Data Management Flashcards
What is GDPR?
EU General Data Protection Regulation
What is the purpose of GDPR?
Protects individuals' personal data and gives them rights over how it is processed
What constitutes personal data?
Any information relating to an identified or identifiable living person (the Data Subject), i.e. anything that can be used to identify them directly or indirectly
e.g. names, photos, email addresses, bank details
Examples of personal data under GDPR that could apply to property companies?
- investors / fund managers data
- valuations
- background checks by HR
- compliance checks
To what organisations does GDPR apply?
All organisations that process personal data of individuals in the EU, regardless of size (the 250-employee threshold only relaxes the duty to keep records of processing activities; it does not exempt a firm from GDPR)
What are penalties for GDPR breaches?
Up to 4% of annual global turnover or €20 million (whichever is greater) for the most serious infringements; a lower tier of 2% / €10 million applies to other infringements
What is the ‘right to access’ under GDPR?
Individuals have the right to obtain confirmation that their data is being processed, and to access their personal data
What is a breach notification under GDPR?
- must report the breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals
- if the breach is likely to result in a high risk to individuals, notify those affected without undue delay
How are data breaches typically discovered?
- access logs
- reported thefts
- lost equipment
- data security incident
How have consent conditions been strengthened under GDPR?
- consent must be freely given, specific, informed and unambiguous, and requested in plain and clear language
- it must be as easy to withdraw consent as it is to give it
What is the ‘right to be forgotten’ under GDPR?
Individuals have the right to have their personal data erased in certain circumstances, e.g.
- the data is no longer necessary for the purpose it was collected
- the data has been processed unlawfully
What is data portability?
Right for a data subject to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and to have it transmitted to another controller
What is privacy by design?
- legal requirement under GDPR
- calls for inclusion of data protection from onset of designing systems, rather than as an addition
Data Protection Officer
- individual appointed to monitor internal compliance
- they advise on an organisation's data protection obligations
Examples of data held by surveying practices?
- payroll and HR information
- customer data for marketing
- emails relating to clients / employees
What are obligations imposed by GDPR?
- have knowledge of what data is stored/processed
- provide information on how data is used and on individuals' rights
- demonstrate data is being managed in compliant manner
- delete every instance of an individual's data when the 'right to be forgotten' applies
- keep data in a format that allows portability to another controller
Who regulates GDPR in the U.K.?
Information Commissioner’s Office
RICS best practice points for complying with GDPR?
- conduct data review
- anonymise data where possible
- encrypt everything where possible
- treat commercial data in same way as personal data (even though not covered by GDPR)
What are your company policies for data protection breaches?
- report to line manager
- report to Data Protection Officer
RICS recommendations for using confidential information?
- document purpose for which you are holding the information
- keep record of consent for processing, storage and retention
- check if you have appropriate contractual clauses for use of information
What information should be included in firms privacy notice?
- what information you have
- how the information will be used
- which 3rd parties information will be shared with
- how long information will be stored for
- what legal rights they have
When did GDPR come into effect?
25 May 2018
What Act implemented GDPR in the UK?
Data Protection Act 2018
(replaced Data Protection Act 1998)
What are the 7 data protection principles (GDPR Article 5, as applied in the UK by the Data Protection Act 2018)?
- lawfulness, fairness, transparency
- purpose limitation
- storage limitation
- data minimisation
- accuracy
- accountability
- integrity and confidentiality
8 individual rights under GDPR?
- right to information
- right to access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling (not to be subject to a decision based solely on automated processing that significantly affects them)
What is SAR?
Subject Access Request
- a request by an individual for a copy of the personal data an organisation holds about them, together with information on why and how it is processed
- must normally be answered within one month
Freedom of Information Act 2000
- allows an individual to request access to information held by a public body
- the public body must respond within 20 working days, and should provide the information in the applicant's preferred format where reasonably practicable
- a fee may be charged in certain circumstances (e.g. copying and postage costs)
Land Registration Act 2002
- provides a complete and accurate reflection of the state of the title to land at any given time
- HM Land Registry's aim is to have all freehold land in England and Wales registered by 2030 (registration is compulsory on transfer of freehold land and on the grant or assignment of leases of more than 7 years)
Disadvantages of the systems you use?
- rely on data input completed by others (human error)
- external systems - firm is not in control of their security
- not user friendly and lots of training required!
How did GDPR tighten up the former Data Protection Act 1998?
- individuals have greater control over their data
- harsh penalties if fail to comply
- GDPR is binding piece of legally enforceable regulation
- applies in all EU member states and to any organisation, inside or outside the EU, that processes personal data of individuals in the EU
- breaches have to be reported to relevant authority within 72 hours
- companies will be accountable for data protection
- a Data Protection Officer must be appointed by public authorities and by firms whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data (there is no 250-employee trigger)
Privacy and Electronic Communications Regulations 2003
Makes it unlawful to transmit an automated recorded message for direct marketing purposes via telephone without the prior consent of the subscriber; also governs unsolicited direct marketing by email and text message
Copyright
Exclusive legal right given to the creator of an original work for a fixed number of years
- rights can be licensed, assigned or transferred
Can copyright be transferred?
Yes