Data Management Flashcards
What is GDPR?
EU General Data Protection Regulation
What is the purpose of GDPR?
Protects citizens personal data
What constitutes personal data?
any information relating to an identified or identifiable natural person (the Data Subject), i.e. anything that can be used, alone or combined with other data, to identify them
EG names, photos, email addresses, bank details, location data, online identifiers such as IP addresses
Examples of personal data under GDPR that could apply to property companies?
- investors' / fund managers' personal details
- valuations (where they relate to an identifiable individual, e.g. a private owner)
- background checks carried out by HR
- compliance checks (e.g. anti-money-laundering identity checks)
To what organisations does GDPR apply?
Any organisation, of any size, that processes personal data of individuals in the EU (controllers and processors, including those based outside the EU that offer goods/services to, or monitor, EU residents). Headcount is not a threshold for applicability: the 250-employee figure only relates to a limited exemption from keeping formal records of processing activities.
What are penalties for GDPR breaches?
Up to 4% of annual global turnover or 20 million euros (whichever is greater) for the most serious infringements; a lower tier of up to 2% / 10 million euros applies to other breaches
What is the ‘right to access’ under GDPR?
Individuals have the right to obtain confirmation that their data is being processed, to receive a copy of their personal data, and to be told why it is processed, who it is shared with and how long it is kept. Usually exercised through a subject access request, which must normally be answered within one month.
What is a breach notification under GDPR?
- a personal data breach must be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals' rights and freedoms
- if the breach is likely to result in a high risk to individuals, those affected must also be notified without undue delay
- a record of all breaches, including those not reported, must be kept
How are data breaches typically discovered?
- reviewing access logs (e.g. unexpected logins or bulk downloads)
- reported thefts
- lost equipment (laptops, phones, USB drives, paper files)
- investigation of a wider security incident (e.g. malware or phishing), or a report from a customer, employee or third party
How have consent conditions been strengthened under GDPR?
- consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (pre-ticked boxes or silence do not count)
- the request for consent must use plain and clear language and be separate from other terms and conditions
- it must be as easy to withdraw consent as it is to give it
- the organisation must be able to evidence that consent was given
What is the ‘right to be forgotten’ under GDPR?
Individuals have the right (the 'right to erasure') to have personal data erased in certain circumstances, for example:
- the data is no longer necessary for the purpose it was collected for
- the data has been processed unlawfully
- the individual withdraws consent or objects and there is no overriding legitimate ground
The right is not absolute: data can be retained where there is a legal obligation or other lawful basis to keep it.
What is data portability?
right for the data subject to receive personal data concerning them, which they have previously provided to a controller, in a structured, commonly used and machine-readable format, and to have it transmitted to another controller
What is privacy by design?
- legal requirement under GDPR ('data protection by design and by default')
- calls for data protection to be built in from the onset of designing systems and processes, rather than bolted on afterwards, and for the default settings to be the most privacy-protective
What is a Data Protection Officer?
- an individual appointed to monitor internal compliance with data protection law
- they advise on an organisation's data protection obligations and act as the contact point for the regulator and data subjects
- mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data; optional otherwise
Examples of data held by surveying practices?
- payroll and HR information
- customer data for marketing
- emails relating to clients / employees
What are obligations imposed by GDPR?
- have knowledge of what personal data is stored and processed, and on what lawful basis
- provide information to individuals on how their data is used and what rights they have (via a privacy notice)
- be able to demonstrate that data is being managed in a compliant manner (accountability)
- delete every instance of an individual's data when the 'right to be forgotten' applies
- keep data in a format that allows portability to another controller
Who regulates GDPR in the U.K.?
Information Commissioner's Office (ICO). Since Brexit the UK applies the 'UK GDPR' (the retained version of the EU regulation) alongside the Data Protection Act 2018.
RICS best practice points for complying with GDPR?
- conduct a data review / audit (what is held, where, why and for how long)
- anonymise or pseudonymise data where possible
- encrypt personal data where possible (on devices, in storage and in transit)
- treat confidential commercial data in the same way as personal data (even though it is not covered by GDPR)
What are your company policies for data protection breaches?
- report to line manager
- report to Data Protection Officer
RICS recommendations for using confidential information?
- document the purpose for which you are holding the information
- keep a record of consent (or other lawful basis) for processing, storage and retention
- check that you have appropriate contractual clauses covering the use of the information, including with any third-party processors
What information should be included in firms privacy notice?
- what personal information you hold and where it came from
- what the information will be used for, and the lawful basis for that use
- which third parties the information will be shared with
- how long the information will be stored for
- what legal rights individuals have (access, rectification, erasure, portability, objection, complaint to the ICO)
- the identity and contact details of the controller (and DPO, if one is appointed)
When did GDPR come into effect?
25 May 2018
What Act applies GDPR in the UK?
Data Protection Act 2018, which supplements GDPR in UK law and sets out the UK-specific exemptions and provisions
(replaced the Data Protection Act 1998)
What are the 7 data protection principles (GDPR Article 5, as applied by the Data Protection Act 2018)?
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality (security)
- accountability (the controller must be able to demonstrate compliance with the other six)