Data Management Flashcards
What is GDPR?
General Data Protection Regulation
What is the purpose of GDPR?
Protect citizens personal data
What constitutes personal data?
Any information related to a person or ‘Data Subject’ that can be used to identify a person EG names, photo, email address, bank details etc
Examples of personal data under GDPR that could apply to property companies?
Investor information, employee information, marketing, tenant, client information.
To what organisations does GDPR apply?
All organisations of more that 250 employees
What are penalties for GDPR breaches?
4% of annual global turnover or up to 20 million euros.
What is the ‘right to access’ under GDPR? How would they do this?
Individuals have the right to obtain confirmation that their data is being processed, and access to their personal data
Through a SAR or Special Access request under Article 15 of of the UK GDPR Act. An individual can request a company provides any information a company holds on that person. The SAR does not have to be formally stated, it can be verbally or in writing or even on social media.
If someone makes a SAR, consult the Workman compliance team on the next steps. You can clarify the request and you can withhold information under certain reasonable grounds which must be stated.
What is a breach notification under GDPR?
Need to report within 72 hours of becoming aware of breach
If breach high risk, then need to notify individual without delay
How are data breaches typically discovered?
Access logs, reported thefts, lost equipment or data security incident, technology/systems audits
How have consent conditions been strengthened under GDPR?
Consent must be given using plain and clear language
Must be as easy to withdraw consent as it is to give it
What is ‘right to be forgotten’ under GDPR?
Under Article 17 of GDPR, individuals have right to have personal data erased in certain circumstances
Data no longer necessary
Data been processed unlawfully
What is data portability?
Under Article 20 - Right for data subject to receive personal data concerning them which they have previously provided, and have it transmitted to another controller
What is privacy by design?
Legal requirement under GDPR
Calls for inclusion of data protection from onset of designing systems, rather than as addition
What is data protection officer?
An individual appointed to monitor internal compliance and advise on an organisations data protection obligations
Only required if organisation is public body, authority or carrying out certain type of processing activity
Examples of data held by surveying practices?
Payroll and HR
Customer data for marketing
Emails and correspondence relating to clients and employees
What are obligations imposed by GDPR?
Must have knowledge of data you store and process
Need to be able to provide information on how data is used and the rights of individuals regarding their data
Need to be able to demonstrate data is being managed in compliant manner
Must be able to delete every instance of an individuals data in compliance with ‘right to be forgotten’
Must keep data in format that allows portability to another data processor, should the need arise
Data must be securely stored with sufficient access controls and encryption where necessary
Who regulates GDPR in the UK?
Information Commissioners Office - ICO
RICS best practice points for complying with GDPR? How does Workman compl
Conduct data review
Anonymise data where possible
Encrypt everything where possible
Treat commercial data in same way as personal data, even though not covered by GDPR
What are your companys policies for data protection breaches?
Report to line manager or Data Protection Officer/compliance team within the firm
RICS recommendations for using confidential information?
Document purposes for which you are allowed to hold information
Keep record of consent for processing, storage and retention
Check if you have appropriate contractual clauses for use of information
What information should be included in firms privacy notice?
What information you have
What the information will be used for
Which third parties information will be shared with
How long information will be stored for
What legal rights they have
When did GDPR come into effect under the Data Protection Act 2018?
May 2018
What are the 7 principles of Data Protection Act 2018? (AKA 7 principles of GDPR)
Lawfulness, fairness, transparency
Accuracy
Accountability
Purpose limitation
Storage limitation
Data minimisation
Integrity and confidentiality
8 individual rights under GDPR?
Right to Information
Right to Access
Right to Rectification
Right to Erasure
Right to Restrict Processing
Right to Data Portability
Right to Object
Right to Automated Decision Making
What was the Freedom of Information Act?
Came into effect in 2000
Allows an individual to request access to information held by a public body
Public body is required to provide that information (within 20 working days) in requested format
They can charge a fee for this
What are the provisions of the Land Registry Act (2002)?
