Data Management Flashcards

1
Q

What is GDPR? 

A

General Data Protection Regulation

Relates to personal data

Aims to create a single data protection regime for anyone doing business in the EU and to empower individuals to take control of how their data is used by third parties

Gives people stronger rights to be informed about how their personal information is used

2
Q

When did GDPR come into effect?

A

25 May 2018 - the same day as the Data Protection Act 2018, which was to incorporate the new EU GDPR legislation.

3
Q

Who regulates GDPR in the UK? 

A

Information Commissioner's Office (ICO)

4
Q

Key persons outlined in GDPR?

A

Controller - A data controller determines the purposes and means of the processing of personal data

Processor - A processor engages in personal data processing on behalf of the controller.

Data Protection Officer - Responsible for overseeing the data protection approach, strategy and implementation

5
Q

What is the purpose of GDPR?  

A

Protect citizens' personal data

6
Q

What constitutes personal data? 

A

Any information relating to a person (the 'Data Subject') that can be used to identify that person, e.g. name, photo, email address, bank details, etc.

7
Q

Examples of personal data under GDPR that could apply to property companies? 

A

Data relating to investors, fund managers, valuations, compliance, background checks by HR, etc 

8
Q

What Act implemented GDPR in the UK? 

A

Data Protection Act 2018 - controls how your personal information is used by organisations, businesses or the government. It is the UK's implementation of the GDPR.

Replaced Data Protection Act 1998 

9
Q

What are the 7 principles of the Data Protection Act 2018 (AKA the 7 principles of GDPR)? Mnemonic: LAAPSID

A

Lawfulness, fairness, transparency 

Accuracy  

Accountability  

Purpose limitation 

Storage limitation 

Integrity and confidentiality 

Data minimisation 

10
Q

8 individual rights under GDPR? 

A

Right to Information 

Right to Access 

Right to Rectification 

Right to Erasure 

Right to Restrict Processing 

Right to Data Portability 

Right to Object 

Right to Automated Decision-Making  

11
Q

To what organisations does GDPR apply? 

A

GDPR applies to any and all businesses and organisations which are responsible for handling personal data in the European Union (and the UK)

12
Q

What are penalties for GDPR breaches? 

A

Power to issue fines of up to £17.5 million (€20 million) or 4% of annual worldwide turnover, whichever is higher.

13
Q

What is the ‘right to access’ under GDPR? 

A

Individuals have the right to obtain confirmation that their data is being processed, and access to their personal data 

14
Q

What is a breach notification under GDPR? 

A

The breach must be reported within 72 hours of becoming aware of it

If the breach is high risk, the affected individuals must also be notified without delay

15
Q

How are data breaches typically discovered? 

A

Access logs, reported thefts, lost equipment or a data security incident

16
Q

How have consent conditions been strengthened under GDPR? 

A

Consent must be given using plain and clear language 

Must be as easy to withdraw consent as it is to give it  

17
Q

What is ‘right to be forgotten’ under GDPR? 

A

Under Article 17 of GDPR, individuals have the right to have their personal data erased in certain circumstances, e.g.:

Data is no longer necessary for its original purpose

Data has been processed unlawfully

18
Q

What is data portability? 

A

Right for data subject to receive personal data concerning them which they have previously provided, and have it transmitted to another controller 

19
Q

What is privacy by design? 

A

Legal requirement under GDPR  

Calls for the inclusion of data protection from the onset of designing systems, rather than as an addition

20
Q

What is data protection officer?

A

An individual appointed to monitor internal compliance and advise on an organisation's data protection obligations

Only required if the organisation is a public body or authority, or carries out certain types of processing activity

21
Q

Examples of data held by surveying practices?  

A

Data held to help service a Client (accounting info, compliance systems)

Emails and other correspondence

Other physical records held on file

Customer data held for marketing purposes

22
Q

What are obligations imposed by GDPR? 

A

Must have knowledge of the data you store and process (including its location and security)

Must be able to delete every instance of an individual's data

Must demonstrate compliance in managing data

Must be able to prove how information is being used

Must offer data portability

23
Q

RICS best practice points for complying with GDPR? 

A

Conduct data review  

Anonymise data where possible  

Encrypt everything where possible  

Treat commercial data in the same way as personal data, even though it is not covered by GDPR

Understand the data process

24
Q

What are your company’s policies for data protection breaches? 

A

Report to line manager or Data Protection Officer within the firm 

25
Q

RICS recommendations for using confidential information? 

A

Document purposes for which you are allowed to hold information 

Keep record of consent for processing, storage and retention  

Check if you have appropriate contractual clauses for use of information 

26
Q

What information should be included in a firm's privacy notice?

A

What information you hold

What the information will be used for

Which third parties the information will be shared with

How long the information will be stored for

What legal rights the data subjects have

27
Q

What is SAR? 

A

Subject Access Request  

A request that the individual be given all the information a company holds on them

28
Q

What was the Freedom of Information Act? 

A

Came into effect in 2000 

Allows an individual to request access to information held by a public body

The public body is required to provide that information (within 20 working days) in the requested format

They can charge a fee for this

29
Q

What are the provisions of the Land Registry Act (2002)? 

A

Provides a complete and accurate reflection of the state of the title of the land at any given time  

Aim is to get all freehold land in England and Wales registered by 2030 

30
Q

What is required for a Land Registry Compliant Plan?

A

Drawn to scale of 1:100 or 1:200

Have a scale measurement bar

Have the scale noted on the plan

Include a 1:1250 scale map of the location

Full address

North point

Demise in red outline

31
Q

What is the difference between a deed and a registered title?

