Data Management Flashcards
What are the 7 principles of the Data Protection Act 2018? (AKA the 7 principles of GDPR)
Lawfulness, fairness, transparency
Accuracy
Accountability
Purpose limitation
Storage limitation
Data minimisation
Integrity and confidentiality
(LAAP SDI)
Examples of personal data under GDPR that could apply to property companies?
Data relating to:
Investors, fund managers, valuations, compliance, background checks by HR, etc.
(IF CV)
When did GDPR come into effect?
25 May 2018
What is GDPR?
EU General Data Protection Regulation
To what organisations does GDPR apply?
All organisations of more than 250 employees
What are penalties for GDPR breaches?
4% of annual global turnover or £17.5 million.
How are data breaches typically discovered?
Access logs, reported thefts, lost equipment or data security incident
(ATLS)
Examples of data held by surveying practices?
Payroll and HR
Customer data for marketing
Emails and correspondence relating to clients and employees
(CEP)
What Act implemented GDPR in the UK?
Data Protection Act (2018)
Disadvantages of the systems you use?
Rely on data input completed by others - human error
External systems - firm is not in control of security
Not user friendly and lots of staff training required!
(HES)
What is the Data Protection Act 2018 and what is its purpose?
The Data Protection Act 2018 (DPA 2018) governs how personal data should be processed, protecting the privacy rights of individuals.
Purpose:
1. Aims to create a single data protection regime for anyone doing business in the EU
2. Empowers individuals to take control of how their data is used by third parties.
What are the 8 individual rights under GDPR?
Right to be informed
Right of access
Right of rectification
Right to erasure
Right to restrict processing
Right to data portability (to use for own purposes)
Right to object
Right to automated decision making and profiling (as undertaken by insurance companies)
(I, A, R, E, R, D, O, D)
What are some of the data security technologies you could use?
It demands that the individual be given all the information that a company holds on them.
RICS best practice points for complying with GDPR?
Conduct data review
Anonymise data where possible
Encrypt everything where possible
(CAE)
Treat commercial data in same way as personal data, even though not covered by GDPR
What is ‘right to be forgotten’ under GDPR?
Under Article 17 of GDPR, individuals have the right to have personal data erased in certain circumstances:
Data no longer necessary
Data has been processed unlawfully
What is SAR?
Subject Access Request:
An individual can request all the information that a company holds on them.
Fill in a form outlining who they are, in writing and on headed paper.
What is the ‘right to access’ under GDPR?
Individuals have the right to obtain confirmation that their data is being processed, and access to their personal data
When would you report a data breach?
Need to report within 72 hours of becoming aware of the breach.
Inform the Data Protection Officer
Inform IT
If the breach is high risk, then need to notify the ICO without delay.
What is data portability?
Right for data subject to receive personal data concerning them which they have previously provided, and have it transmitted to another controller.
What is data protection officer?
An individual appointed to monitor internal compliance and advise on an organisation's data protection obligations
Only required if the organisation is a public body or authority, or is carrying out certain types of processing activity
What is privacy by design?
Data protection through technology design
What are the obligations imposed by GDPR?
Knowledge of data you store.
Need to be able to (Provide information on how data is used) and on the rights of individuals regarding their data
Need to be able to (Demonstrate data is being managed in a compliant manner).
Must be able to (Delete every instance of an individual's data) - in compliance with the ‘right to be forgotten’
(Must keep data in a format that allows portability) to another data processor, should the need arise
What is the Freedom of Information Act?
Act of Parliament that creates a public right of access
Allows an individual to request access to information held by a public body - Government for example.
Public body is required to provide that information (within 20 working days) in requested format
They can charge a fee for this
What is an information barrier and how should it be enforced?
- A different surveyor should act for each client.
- They must be physically separated, preferably in different buildings or on different floors, with separate support teams.
- All information regarding the instruction should be securely stored.
- The firm's compliance officer must oversee all actions.
Who regulates GDPR in the UK?
Information Commissioners Office (ICO)
RICS Professional statement for data management?
RICS Professional Statement on Data Handling and Prevention of Cyber Crime
Commercial v personal
Treat both equally
What is copyright?
It is a set of exclusive rights granted to the author. Rights can be licensed, assigned or transferred.
Cannot reproduce copyrighted material without the express consent of the author.
What ways can you protect your data?
Disk encryption
Regular backups
Password protection
Firewalls
Is there any other way to formalise sensitive information between two parties?
NDA (Non Disclosure Agreement)
- Legally enforceable contract between two parties relating to sensitive information.
What is the purpose of a CPSE?
Commercial Property Standard Enquiries. They are in place to help ensure a smooth transition to a new tenancy by providing the relevant documentation: lease plans, licences, SC budgets, EPCs, etc.
What is intellectual property?
This is data owned by a company/individual; others cannot profit from the data.