Data Management L3 Flashcards

1
Q

What is GDPR?

A

EU General Data Protection Regulation

2
Q

What is the purpose of GDPR?

A

Protect citizens' personal data

3
Q

What constitutes personal data?

A

Any information related to a person or ‘Data Subject’ that can be used to identify a person, e.g. names, photo, email address, bank details, etc.

4
Q

Examples of personal data under GDPR that could apply to property companies?

A
  • Tenant information
  • Client information
  • HR - background checks, payroll and employee information
  • Customer data for marketing
  • Also, data relating to investors, fund managers, valuations, compliance
5
Q

To what organisations does GDPR apply?

A

The UK GDPR applies to ‘controllers’ and ‘processors’.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.

6
Q

What are penalties for GDPR breaches?

A

4% of annual global turnover up to 20 million euros

7
Q

What is the ‘right to access’ under GDPR?

A

Individuals have the right to obtain confirmation that their data is being processed, and access to their personal data

8
Q

What is a breach notification under GDPR?

A
  • Need to report within 72 hours of becoming aware of the breach
  • If the breach is high risk, then need to notify the individual without delay
9
Q

How are data breaches typically discovered?

A

Access logs, reported thefts, lost equipment or data security incident

10
Q

How have consent conditions been strengthened under GDPR?

A
  • Consent must be given using plain and clear language
  • Must be as easy to withdraw consent as it is to give it
11
Q

What is ‘right to be forgotten’ under GDPR?

A

Under Article 17 of GDPR, individuals have the right to have personal data erased in certain circumstances where…
- Data no longer necessary
- Data has been processed unlawfully

12
Q

What is data portability?

A

Right for data subject to receive personal data concerning them which they have previously provided, and have it transmitted to another controller

13
Q

What is privacy by design?

A
  • Legal requirement under GDPR
  • Calls for inclusion of data protection from onset of designing systems, rather than as addition
14
Q

What is data protection officer?

A
  • An individual appointed to monitor internal compliance and advise on an organisation's data protection obligations
  • Only required if the organisation is a public body or authority, or is carrying out certain types of processing activity
15
Q

Examples of data held by surveying practices?

A
  • Payroll and HR
  • Customer data for marketing
  • Emails and correspondence relating to clients and employees
16
Q

What are obligations imposed by GDPR?

A
  • Must have knowledge of data you store and process
  • Need to be able to provide information on how data is used and the rights of individuals regarding their data
  • Need to be able to demonstrate data is being managed in compliant manner
  • Must be able to delete every instance of an individual's data in compliance with ‘right to be forgotten’
  • Must keep data in format that allows portability to another data processor, should the need arise
17
Q

Who regulates GDPR in the UK?

A

Information Commissioner's Office

18
Q

RICS best practice points for complying with GDPR?

A
  • Conduct data review
  • Anonymise data where possible
  • Encrypt everything where possible
  • Treat commercial data in same way as personal data, even though not covered by GDPR
19
Q

What are your company’s policies for data protection breaches?

A

Report to line manager or Data Protection Officer within the firm

20
Q

RICS recommendations for using confidential information?

A
  • Document purposes for which you are allowed to hold information
  • Keep record of consent for processing, storage and retention
  • Check if you have appropriate contractual clauses for use of information
21
Q

What information should be included in a firm's privacy notice?

A
  • What information you have
  • What information will be used for
  • Which third parties information will be shared with
  • How long information will be stored for
  • What legal rights they have
22
Q

When did GDPR come into effect?

A

25 May 2018

23
Q

What Act implemented GDPR in the UK?

A
  • Data Protection Act (2018)
  • Replaced Data Protection Act 1998
24
Q

What are the key requirements of GDPR?

A
  • Obligation to conduct data protection impact assessments for high risk holding of data
  • New rights for individuals to have access to information on what personal data is held, and to have it erased
  • Data controller decides how and why personal data is processed and is directly responsible for GDPR
  • A new principle of ‘data accountability’ ensuring that organisations can prove to the Information Commissioner’s Office (ICO) how they comply with the new regulations
  • Data security breaches need to be reported to ICO within 72 hours where there is a loss of personal data and a risk of harm to individuals
  • An increase in fines - up to 4% global turnover or 20 million euros (whichever is greater)
  • Policed by ICO
25
Q

8 individual rights under GDPR?

