Data Management L3 Flashcards
What is GDPR?
EU General Data Protection Regulation
What is the purpose of GDPR?
Protect citizens personal data
What constitutes personal data?
Any information related to a person or ‘Data Subject’ that can be used to identify a person EG names, photo, email address, bank details etc
Examples of personal data under GDPR that could apply to property companies?
- Tenant information
- Client information
- HR - background checks, payroll and employee information
- Customer data for marketing
- Also, data relating to investors, fund managers, valuations, compliance
To what organisations does GDPR apply?
The UK GDPR applies to ‘controllers’ and ‘processors’.
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
What are penalties for GDPR breaches?
4% of annual global turnover up to 20 million euros
What is the ‘right to access’ under GDPR?
Individuals have the right to obtain confirmation that their data is being processed, and access to their personal data
What is a breach notification under GDPR?
- Need to report within 72 hours of becoming aware of breach
- If breach high risk, then need to notify individual without delay
How are data breaches typically discovered?
Access logs, reported thefts, lost equipment or data security incident
How have consent conditions been strengthened under GDPR?
- Consent must be given using plain and clear language
- Must be as easy to withdraw consent as it is to give it
What is ‘right to be forgotten’ under GDPR?
Under Article 17 of GDPR, individuals have right to have personal data erased in certain circumstances where…
- Data no longer necessary
- Data been processed unlawfully
What is data portability?
Right for data subject to receive personal data concerning them which they have previously provided, and have it transmitted to another controller
What is privacy by design?
- Legal requirement under GDPR
- Calls for inclusion of data protection from onset of designing systems, rather than as addition
What is data protection officer?
- An individual appointed to monitor internal compliance and advise on an organisations data protection obligations
- Only required if organisation is public body, authority or carrying out certain type of processing activity
Examples of data held by surveying practices?
- Payroll and HR
- Customer data for marketing
- Emails and correspondence relating to clients and employees
What are obligations imposed by GDPR?
- Must have knowledge of data you store and process
- Need to be able to provide information on how data is used and the rights of individuals regarding their data
- Need to be able to demonstrate data is being managed in compliant manner
- Must be able to delete every instance of an individuals data in compliance with ‘right to be forgotten’
- Must keep data in format that allows portability to another data processor, should the need arise