Data Management

Question 1

What is a Subject Access Request

Answer 1

when a user requests information under Article 15 of GDPR

Question 2

If a tenant would like access to some CCTV footage, what is required?

Answer 2

Subject Access Request

• liaise with data protection officer on what is required and what can be given

Question 3

What are the fines for breaching GDPR

Answer 3

4% of global annual turnover or up to 20 million euros

Question 4

What is a firewall

Answer 4

Network security system that monitors and controls incoming and outgoing network traffic, based on predetermined security rules

Question 5

What is encryption

Answer 5

Mathematical function that codes data so only authorized users can access it
- Makes readable text unreadable unless a code or decryption key is known

Question 6

What are the principles of GDPR and DPA 2018

Answer 6

Information must be used lawfully and transparently
Information must be collected for a legitimate and specified purpose
Information must be adequate and limited to necessity
Information must be accurate and kept up to date
Information must be kept safe and no longer than necessary

Question 7

What are the obligations of GDPR

Answer 7

Must have knowledge of the data you store and process
Must be able to delete every instance of an individuals data
Must demonstrate compliance in managing data
Must offer data portability
Must be able to prove how information is being processed

Question 8

What are individuals rights with respect to data?

Answer 8

Right to be informed
Right to access
Right to rectification
Right to restrict processing
Right to erasure
The right to Object
Right to data portability

Question 9

How do you treat / manage confidential information

Answer 9

Conduct data reviews
Anonymise data where possible
Encrypt data here possible
Treat commercial data as personal data
Understand what data we hold and how it is processed
Password protection and secure data sites
Use of firewalls
Have a breach policy response

Question 10

How do you protect data?

Answer 10

Anonymise data where possible
Encrypt data here possible
Understand what data we hold and how it is processed
Password protection and secure data sites
Use of firewalls
Report suspected breaches
Have a breach policy response

Question 11

What other legislation is there relating to data management apart from GDPR and Data protection Act 2018?

Answer 11

Freedom of information act 2000
Limitations Act 1980

Question 12

How long can you hold data for?

Answer 12

No specific time limit – GDPR says no longer than necessary. Organisations privacy policy should dictate
As short as possible and as agreed with the data subject

Question 13

Why was GDPR introduced?

Answer 13

To consolidate data protection laws across EU member countries and provide greater protection and rights to individuals

Question 14

Why is it important that data is uploaded correctly

Answer 14

To ensure protection of individuals data and compliance with legislation

Question 15

When are you allowed to upload data / share date? How did you know you were allowed to do this?

Answer 15

Firms privacy notice dictates what data we hold, how it is processed and also how and when we might share with a third party and which third party it would be shared with.
For example, at the sale of a property.
This privacy notice is issued to all tenants.

Question 16

How have consent conditions been strengthened under GDPR

Answer 16

Consent must be clear and indistinguishable from other matters
Consent must be provided in an intelligible and easily accessible form, using clear and plain language
Must be as easy to withdraw consent as it is to give consent

Question 17

When can an individual request for their information to be deleted?

Answer 17

If an individuals data has been unlawfully processed
If an individuals data is no longer necessary for the purpose it was originally collected

Question 18

What is privacy of design and is it a legal requirement?

Answer 18

Implementation of security systems into the original design of management systems as opposed to later additions – yes it’s a legal requirement

Question 19

List the 7 key principles of GDPR?

Answer 19

1. Lawfulness, fairness and transparency
2. Purpose Limitation
3. Data minimisation
4. Accuracy
5. Storage Limitations
6. Integrity and Confidentiality
7. Accountability

Question 20

What are the consequences non-compliance of GDPR for a firm?

Answer 20

Fines of up to 20million euros or up to 4% of total global revenue of the preceding year, whichever is greater

Question 21

How long can you hold data for?

Answer 21

Shortest time is 6 years for accounting VAT/tax purposes but the limitation Act 198- provides for a period of up to 15 years for a professional negligence claim.

Depends on different factors though such as, do they include any original contracts or leases, do they relate to a current project, do you need them to justify your fees, are the files relevant to any disputes and are they needed for any litigation.

Question 22

If an assignment completed on a lease please can you confirm how long you should hold the assignor information for on the system?

Answer 22

Would depend on the terms of the assignment
Is there an AGA in place, if so you would hold the assignor details until the end of the lease and then 6 plus one year.

Same for privity of contract

Could also argue you can hold details until arrears are cleared in full

Question 23

What did you actually have to do in the sale of spreadeagle? You say you provided information, what sort format did you put that information together?

Answer 23

Assist solicitors with questions from the purchaser and provide requested documents such as property info and H&S compliance info (i.e answers to CPSE)
Uploaded to a secure data room which is password protected and protected by a fire wall.
Anonymised data where possible

Question 24

What are CPSEs?

Answer 24

Commercial Property Standard Enquiries

Question 25

Who was responsible for the security of the data room?

Answer 25

The solicitors

Question 26

How was the data room secured?

Answer 26

Only authorized users could access it – password protected
Also protected by a fire wall

Question 27

Did you have access to the data room?

Answer 27

Yes I was provided a username and password to upload requested information

Question 28

What typically would you expect to find in a data room for a sale of this sort of property?

Answer 28

CPSE responses
H&S compliance information
Property information such as title plans
Leases and licences
Budgets and reconciliations
H&S reports and environmental reports
Refurbishment / project works completion statements and warrantys

Question 29

What is the current legislation we adhere to in the UK for data protection?

Answer 29

Data Protection Act 2018

Question 30

What does the data protection act include?

Answer 30

EU GDPR

Question 31

What does GDPR stand for?

Answer 31

General Data Protection Regulation

Question 32

What rights do the public have on their data?

Answer 32

The right to information
The right to access
The right to erasure
The right to rectification
The right to restrict processing
The right to data portability
The right to object
The right to automated decision making

Question 33

What are the penalties of breach of GDPR / data protection?

Answer 33

4% of annual global turnover or 20 million euros

Question 34

How do you keep data secure within your office?

Answer 34

Follow out privacy policy:
Understand the data we hold and what it is used for
Understand when we can share the data and who with
Do not send sensitive data unless in accordance with privacy policy
Ensure all data is secure and only authorized users can access through password protection
Data is protected by firewall implemented by IT

Question 35

How do you ensure accuracy?

Answer 35

Have it checked by colleagues
Check against original documents

Question 36

What are the provisions of the Land Registry Act 2002?

Answer 36

Freeholds over 7 years require electronic registering
Aim to have all original documents registered electronically by 2030
Changes to adverse possession years