Data Management Flashcards

(62 cards)

1
Q

What is GDPR? 

A

General Data Protection Regulation

2
Q

What is the significance of GDPR?

A

As a surveyor, I must ensure that any personal or client data is processed lawfully, stored securely, and only used for legitimate purposes in line with GDPR and the Data Protection Act 2018

3
Q

When did GDPR come into effect?

A

25 May 2018, the same day as the Data Protection Act 2018, which incorporated the new EU GDPR legislation.

4
Q

Who regulates GDPR in the UK? 

A

Information Commissioner's Office (ICO)

5
Q

Key persons outlined in GDPR?

A

Controller - A data controller determines the purposes and means of the processing of personal data

Processor - A processor engages in personal data processing on behalf of the controller.

Data protection officer - Responsible for overseeing the data protection approach, strategy and implementation

6
Q

What is the purpose of GDPR?  

A

Protect citizens' personal data

6
Q

What constitutes personal data?

A

Any information relating to a person (the ‘Data Subject’) that can be used to identify them, e.g. names, photos, email addresses, bank details, etc.

7
Q

Examples of personal data under GDPR that could apply to property companies? 

A

Data relating to investors, fund managers, valuations, compliance, background checks by HR, etc 

8
Q

What Act implemented GDPR in the UK? 

A

Data Protection Act (2018) 

9
Q

What is the significance of the Data Protection Act (2018)?

A

Controls how your personal information is used by organisations, businesses or the government. It is the UK’s implementation of the GDPR.

It replaced the Data Protection Act 1998.

10
Q

What are the 7 principles of Data Protection Act 2018? (AKA 7 principles of GDPR)

A

LAAPSID

Lawfulness, fairness, transparency 

Accuracy  

Accountability  

Purpose limitation 

Storage limitation 

Integrity and confidentiality 

Data minimisation 

11
Q

8 individual rights under GDPR? (Common question)

A

Right to Information 

Right to Access 

Right to Rectification 

Right to Erasure 

Right to Restrict Processing 

Right to Data Portability 

Right to Object 

Right to Automated Decision-Making  

12
Q

To what organisations does GDPR apply? 

A

GDPR applies to any and all businesses and organisations which are responsible for handling personal data in the European Union (and the UK)

13
Q

 What are penalties for GDPR breaches?

A

Power to issue fines of up to £17.5 million (€20 million) or 4% of annual worldwide turnover, whichever is higher.

14
Q

What is the ‘right to access’ under GDPR? 

A

Individuals have the right to obtain confirmation that their data is being processed, and access to their personal data 

14
Q

What is a breach notification, what are the timescales?

A

A breach needs to be reported within 72 hours of becoming aware of it.

If the breach is high risk, the affected individuals need to be notified without delay.

15
Q

What is ‘right to be forgotten’ under GDPR? 

A

Under Article 17 of GDPR, individuals have the right to have personal data erased in certain circumstances, e.g.:

Data no longer necessary for original purpose

Data has been processed unlawfully

15
Q

How are data breaches typically discovered? 

A

Access logs, reported thefts, lost equipment or data security incident  

16
Q

How have consent conditions been strengthened under GDPR? 

A

Consent must be given using plain and clear language 

Must be as easy to withdraw consent as it is to give it  

17
Q

What is data portability? 

A

Right for data subject to receive personal data concerning them which they have previously provided, and have it transmitted to another controller

18
Q

What is privacy by design? 

A

Legal requirement under GDPR  

Calls for inclusion of data protection from onset of designing systems, rather than as addition 

19
Q

What is data protection officer? 

A

A Data Protection Officer (DPO) is a senior individual appointed to oversee a company’s data protection strategy and compliance with the UK GDPR and Data Protection Act 2018

20
Q

Examples of data held by surveying practices?  

A

Data held to help service a Client (accounting info, compliance systems)

Emails and other correspondence

Other physical records held on file

Customer data held for marketing purposes

21
Q

What are obligations imposed by GDPR? 

A

Must have knowledge of the data you store and process (including its location and security)

Have to be able to delete every instance of an individual's data

Must demonstrate compliance in managing data

Must be able to prove how information is being used

Must offer data portability

22
Q

RICS best practice points for complying with GDPR?

A

Conduct data review

Anonymise data where possible

Encrypt everything where possible

Treat commercial data in the same way as personal data, even though it is not covered by GDPR

Understand the data process

23
Q

What are your company's policies for data protection breaches?

A

Report to line manager or Data Protection Officer within the firm

24
Q

RICS recommendations for using confidential information?

A

Document purposes for which you are allowed to hold information

Keep record of consent for processing, storage and retention

Check if you have appropriate contractual clauses for use of information

25
Q

What information should be included in a firm's privacy notice?

A

What information you have

What the information will be used for

Which third parties the information will be shared with

How long the information will be stored for

What legal rights they have

26
Q

What is SAR?

A

Subject Access Request

Demand that the individual be given all the information that a company holds on them

26
Q

What was the Freedom of Information Act?

A

Came into effect in 2000

Allows an individual to request access to information held by a public body

Public body is required to provide that information (within 20 working days) in the requested format

They can charge a fee for this

27
Q

What is required for a Land Registry Compliant Plan?

