Data Protection Flashcards

1
Q

What is GDPR?

A

Legislation that governs how companies handle personal data [in the EU].

2
Q

What are the key principles of GDPR (7)?

A
  • Lawfulness, fairness and transparency.
  • Purpose limitation (data shouldn’t be used for purposes other than those originally intended).
  • Data minimisation (data should be collected for specific purpose).
  • Accuracy.
  • Storage limitation (shouldn’t be kept for longer than necessary).
  • Integrity and confidentiality (security).
  • Accountability.
3
Q

Through which piece of legislation is the General Data Protection Regulation (GDPR) implemented?

A

The Data Protection Act 2018.

4
Q

Can you name 3 of the 8 principles of the Data Protection Act 2018?

A

ASS.
- Accuracy: Personal data must be accurate [and kept up to date].
- Storage: Personal data shouldn’t be kept longer than necessary.
- Security: Personal data must be kept secure.

  • Fairly and lawfully processed.
  • Purpose.
  • Adequacy.
  • Accuracy.
  • Storage.
  • Rights.
  • Security.
  • International transfers.

[- Fairly and lawfully processed: Personal data must be processed fairly and lawfully.
- Purpose: Personal data must be obtained for one or more specified and lawful purpose.
- Adequacy: Personal data must be relevant and not excessive.
- Accuracy: Personal data must be accurate and kept up to date.
- Storage: Personal data must not be kept longer than is necessary.
- Rights: Right to see any data held on you [and to correct inaccurate data].
- Security: Personal data must be kept secure.
- International transfers: Personal data must not be transferred to other countries outside the European Economic Area, unless those countries have similar data protection laws.]

5
Q

How long should a firm hold a client’s data for following completion of an instruction?

A
  • Min 6 years from when the incident occurred.
  • 12 years for some instructions (projects – 12-year limitation period for deeds).
  • 15 years to protect against negligence claims.
6
Q

Who should data breaches be reported to?
When does this need to be reported?

A
  • Information Commissioner’s Office (ICO).
  • Data protection officer.
  • Within 72 hours.
7
Q

How does your company securely store data?

A
  • Cloud storage.
  • Encrypted.
  • VPN.
  • Passwords.
  • Two-factor authentication.
8
Q

Is there any legislation or legal process your company will follow for data?

A
  • Data Protection Act 2018.
  • GDPR.
9
Q

Can you provide an example of a legal requirement that your company will have to follow regarding data?
What GDPR principle does that relate to?

A
  • Someone can request a copy of their data (Subject Access Request).
  • Right of access.
10
Q

How do you verify your data?

A
  • Use reliable sources, e.g. the Land Registry.
  • Cross-reference with other sources.
  • Confirm information with client.
11
Q

How does your treatment of data comply with current legislation?

A
  • Personal data kept securely.
  • Provide personal data held on request (SAR).
  • Client data kept for 6 years (contracts under hand)/12 years (deeds) [from when the incident occurred].
12
Q

What is meant by Article 5 of GDPR when it says ‘kept in a form that permits identification of data subjects for no longer than is necessary’? How is this relevant to your role?

A
  • You’re not allowed to hold personal information (e.g. contact information) for longer than necessary.
  • Relevance: information has to be archived after a certain period (6 years/12 years).
13
Q

Why do you think data you hold needs to be accurate?

A
  • To comply with GDPR [Article 5].
  • It states that personal data must be accurate, or otherwise deleted.
14
Q

What are the consumer rights under GDPR?

A
  • Access (SAR) [right of].
  • Erasure [right of].
  • Rectification [right to].
  • Informed [right to be].
  • Object [right to].
  • Restriction of processing [right to].
  • Data portability [right to].
  • Rights related to automated decision-making and profiling.
15
Q

What is the definition of personal data?

A

Information relating to an identifiable person.

16
Q

What would constitute a security breach?
What is your company policy on reporting a breach?
How long do you have to report it to ICO (Information Commissioner’s Office)?

A
  • Losing confidential files, stolen laptop.
  • Notify affected parties [and describe the impact].
  • Must notify the ICO within 72 hours of becoming aware of the breach.

17
Q

How long should you keep deeds on file?

A

Minimum of 15 years.
[Claim of negligence can be made up to 15 years after the negligent act occurred].

18
Q

What are the penalties for a data breach?

A
  • Fine (from ICO - enforced under DPA 2018).
  • Disciplinary action.
    [RICS - breach of the Rules of Conduct (competence, acting with integrity)].
    [Could lead to formal investigation, suspension or expulsion from RICS].

19
Q

If servers are kept abroad does the Data Protection Act apply?

A

Yes. If you process personal data in the UK, then the DPA 2018 and GDPR apply no matter where the servers are located.