Data Management

Question 1

What is GDPR? 

Answer 1

General Data Protection Regulation

Relates to personal data

Aims to create a single data protection regime for anyone doing business in the EU and to empower individuals to take control of how their data is used by third parties

Gives people stronger rights to be informed about how their personal information is used

Question 2

When did GDPR come into effect?

Answer 2

25 May 2018  - same day as Data Protection Act 2018 which was to incorporate new EU GDPR Legislation.

Question 3

Who regulates GDPR in the UK? 

Answer 3

Information Commissioners Office 

Question 4

Key persons outlined in GDPR?

Answer 4

Controller - A data controller determines the purposes and means of the processing of personal data

Processor - A processor engages in personal data processing on behalf of the controller.

Data Protection officer - Responsible for overseeing the data protection approach, strategy and implementation

Question 5

What is the purpose of GDPR?  

Answer 5

Protect citizens personal data 

Question 6

What constitutes personal data? 

Answer 6

Any information related to a person or ‘Data Subject’ that can be used to identify a person e.g. names, photo, email address, bank details, etc 

Question 7

Examples of personal data under GDPR that could apply to property companies? 

Answer 7

Data relating to investors, fund managers, valuations, compliance, background checks by HR, etc 

Question 8

What Act implemented GDPR in the UK? 

Answer 8

Data Protection Act (2018)  - controls how your personal information is used by organisations, businesses or the government. It is the UK’s implementation of the GDPR

Replaced Data Protection Act 1998 

Question 9

What are the 7 principles of Data Protection Act 2018? (AKA 7 principles of GDPR)  LAAPSID

Answer 9

Lawfulness, fairness, transparency 

Accuracy  

Accountability  

Purpose limitation 

Storage limitation 

Integrity and confidentiality 

Data minimisation 

Question 10

8 individual rights under GDPR? 

Answer 10

Right to Information 

Right to Access 

Right to Rectification 

Right to Erasure 

Right to Restrict Processing 

Right to Data Portability 

Right to Object 

Right to Automated Decision-Making  

Question 11

To what organisations does GDPR apply? 

Answer 11

GDPR applies to any and all businesses and organisations which are responsible for handling personal data in the European Union (and the UK)

Question 12

What are penalties for GDPR breaches? 

Answer 12

Power to issue fines of up to £17.5 million (20M euros) or 4% of your annual worldwide turnover, whichever is higher.

Question 13

What is the ‘right to access’ under GDPR? 

Answer 13

Individuals have the right to obtain confirmation that their data is being processed, and access to their personal data 

Question 14

What is a breach notification under GDPR? 

Answer 14

Need to report within 72 hours of becoming aware of breach  

If breach high risk, then need to notify the individual without delay 

Question 15

How are data breaches typically discovered? 

Answer 15

Access logs, reported thefts, lost equipment or data security incident  

Question 16

How have consent conditions been strengthened under GDPR? 

Answer 16

Consent must be given using plain and clear language 

Must be as easy to withdraw consent as it is to give it  

Question 17

What is ‘right to be forgotten’ under GDPR? 

Answer 17

Under Article 17 of GDPR, individuals have right to have personal data erased in certain circumstances 

Data no longer necessary for original purpose

Data been processed unlawfully 

Question 18

What is data portability? 

Answer 18

Right for data subject to receive personal data concerning them which they have previously provided, and have it transmitted to another controller 

Question 19

What is privacy by design? 

Answer 19

Legal requirement under GDPR  

Calls for inclusion of data protection from onset of designing systems, rather than as addition 

Question 20

What is data protection officer?

Answer 20

An individual appointed to monitor internal compliance and advise on an organisations data protection obligations  

Only required if organisation is public body, authority or carrying out certain type of processing activity 

Question 21

Examples of data held by surveying practices?  

Answer 21

Data held to help service a Client (accounting info, compliance systems)

Emails and other correspondence

Other physical records held on file

Customer data held for marketing purposes

Question 22

What are obligations imposed by GDPR? 

Answer 22

Must have knowledge of the data you store and process (including its location and security)

Have to be able to delete every instance of an individuals data

Must demonstrate compliance in managing data

Must be able to prove how information is being used

Must offer data portability

Question 23

RICS best practice points for complying with GDPR? 

Answer 23

Conduct data review  

Anonymise data where possible  

Encrypt everything where possible  

Treat commercial data in same way as personal data, even though not covered by GDPR 

Understand the data process

Question 24

What are your company’s policies for data protection breaches? 

Answer 24

Report to line manager or Data Protection Officer within the firm 

Question 25

RICS recommendations for using confidential information? 

Answer 25

Document purposes for which you are allowed to hold information  Keep record of consent for processing, storage and retention   Check if you have appropriate contractual clauses for use of information 

Question 26

What information should be included in firms privacy notice? 