A
  1. Right to Information
  2. Right to Access
  3. Right to Rectification
  4. Right to Erasure
  5. Right to Restrict Processing
  6. Right to Data Portability
  7. Right to Object
  8. Right to avoid Automated Decision Making
26
Q

What are the principles of GDPR?

A

Article 5(1) - Principles relating to storage of personal data must be:

  • Processed lawfully, fairly and in a transparent manner
  • Adequate, relevant and limited to what is necessary for the purpose
  • Kept up to date
  • Eradicated if inaccurate, or rectified without delay
  • Kept in a form that permits identification of data subjects for no longer than is necessary
  • Processed in a manner that ensures appropriate security of personal data, including protection from unlawful processing, accidental loss, destruction or damage

Article 5(2) - the controller shall be responsible for, and be able to demonstrate, compliance with the principles

27
Q

What is SAR?

A
  • Subject Access Request
  • Demand that the individual be given all the information that a company holds on them
28
Q

What was the Freedom of Information Act?

A
  • Came into effect in 2000
  • Allows an individual to request access to information held by a public body
  • Public body is required to provide that information (within 20 working days) in requested format
  • They can charge a fee for this
29
Q

What are the provisions of the Land Registry Act (2002)?

A
  • Provides a complete and accurate reflection of the state of the title of the land at any given time
  • Aim is to get all freehold land in England and Wales registered by 2030
30
Q

Disadvantages of the systems you use?

A
  • Rely on data input completed by others - human error
  • External systems - firm is not in control of security
  • Not user friendly and lots of staff training required!
31
Q

How did it tighten up the former DPA 1998?

A
  • Customer has greater control over their data
  • Harsh penalties if fail to comply - up to 20 million euros
  • GDPR is binding piece of legally enforceable regulation
  • Applies to all EU nations and every company holding data on EU citizens
  • Breaches have to be reported to the relevant authorities within 72 hours
  • Companies will be accountable for data protection
  • Any firm with over 250 people requires a dedicated data protection officer
32
Q

What is the Freedom of Information Act?

A

Act of parliament that creates a public right of access to information held by public authorities.

33
Q

Principles of Data Protection Act/GDPR?

A

Lawfulness, fairness, transparency
Purpose limitation
Data minimisation
Storage limitation
Accuracy
Integrity / confidentiality
Accountability

34
Q

What is a ROPA?

A

Reporting of processing activities

35
Q

What is an information barrier and how should it be enforced?

A
  1. Different surveyor should act for each client.
  2. They must be physically separated preferably in different buildings or on different floors with separate support teams.
  3. All information regarding the instruction should be securely stored.
  4. The firm's compliance officer must oversee all actions.
36
Q

What is a firewall?

A

A firewall is a device configured to permit, deny, or encrypt all computer traffic between different secure locations.

37
Q

What is encryption?

A

Encryption is a method which allows information to be hidden so that it cannot be read without special knowledge or tools.

38
Q

What was your advice in your Level 3 examples?

A

Covid-19 concessions:
- Create sharepoint
- Encrypt / password protect
- Only issued to relevant parties as per my firm’s Data Protection Privacy Policy

HR employee information:
- Redact sensitive information
- Password protect
- 2-factor authentication - email the password-protected information and confirm the password over the phone

39
Q

What is your firm’s data protection policy?

A
  • Complies with DPA 2018
  • Subject to appropriate legal safeguards in DPA and UK GDPR
  • Workman is a data processor and controller
  • Firm is responsible for notifying ICO of the data it holds
  • Has a DPO for ensuring compliance
  • Adheres to data protection principles
40
Q

What are Workman’s principles?

A
  • Be processed fairly, lawfully and in a transparent manner and shall not be processed unless
    certain conditions are met.
  • Be collected for specific, explicit and legitimate purposes and shall not be processed in any
    manner incompatible with those purposes.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and, where necessary, kept up to date. (Every reasonable step shall be taken to
    ensure that personal data that are inaccurate, having regard to the purposes for which they
    are processed, are erased or rectified without delay.)
  • Not be kept for longer than is necessary for a specific purpose.
  • Be processed in accordance with the data subject’s rights.
  • Be kept secure from unauthorised or unlawful processing and protected against accidental
    loss, destruction or damage by using the appropriate technical and organisational measures.
  • Not be transferred to a country or territory outside the UK, unless that country or territory
    ensures an adequate level of protection for the rights and freedoms of data subjects in
    relation to the processing of personal data.