Provides a complete and accurate reflection of the state of the title of the land at any given time
Aim is to get all freehold land in England and Wales registered by 2030
Disadvantages of the systems you use?
Rely on data input completed by others - human error
External systems - firm is not in control of security
Not user friendly and lots of staff training required!
How do you comply with GDPR in your role?
Don’t forward on email chains
Don’t share passwords or log ins
Wouldn’t sent an email to more than one tenant copied in, BCC.
Give me an example of how you ensure that data is kept securely.?
Strong password protection
Firewall
Anti-virus software
What is copyright?
The exclusive and assignable legal right given to the originator for a fixed number of years, to print, perform, film or record literacy, artistic or musical material.
What does block chain mean?
Shared ledger system that facilitates process of recording transactions across a computer network
What are the obligations under GDPR?
Need to have knowledge of data held and processed
Have the ability to delete data every instance of data on subject
Demonstrate data management compliance
Prove how data is used
Prove data portability (allow subject to reuse personal data for own purpose)
Explain the growing use of AVMs in the industry?
Automated valuation models
- Speed, cost and removal of human errors
- Issue is that prop isnt inspected and lack of comparable data
Can you give me some examples of reports that you run?
Arrears report
Tenancy schedules
Service charge analysis
What is a firewall?
Computer network security system that restricts internet traffic
Which records are manually kept in your office and why?
Financial records e.g. invoices and receipts - In case the system ever goes down
Who is exempt from GDPR?
National security
Journalism (In some circumstances)
Law enforcement
Academic research
Public health
Each of these organisations have their own rules to follow
Can you tell me how CCTV relates to GDPR and the principles that underpin it?
Data transparency - Lawful/fair
Purpose limitation - requires personal data to be collected
Storage limitation - Only retained for time period
Secured against unauthorised access - data controller etc
How do you access and use your Data Management systems, such as HORIZON
Property Management System eg Horizon
1) Encrypted login
2) Two factor authentication
3) Search up property on system - go to data source needed e.g. invoice
What is an electronic document management system?
Workman use EFS - Electronic Filing System
What are the limitations of secondary data sources?
No control on what is contained in data
Lack of confidence could be wrong and inaccurate - validity
above link to GDPR
How do you comply with GDPR in your role?
Report breaches
Do not give out personal info
Keep records of data consent
Ensure info held is in line with GDPR
Can you tell me about the retention of files and limitations act 1980?
Sets out how long business should keep documents
for. States legal action must be brought within 6 years of issue arising
What is BIM and how can it be used?
Building information modelling
- Generate and manage digital representations of elements of a building e.g. project planning and historic preservation
Explain how the H&S updates you make ensure you can monitor compliance on Meridian and Quooda?
Time stamped record of actions completed and comments made as well as who made them
See when risk assessments run out - Instruct
Can intellectual property be transferred?
Yes - Written agreement e.g. contract/assignment
What are CPSES?
Commercial Property Standard Enquiries
What constitutes personal data?
Any info relating to identified person
How is data managed on the Tramps (Horizon + Sharepoint) platform?
Collaboration and sharing between different teams
within businesses (and between business)
Only authorised users can access certain files
Audit trails document activity
How does your firm ensure property management systems are correct?
Property managers can view certain information on the property management system but they cannot alter anything
For any changes, they must submit a data input form which must be signed off by an associate or higher. The data input controllers can only input what is on the forms.
Client accountants can make some changes to the property management system but most changes require the data input controllers
Any changes have a digital receipt which shows who made a change and when.
How does Workman ensure confidential information is kept secure?
The compliance team operate a red, amber, green system.
Red - document is marked as confidential and cannot be shared externally or edited
Amber - Internal firm wide documents eg detailing Workman policy - only Workman user accounts may access them and they will be rejected if shared to external recipients. Workman used Azure Information Protection (AIP) to track and encrypt documents
Green - Documents can be shared freely
