Data Management

Question 1

What are the 7 principles of Data Protection Act 2018? (AKA 7 principles of GDPR)

Answer 1

Lawfulness, fairness, transparency

Accuracy

Accountability

Purpose limitation

Storage limitation

Data minimisation

Integrity and confidentiality

(LAAP SDI)

Question 2

Examples of personal data under GDPR that could apply to property companies?

Answer 2

Data relating to:

investors, fund managers, valuations, compliance, background checks by HR etc

IF CV

Question 3

When did GDPR come into effect

Answer 3

25 May 2018

Question 4

What is GDPR?

Answer 4

EU General Data Protection Regulation

Question 5

To what organisations does GDPR apply?

Answer 5

All organisations of more that 250 employees

Question 6

What are penalties for GDPR breaches?

Answer 6

4% of annual global turnover or £17.5million pounds.

Question 7

How are data breaches typically discovered?

Answer 7

Access logs, reported thefts, lost equipment or data security incident
(ATLS)

Question 8

Examples of data held by surveying practices?

Answer 8

Payroll and HR

Customer data for marketing

Emails and corrspondance relating to clients and employees

(CEP)

Question 9

What Act implemented GDPR in the UK?

Answer 9

Data Protection Act (2018)

Question 10

Disadvantages of the systems you use?

Answer 10

Rely on data input completed by others - human error

External systems - firm is not in control of security

Not user friendly and lots of staff training required!

(HES)

Question 11

What is Data protection Act 2018 and what is the purpose?

Answer 11

The Data Protection Act 2018 (DPA 2018) governs how personal data should be processed, protecting the privacy rights of individuals.

Purpose -

1.Aims to create single data protection regime for anyone doing business in EU

2. Empowers individuals to take control of how their data is used by third parties.

Question 12

What are the 8 individual rights under GDPR

Answer 12

Right to be informed

Right of access

Right of rectification

Right to erasure

Right to restrict processing

Right to data portability (to use for own purposes)

Right to object

Right to automated decision making and profiling (as undertaken by insurance companies)

I,A,R,E R D,O,D

Question 13

RICS best practice points for complying with GDPR?

Answer 13

Conduct data review

Anonymise data where possible

Encrypt everything where possible

CAE

Treat commercial data in same way as personal data, even though not covered by GDPR

Question 14

What is ‘right to be forgotten’ under GDPR?

Answer 14

Under Article 17 of GDPR, individuals have right to have personal data erased in certain circumstances

Data no longer necessary

Data been processed unlawfully

Question 15

What is SAR?

Answer 15

Subject Access Request:

individual can request for all the information that a company holds on them.

Fill in form outlining who they are inwriting and on headed paper.

Question 16

What is the ‘right to access’ under GDPR?

Answer 16

Individuals have the right to obtain confirmation that their data is being processed, and access to their personal data

Question 17

When would you report a data breach?

Answer 17

Need to report within 72 hours of becoming aware of breach .

Inform Data protection officer
Informing IT

If breach high risk, then need to notify ICO without delay.

Question 18

What is data portability?

Answer 18

Right for data subject to receive personal data concerning them which they have previously provided, and have it transmitted to another controller.

Question 19

What is data protection officer?

Answer 19

An individual appointed to monitor internal compliance and advise on an organisations data protection obligations

Only required if organisation is public body, authority or carrying out certain type of processing activity

Question 20

What is privacy by design?

Answer 20

data protection through technology design

Question 21

What are the obligations imposed by GDPR?

Answer 21

Knowledge of data you store.

Need to be able to (Provide information on how data is used) and the rights of individuals regarding their data

Need to be able to (Demonstrate data is being managed in compliant manner).

Must be able to (Delete every instance of an individuals data) - in compliance with ‘right to be forgotten’

(Must keep data in format that allows portability) to another data processor, should the need arise

Question 22

What is a Freedom of Information Act ?

Answer 22

Act of parliament that creates a public right of access

Allows an individual to request access to information held by a public body - Government for example.

Public body is required to provide that information (within 20 working days) in requested format

They can charge a fee for this

Question 23

What is an information barrier and how should it be enforced?

Answer 23

1. Different surveyor should act for each client.
2. They must be physically separated preferably in different
   buildings or on different floors with separate support teams.
3. All information regarding the instruction should be securely stored.
4. The firms compliance officer must oversee all actions.

Question 24

Who regulates GDPR in the UK?

Answer 24

Information Commissioners Office (ICO)

Question 25

RICS Professional statement for data management?

Answer 25

RICS PROFESSINAL STATMENT ON DATA HANDILING AND PREVENTIATION OF CYBER CRIME

Question 26

commercial v personal

Answer 26

treat both equally

Question 27

What is copyright?

Answer 27

It is a set of exclusive rights granted to the author. Rights can be licensed, assigned or transferred. Cannot reproduce copyright without the expressed consent of the author.

Question 28

What ways can you protect your data?

Answer 28

Disk encryption Regular back ups Password protection firewalls

Question 29

Is there any other way to formalise sensitive information between two parties?

Answer 29

NDA (Non Disclosure Agreement) - Legally enforceable contract between two parties relating to sensitive information.

Question 30

What is the purpose of a CPSE?

Answer 30

Commercial property standard enquiries and are in place to help foresee a smooth transition of a new tenancy by providing the relevant documentations; lease plans, licenses, SC budgets, EPCs etc.

Question 31

What is intellectual property? examples

Answer 31

This is data owned by a company/individual and cannot profit from the data. Examples: Copyright, branding.

Question 32

What is data accountability ?

Answer 32

Ensures that organisations can prove to the ICO how to comply with the new regulations. Exemptions are if there is a criminal matter which is under investigation.

Question 33

Can the tenants request to know what information you have on them and are you under an obligation to provide it?

Answer 33

Under subject access request - individuals have the right to obtain confirmation that their data is being processed, and access to their personal data.

Question 34

What is sensitive data?

Answer 34

Data which identifies someone

Question 35

What information is required on an ‘input form’?

Answer 35

Input forms are primarily used for new tenancies, so it'' outline the below: - Date of lease commencement - Rent commencement - any breaks, rent reviews - interest rates on non payment - lease end date - repairing clause - alterations clause - use class

Question 36

Retention of files and Limitation Act 1980

Answer 36

Retention act - Must hold clients files for 6 years Limitation Act 1980 provides timescales for which the breach of (negligence) must be actioned - 6 years from the date on which the breach occurred. Where a contract is executed as a ‘deed’ this is extended to 12 years.

Question 37

What is a data room

Answer 37

A data room is where there is a sale of a property and within the sale, you would need to provide leases, licenses, any relevant information for the sale of that property; Planning,