Data Management L3 Flashcards
What is GDPR?
EU General Data Protection Regulation
What is the purpose of GDPR?
Protect citizens personal data
What constitutes personal data?
Any information related to a person or ‘Data Subject’ that can be used to identify a person EG names, photo, email address, bank details etc
Examples of personal data under GDPR that could apply to property companies?
- Tenant information
- Client information
- HR - background checks, payroll and employee information
- Customer data for marketing
- Also, data relating to investors, fund managers, valuations, compliance
To what organisations does GDPR apply?
The UK GDPR applies to ‘controllers’ and ‘processors’.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
What are penalties for GDPR breaches?
4% of annual global turnover up to 20 million euros
What is the ‘right to access’ under GDPR?
Individuals have the right to obtain confirmation that their data is being processed, and access to their personal data
What is a breach notification under GDPR?
- Need to report within 72 hours of becoming aware of breach
- If breach high risk, then need to notify individual without delay
How are data breaches typically discovered?
Access logs, reported thefts, lost equipment or data security incident
How have consent conditions been strengthened under GDPR?
- Consent must be given using plain and clear language
- Must be as easy to withdraw consent as it is to give it
What is ‘right to be forgotten’ under GDPR?
Under Article 17 of GDPR, individuals have right to have personal data erased in certain circumstances where…
- Data no longer necessary
- Data been processed unlawfully
What is data portability?
Right for data subject to receive personal data concerning them which they have previously provided, and have it transmitted to another controller
What is privacy by design?
- Legal requirement under GDPR
- Calls for inclusion of data protection from onset of designing systems, rather than as addition
What is data protection officer?
- An individual appointed to monitor internal compliance and advise on an organisations data protection obligations
- Only required if organisation is public body, authority or carrying out certain type of processing activity
Examples of data held by surveying practices?
- Payroll and HR
- Customer data for marketing
- Emails and correspondence relating to clients and employees
What are obligations imposed by GDPR?
- Must have knowledge of data you store and process
- Need to be able to provide information on how data is used and the rights of individuals regarding their data
- Need to be able to demonstrate data is being managed in compliant manner
- Must be able to delete every instance of an individuals data in compliance with ‘right to be forgotten’
- Must keep data in format that allows portability to another data processor, should the need arise
Who regulates GDPR in the UK?
Information Commissioners Office
RICS best practice points for complying with GDPR?
- Conduct data review
- Anonymise data where possible
- Encrypt everything where possible
- Treat commercial data in same way as personal data, even though not covered by GDPR
What are your company’s policies for data protection breaches?
Report to line manager or Data Protection Officer within the firm
RICS recommendations for using confidential information?
- Document purposes for which you are allowed to hold information
- Keep record of consent for processing, storage and retention
- Check if you have appropriate contractual clauses for use of information
What information should be included in firms privacy notice?
- What information you have
- What information will be used for
- Which third parties information will be shared with
- How long information will be stored for
- What legal rights they have
When did GDPR come into effect
25 May 2018
What Act implemented GDPR in the UK?
- Data Protection Act (2018)
- Replaced Data Protection Act 1998
What are the key requirements of GDPR?
- Obligation to conduct data protection impact assessments for high risk holding of data
- New rights for individuals to have access to information on what personal data is held, and to have it erased
- Data controller decides how and why personal data is processed and is directly responsible for GDPR
- A new principle of ‘data accountability’ ensuring that organisations can prove to the Information Commissioner’s Office (ICO) how they comply with the new regulations
- Data security breaches need to be reported to ICO within 72 hours where there is a loss of personal data and a risk of harm to individuals
- An increase in fines - up to 4% global turnover or 20 million euros (whichever is greater)
- Policed by ICO
8 individual rights under GDPR?
- Right to Information
- Right to Access
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Data Portability
- Right to Object
- Right to avoid Automated Decision Making
What are the principles of GDPR?
Article 5(1) - Principles relating to storage of personal data must be:
- Processed lawfully, fairly and in transparent manner
- adequate, relevant and limited to what is necessary for the purpose
- Kept up to data
- Eradicated if inaccurate, or rectified without delay
- Kept in a form that permits identification of data subjects for no longer than is necessary
- Processed in manner than ensures appropriate security of personal data, including protection from unlawful processing, accidental loss, destruction or damage
Article 5(2) - the controller shall be responsible for, and be able to demonstrate, compliance with the principles
What is SAR?
- Subject Access Request
- Demand that the individual be given all the information that a company holds on them
What was the Freedom of Information Act?
- Came into effect in 2000
- Allows an individual to request access to information held by a public body
- Public body is required to provide that information (within 20 working days) in requested format
- They can charge a fee for this
What are the provisions of the Land Registry Act (2002)?
- Provides a complete and accurate reflection of the state of the title of the land at any given time
- Aim is to get all freehold land in England and Wales registered by 2030
Disadvantages of the systems you use?
- Rely on data input completed by others - human error
- External systems - firm is not in control of security
- Not user friendly and lots of staff training required!
How did it tighten up the former DPA 1998?
- Customer has greater control over their data
- Harsh penalties if fail to comply - up to 20 million euros
- GDPR is binding piece of legally enforceable regulation
- Applies to all EU nations and every company holding data on EU citizens
- Breaches have to be reported to the relevant authorities within 72 hours
- Companies will be accountable for data protection
- Any firm with over 250 people required dedicated data protection officer
What is the Freedom of Information Act?
Act of parliament that creates a public right of access to Information held by public authorities.
Principles of Data Protection Act/GDPR?
Lawfulness, fairness, transparency
Purpose limitation
Data minimisation
Storage limitation
Accuracy
Integrity / confidentiality
accountability
What is a ROPA?
Reporting of processing activities
What is an information barrier and how should it be enforced?
- Different surveyor should act for each client.
- They must be physically separated preferably in different buildings or on different floors with separate support teams.
- All information regarding the instruction should be securely stored.
- The firms compliance officer must oversee all actions.
What is a firewall?
A firewall is a device configured to permit, deny, or encrypt all computer traffic between different secure locations.
What encryption?
Encryption is a method which allows information to be hidden so that it cannot be read without special knowledge or tools.
What was your advice in your Level 3 examples?
Covid-19 concessions:
- Create sharepoint
- Encrypt / password protected
- Only issued to relevant parties as per my firm’s Data Protection Privacy Policy
HR employee information:
- Redact sensitive information
- Password protect
- 2 factor authenticate - Email password protected information and confirm password over the phone
What is you firm’s data protection policy?
- Complies with DPA 2018
- Subject to appropriate legal safeguards in DPA and UK GDPR
- Workman is a data processor and controller
- Firm is responsible for notifying ICO of the data it holds
- Has a DPO for ensuring compliance
- Adheres to data protection priciples
What are Workman’s principles?
- Be processed fairly, lawfully and in a transparent manner and shall not be processed unless
certain conditions are met. - Be collected for specific, explicit and legitimate purposes and shall not be processed in any
manner incompatible with those purposes. - Be adequate, relevant and not excessive for those purposes.
- Be accurate and, where necessary, kept up to date. (Every reasonable step shall be taken to
ensure that personal data that are inaccurate, having regard to the purposes for which they
are processed, are erased or rectified without delay.) - Not be kept for longer than is necessary for a specific purpose.
- Be processed in accordance with the data subject’s rights.
- Be kept secure from unauthorised or unlawful processing and protected against accidental
loss, destruction or damage by using the appropriate technical and organisational measures. - Not be transferred to a country or territory outside the UK, unless that country or territory
ensures an adequate level of protection for the rights and freedoms of data subjects in
relation to the processing of personal data.
