come into force, and what does it do?

A

The Freedom of Information Act 2000 received Royal Assent in 2000; its general right of access came fully into force on 1 January 2005
Allows anyone to request access to recorded information held by a public authority
The public authority is required to respond (normally within 20 working days), providing the information in the requested format where reasonably practicable; a fee may be charged in some circumstances and exemptions may apply

28
Q

What are the 7 principles of GDPR?

A

Lawfulness, fairness and transparency.
Purpose limitation – be specific about the purpose of the data collection.
Data minimisation – only collect what you need.
Accuracy – keep it accurate and up to date.
Storage limitation – keep data only for as long as necessary, then erase it.
Integrity and confidentiality – keep it secure.
Accountability – record and be able to prove compliance.

29
Q

What is required for a Land Registry compliant plan?

A

Drawn to a scale of 1:100 or 1:200
Have a scale bar
Have the scale noted on the plan
Include a 1:1250 scale location plan (for urban areas)
Full address including postcode
A north point
Demise outlined in red on the inside edge of the property boundary

30
Q

What are the provisions of the Land Registration Act 2002?

A

A framework for electronic conveyancing
All freeholds and leases granted for more than 7 years must be registered
A new regime for adverse possession of registered land (a squatter may apply to be registered after 10 years, but the registered proprietor is notified and can object)
Works towards HM Land Registry’s goal of having all land in England and Wales registered by 2030

31
Q

Can you name some disadvantages of some of the systems you use?

A

Often rely on data input completed by others, so they are subject to human error
External systems mean the firm is not in control of their security
Not always user friendly, and they require specific staff training