A

Deed is a physical document declaring a person’s legal ownership

Registered title is ownership recorded with Land Registry electronically

32
Q

Are electronic signatures accepted by the Land Registry?

A

Yes, witnessed electronic signatures accepted from July 2020

33
Q

Disadvantages of the systems you use? 

A

Rely on data input completed by others - human error 

External systems - firm is not in control of security  

Not user friendly and lots of staff training required!

34
Q

How did GDPR tighten up the former DPA 1998?

A

Customer has greater control over their data  

Harsh penalties for failure to comply - up to £17.5M

GDPR is binding piece of legally enforceable regulation  

Applies to all EU nations (inc. UK) and every company holding data on EU citizens  

Breaches have to be reported to the relevant authorities within 72 hours  

Companies will be accountable for data protection 

Any firm with over 250 people requires a dedicated data protection officer 

35
Q

How do you comply with GDPR in your role? 

A

I report suspected breaches

I do not give out confidential or personal information

I keep records of consent for processing, storing and retaining data

I understand the information we hold that is protected by GDPR

36
Q

Give me an example of how you process and handle confidential information. 

A

I use document systems to add, amend and remove information - Data input forms

When sending information to solicitors, I ensure files are uploaded to a secure data room

Anonymised employee liability information for TUPE

Password and account to enter management systems

37
Q

What does encryption mean?

A

Mathematical function that encodes data in such a way that only authorised users can access it

38
Q

What is a firewall?

A

Network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules

39
Q

Tell me about how you extract data from a source regularly used in your role?

A

Extract data from leases and enter into a new lease input form. This is securely sent to Data Input who then upload the information to TRAMPS/Horizon where the data is held securely for those with password access

40
Q

Can you tell me about the retention of files and the Limitations Act 1980?

A

Section 5 of the Limitations Act 1980 says legal action must be brought within 6 years of the issue arising

Businesses therefore have a responsibility to keep documents for at least 6 years after they expire

41
Q

Give me an example of how you ensure that data is kept securely. 

A

Access is restricted to users by password

Firewalls in place by IT team to protect against hacking

Appropriate training undertaken to understand processes

42
Q

What is copyright? 

A

The exclusive and assignable legal right given to the originator, for a fixed number of years, to print, perform, film or record literary, artistic or musical material.

43
Q

Can copyright be transferred?

44
Q

What is an AVM?

A

Automated Valuation Model

• Mathematical/statistical modelling using databases of existing properties and transactions to calculate real estate values

45
Q

Does RICS provide any guidance on AVM?

A

INSIGHT PAPER - RICS Road Map: Automated Valuation Models Roadmap for RICS members and stakeholders, 2021

46
Q

Explain the growing use of AVMs in the industry.

A

Use of computer modelling in the science of valuation has merit in a world with increased availability and use of data

• May reduce expensive litigation

47
Q

What is an Electronic Document Management System?

A

Type of software that stores, organises and manages documents in the form of electronic files, e.g. SharePoint

48
Q

How do you ensure GDPR compliance and security in office?

A

Clear desk policy, lock screens, external back-up drive, password protection

49
Q

How do you monitor compliance on QUOODA/riskwise?

A

Linked to my email, so I get notified if action is required or if a document is non-compliant

I get notified if a document is becoming overdue in the next 30 days, or of any actions

50
Q

How do you apply your firm's data protection policy?

A

I report suspected breaches

I anonymise data where possible

I don’t send protected data unless it is to the individual it concerns

I use password protections

51
Q

How to ensure data accuracy? 

A

Check against original document 

Have it double checked by colleague

52
Q

What are CPSEs?

A

Commercial Property Standard Enquiries

53
Q

If a tenant would like to access CCTV footage, what is required? 

A

Subject Access Request - can only be given to police/insurers

Liaise with Data Protection Officer on what is required / what can be given

54
Q

How do you store confidential data in your office? 

A

Login to password protected system that uses dual-factor authentication (face ID and code) 

Keep data anonymised if it is personal data 

55
Q

What would you do if you realised that you had received confidential data in an email, from another surveyor, which you should not have seen? 

A

Cannot use the information for own purposes

Client and sender/receiver should be advised of the error

Matter should be recorded in a note to the firm's Compliance Officer

Dispose securely of the information

56
Q

How do you ensure the data on the systems you use is accurate?  

A

Internal and external systems get audited  

Prelists get raised 

57
Q

Benefits of cloud based storage systems?

A

Info backed up securely on encrypted servers

Environmentally friendly

Multiple users can access the same docs

Often cheaper

58
Q

Non-disclosure agreement - NDA

A

Used to protect against the disclosure and sharing of any confidential data

59
Q

If two separate departments within your firm were working for two rival companies, how would you ensure client-sensitive data was managed?

A

Make clients aware of risks

Conflict of interest check

Seek letter of instruction that both parties are happy for us to continue

Implement an information barrier

60
Q

What things must companies put in place to ensure GDPR compliance?

A

Raise awareness across your business - via training

Audit all personal data

Update privacy policy

Review how we seek, obtain and record consent.

61
Q

Data portability

A

Individuals or organisations have control over their data and can easily switch

62
Q

How have you advised a client on data management?

A

Recognised MEES coming into force; the old managing agents didn't have a tracker for EPCs

63
Q

Horizon limitations

A

Third-party system - we don't have control of the security

Human error

Training - not user friendly