Data Protection Flashcards
What is GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679), an EU regulation that governs how personal data is processed and transferred within the European Union (EU). Following Brexit it is retained in UK law as the UK GDPR, supplemented by the Data Protection Act 2018.
What are the key principles of GDPR (7)?
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security).
- Accountability.
Through which piece of UK legislation is the General Data Protection Regulation (GDPR) implemented?
The Data Protection Act 2018, which supplements and tailors the (UK) GDPR.
Can you name 3 of the 8 principles of the Data Protection Act 1998 (the predecessor to the Data Protection Act 2018; the DPA 2018 and GDPR replace them with the 7 principles above)?
- Fairly and lawfully processed: Personal data must be processed fairly and lawfully.
- Purpose: Personal data must be obtained for one or more specified and lawful purpose.
- Adequacy: Personal data must be relevant and not excessive.
- Accuracy: Personal data must be accurate and kept up to date.
- Storage: Personal data must not be kept longer than is necessary.
- Rights: Personal data must be processed in accordance with the data subject's rights, including the right to see any data held on you and the right to have inaccurate data corrected.
- Security: Personal data must be kept secure.
- International transfers: Personal data must not be transferred to countries outside the European Economic Area (EEA) unless those countries ensure an adequate level of data protection.
How long should a firm hold a client’s data for following completion of an instruction?
6 years from completion of the instruction (the limitation period for a claim in simple contract under the Limitation Act 1980), or 12 years where the instruction was executed as a deed (the 12-year limitation period for deeds).
Who should data breaches be reported to?
Your line manager and the data protection officer (DPO), who decides whether the breach must be reported to the ICO.
How does your company securely store data?
Encrypted cloud storage, accessed remotely only over a VPN.
Is there any legislation or legal process your company will follow for data?
Data Protection Act 2018.
GDPR.
Can you provide an example of a legal requirement that your company will have to follow regarding data?
Someone can request a copy of their data (Subject Access Request).
How do you verify your data?
Check it against public records, e.g. HM Land Registry.
Compare against multiple sources to confirm consistency.
How does your treatment of data comply with current legislation?
- Personal data is kept securely.
- Client data is kept for 6 years from completion of the instruction (the limitation period for simple contract claims), or 12 years where the instruction was executed as a deed (the 12-year limitation period for deeds), and is then securely destroyed.
What is meant by Article 5 of GDPR when it says ‘kept in a form that permits identification of data subjects for no longer than is necessary’? How is this relevant to your role?
- You are not allowed to hold personal information (e.g. contact details) for longer than is necessary for the purpose it was collected for (the storage limitation principle).
- This is relevant because client files must be retained only for the applicable limitation period (6 years, or 12 years for instructions executed as a deed) and then securely destroyed or anonymised, rather than kept indefinitely.
Why do you think data you hold needs to be accurate?
To comply with GDPR [Article 5(1)(d)], which states that personal data must be accurate and, where necessary, kept up to date, and that every reasonable step must be taken to ensure inaccurate data is erased or rectified without delay.
What are the data subject (individual) rights under GDPR?
- Right to be informed.
- Right of access.
- Right to rectification.
- Right to erasure (the ‘right to be forgotten’).
- Right to restriction of processing.
- Right to data portability.
- Right to object.
- Rights related to automated decision-making and profiling.
What is the definition of personal data?
Any information relating to an identified or identifiable living individual (the ‘data subject’), e.g. a name, address, identification number or online identifier.
What would constitute a security breach? What is your company policy on reporting a breach? How long do you have to report it to ICO (Information Commissioner’s Office)?
- A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, e.g. losing confidential files, a stolen laptop, or emailing client data to the wrong recipient.
- Report it immediately to your line manager and the data protection officer, record it in the breach log, and notify the affected individuals without undue delay if the breach is likely to result in a high risk to them, describing the impact and the steps they can take.
- The ICO must be notified within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
How long should you keep deeds on file?
A minimum of 15 years.
[Under the Limitation Act 1980 a claim in negligence (other than personal injury) can be brought up to 15 years after the negligent act occurred, the 15-year ‘longstop’.]