Data Management

Question 1

If two separate departments within your firm were working for two competitors, how would you ensure client sensitive data was managed?

Answer 1

• Set up password and personel restricted files
• Segregate teams working on the same commission
• Information barriers / physical barriers

Question 2

What data systems do you use at CBRE?

Answer 2

Microsoft Teams
SharePoint
Client IQ / CIQ
Shared Drive (S:Drive)

Question 3

What is GDPR?

Answer 3

General Data Protection Regulations - law regarding data protection and how personal data can be used.

Question 4

Can you name the individual rights of GDPR?

8 rights

Answer 4

1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure
5. Right to restrict processing
6. Right to data portability (to use for their own purposes)
7. Right to object
8. Rights to automated decision making and profiling (as undertaken by insurance companies)

Question 5

How long should you keep data for?

Answer 5

6 years if underhand.
12 years if deed.
RICS recommends 15 years as this is how long claims can be up to.

Question 6

What is the Data Protection Act?

Answer 6

UK’s implementation of GDPR.

The act ensures data is used fairly, lawfully and transparently, used in a way that is relevant to it’s purpose and is not retained for any longer than necessary.

Question 7

What are a persons right under the DPA?

Answer 7

• To be informed
• To access
• To rectify (incorrect data)
• To have data erased
• To stop processing
• To object to the use

Question 8

Who are the key people under the GDPR rules?

Answer 8

• Controller - determines the purpose and means of processing the data
• Processor - processes personal data on behalf of controller
• Data Protection Officer - leadership role required by GDPR by companies who process data of EU citizens.

Question 9

What are the sanctions for breach of GDPR?

Answer 9

Up to £20m appropriate to the breach or 4% of turnover

Question 10

What is data triangulation?

Answer 10

When considering reliability of data and risks, where possible, verify data against alternative source through ‘triangulation’.

Question 11

Who enforces GDPR? Say there is a breach of data, who enforces GDPR?

Answer 11

ICO – Information Commissioners Office

Question 12

What enforcing powers does the Informations Commissions Offuce (ICO) have?

Answer 12

• Conduct audit checks to check you are complying with obligations
• Serve an Enforcement Notice order if there has been a breach
• Issue Monetary penalties – fines
• Prosecute you if you fail to comply with Enforcement Notices
• Report to Parliament on issues of concern.

ICO also has the power to impose more substantial fines of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.

Question 13

What actions are undertaken at CBRE to ensure data security?

Answer 13

• Mandatory training
• CBRE File transfer systems
• Firewalls and blocked sites
• Phishing security check on emails – IT team verify if email/link is safe.
• Password protected computers – password updated every 3 months
• Email retention

Question 14

Name some data security technologies.

Answer 14

• regular backups off site,
• password protection,
• anti-virus software,
• firewalls,

Question 15

What is copyright?

Answer 15

• It is rights granted to author for the right to copy.
• Crown Copyright refers to Government material such as laws, official press, press releases, OS mapping.
• You must acknowledge copyright in your work.

Question 16

Does EU GDPR apply to the UK?

Answer 16

• No, EU GDPR no longer applies in UK and entirely replaced by UK GDPR.
• UK GDPR is supplemented by Data Protection Act 2018 (this replaces Data Protection Act 1998).
• It gives people right to be informed about how their personal information is used.

Question 17

What is a data controller?

Answer 17

Article 5(2) of UK GDPR requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”

Question 18

What is Data Accountability?

Answer 18

• Ensures organisations prove to the Information Commissioners Office (ICO) that they comply with new regulations

Question 19

In what timeframe do data breaches need to be reported to ICO?

Answer 19

• 72hrs where there is loss of personal data and risk of harm to individuals.

Question 20

What is the fine for a data breach?

Answer 20

• 4% global turnover of the company or £17.5m (whichever is greater)

Question 21

What is the Freedom of Information Act 2000

Answer 21

Gives individuals the right to access information held by public bodies.
* Public body must tell individual requesting the data whether it holds it
* Public body must supply data in 20 working days in the format requested.
* It can charge for the provision of the information.

Exemptions are allowed if contrary to GDPR requirements.

Question 22

What is NDAs?

Answer 22

Non-Disclosure Agreement.

Prevents all involved parties from sharing any data about the relevant project or process.

Question 23

Who is Data Protection Officer at CBRE?

Answer 23

• Geraldine Mash until she retired. Now Sarah Butterworth

Question 24

Is breaching GDPR civil or criminal offence?

Answer 24

Criminal

Question 25

What are the 7 principles of the Data Protection Act?

Answer 25

1. Lawfulness, fairness, and transparency;
2. Purpose limitation;
3. Data minimisation;
4. Accuracy;
5. Storage limitation;
6. Integrity and confidentiality;
7. Accountability