A

Drawn to scale of 1:100 or 1:200

Have a scale measurement bar

Have the scale noted on the plan

Include a 1:1250 scale map of the location

Full address

North point

Demise in red outline

28
Q

What is the difference between a deed and a registered title?

A

Deed is a physical document declaring a person's legal ownership

Registered title is ownership recorded with the Land Registry electronically

29
Q

Are electronic signatures accepted by the Land Registry?

A

Yes, witnessed electronic signatures accepted from July 2020

29
Q

Disadvantages of the systems you use?

A

Rely on data input completed by others - human error

External systems - firm is not in control of security

Not user friendly and lots of staff training required!

30
Q

How did it tighten up the former DPA 1998?

A

Customer has greater control over their data

Harsh penalties if fail to comply - up to £17.5M

GDPR is a binding piece of legally enforceable regulation

Applies to all EU nations (inc. UK) and every company holding data on EU citizens

Breaches have to be reported to the relevant authorities within 72 hours

Companies will be accountable for data protection

Any firm with over 250 people requires a dedicated data protection officer

31
Q

Give me an example of how you process and handle confidential information.

A

I use document systems to add, amend and remove information - data input forms

When sending information to solicitors, I ensure files are uploaded to a secure data room

Anonymised employee liability information for TUPE

Password and account to enter management systems

31
Q

How do you comply with GDPR in your role?

A

I report suspected breaches

I do not give out confidential or personal information

I keep records of consent for processing, storing and retaining data

I understand the information we hold that is protected by GDPR

32
Q

What does encryption mean?

A

Mathematical function that encodes data in such a way that only authorised users can access it

32
Q

What is a firewall?

A

Network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules

32
Q

Tell me about how you extract data from a source regularly used in your role?

A

Extract data from leases and enter it into a new lease input form. This is securely sent to Data Input, who then upload the information to TRAMPS/Horizon, where the data is held securely for those with password access.

33
Q

Can you tell me about the retention of files and the Limitation Act 1980?

A

Section 5 of the Limitation Act 1980 says legal action must be brought within 6 years of the issue arising

Businesses then have a responsibility to keep documents for at least 6 years after they expire

34
Q

Give me an example of how you ensure that data is kept securely.

A

Access is restricted to users by password

Firewalls in place by IT team to protect against hacking

Appropriate training undertaken to understand processes

35
Q

What is copyright?

A

The exclusive and assignable legal right given to the originator for a fixed number of years, to print, perform, film or record literary, artistic or musical material.

36
Q

Can copyright be transferred?

A

Yes

37
Q

What is an AVM?

A

Automated Valuation Model - mathematical / statistical modelling with databases of existing properties and transactions to calculate real estate values

38
Q

Does RICS provide any guidance on AVM?

A

INSIGHT PAPER - RICS Road Map: Automated Valuation Models Roadmap for RICS members and stakeholders, 2021

39
Q

Explain the growing use of AVMs in the industry?

A

Use of computer modelling in the science of valuation has merit in a world with increased availability and use of data - may reduce expensive litigation

40
Q

What is an Electronic Document Management System?

A

Type of software that stores, organises and manages documents in the form of electronic files, e.g. SharePoint

41
Q

How do you ensure GDPR compliance and security in the office?

A

Clear desk policy, lock screens, external back-up drive, password protection

42
Q

How do you apply your firm's data protection policy?

A

I report suspected breaches

I anonymise data where possible

I don't send protected data unless it is to the individual it concerns

I use password protections

42
Q

How do you monitor compliance on QUOODA/riskwise?

A

Linked to my email so I get notified if action is required or if a document is non-compliant

Get notified if a document is becoming overdue in the next 30 days / of any actions

43
Q

How to ensure data accuracy?

A

Check against original document

Have it double checked by a colleague

44
Q

What are CPSEs?

A

Commercial Property Standard Enquiries

45
Q

If a tenant would like to access CCTV footage, what is required?

A

Subject Access Request - can only be given to police/insurers

Liaise with Data Protection Officer on what is required / what can be given

46
Q

How do you store confidential data in your office?

A

Login to a password protected system that uses two-factor authentication (Face ID and code)

Keep data anonymised if it is personal data

47
Q

What would you do if you realised that you had received confidential data in an email, from another surveyor, which you should not have seen?

A

Cannot use the information for own purposes

Client and sender/receiver should be advised of the error

Matter should be recorded in a note to the firm's Compliance Officer

Dispose securely of the information

48
Q

How do you ensure the data on the systems you use is accurate?

A

Internal and external systems get audited

Prelists get raised

49
Q

Benefits of cloud based storage systems?

A

Info backed up securely on encrypted servers

Environmentally friendly

Multiple users can access the same docs

Often cheaper

49
Q

What is a Non-disclosure agreement (NDA) for?

A

Used to protect against the disclosure and sharing of any confidential data

50
Q

If two separate departments within your firm were working for two rival companies, how would you ensure client-sensitive data was managed?

A

Make clients aware of risks

Conflict of interest check

Seek letter of instruction that both parties are happy for us to continue

Implement an information barrier

51
Q

What things must companies put in place to ensure GDPR compliance?

A

Raise awareness across your business - via training

Audit all personal data

Update privacy policy

Review how we seek, obtain and record consent

52