Answer 26

What information you have  What information will be used for  Which third parties information will be shared with  How long information will be stored for   What legal rights they have 

Question 27

What is SAR? 

Answer 27

Subject Access Request   Demand that the individual be given all the information that a company holds on them 

Question 28

What was the Freedom of Information Act? 

Answer 28

Came into effect in 2000  Allows an individual to request access to information held by a public body  Public body is required to provide that information (within 20 working days) in requested format  They can charge a fee for this    

Question 29

What are the provisions of the Land Registry Act (2002)? 

Answer 29

Provides a complete and accurate reflection of the state of the title of the land at any given time   Aim is to get all freehold land in England and Wales registered by 2030 

Question 30

What is required for a Land Registry Compliant Plan?

Answer 30

Drawn to scale of 1:100 or 1:200 Have a scale measurement bar Have the scale noted on a plan Include a 1:1250 scale map of the location Full address North point Demise in red outline

Question 31

What is the difference between a deed and a registered title?

Answer 31

Deed is a physical document declaring a person's legal ownership Registered title is ownership recorded with Land Registry electronically

Question 32

Are electronic signatures accepted by the Land Registry?

Answer 32

Yes, witnessed electronic signatures accepted from July 2020

Question 33

Disadvantages of the systems you use? 

Answer 33

Rely on data input completed by others - human error  External systems - firm is not in control of security   Not user friendly and lots of staff training required!

Question 34

How did it tighten up the former DPA 1998? 

Answer 34

Customer has greater control over their data   Harsh penalties if fail to comply - up to £17.5M GDPR is binding piece of legally enforceable regulation   Applies to all EU nations (inc. UK) and every company holding data on EU citizens   Breaches have to be reported to the relevant authorities within 72 hours   Companies will be accountable for data protection  Any firm with over 250 people requires a dedicated data protection officer 

Question 35

How do you comply with GDPR in your role? 

Answer 35

I report suspected breaches I do not give out confidential or personal information I keep records of consent for processing, storing and retaining data I understand the information we hold that is protected by GDPR

Question 36

Give me an example of how you process and handle confidential information. 

Answer 36

I use document systems to add, amend and remove information - Data input forms When sending information to solicitors, i ensure files are uploaded to a secure data room Anonymised employee liability information for TUPE Password and account to enter management systems

Question 37

What does encryption mean?

Answer 37

Mathematical function that encodes data in such a way that only authorised users can access it

Question 38

What is a fire wall?

Answer 38

Network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules

Question 39

Tell me about how you extract data from a source regularly used in your role?

Answer 39

Extract data from leases and enter into a new lease input form. This is securely sent to Data Input who then upload the information to TRAMPS/Horizon where the data is held securely for those with password access

Question 40

Can you tell me about the retention of files and the Limitations Act 1980?

Answer 40

Section 5 of Limitations Act 1980 says legal action must be brought within 6 years of issue arising Business then have a responsibility to keep documents for at least 6 years after they expire

Question 41

Give me an example of how you ensure that data is kept securely. 

Answer 41

Access is restricted to users by password Firewalls in place by IT team to protect against hacking Appropriate training undertaken to understand processes

Question 42

What is copyright? 

Answer 42

The exclusive and assignable legal right given to the originator for a fixed number of years, to print, perform, film or record literacy, artistic or musical material. 

Question 43

Can copyright be transferred?

Answer 43

Yes

Question 44

What is an AVM?

Answer 44

Automated Valuation Model - Mathematical / Statistical modelling with databases of existing properties and transactions to calculate real estate values

Question 45

Does RICS provide any guidance on AVM?

Answer 45

INSIGHT PAPER - RICS Road Map: Automated Valuation Models Roadmap for RICS members and stakeholders, 2021

Question 46

Explain the growing use of AVMs in the industry?

Answer 46

Use of computer modelling in the science of valuation has merit in a world with increased availability and use of data - may reduce expensive litigation

Question 47

What is an Electronic Document Management System?

Answer 47

Type of software that stores, organises and manages documents in the form of electronic files -> Sharepoint

Question 48

How do you ensure GDPR compliance and security in office?

Answer 48

Clear desk policy, lock screens, external back-up drive, password protection

Question 49

How do you monitor compliance on QUOODA/riskwise?

Answer 49

Linked to my email so get notified if action required or if document is non-compliant Get notified if document becoming overdue in next 30 days/ of any actions

Question 50

How do you apply your firms data protection policy?

Answer 50

I report suspected breaches I anonymise data where possible I don't send protected data unless it is to the individual it concerns I use password protections

Question 51

How to ensure data accuracy? 

Answer 51

Check against original document  Have it double checked by colleague

Question 52

What are CPSEs?

Answer 52

Commercial Property Standard Enquiries

Question 53

If a tenant would like to access CCTV footage, what is required? 

Answer 53

Subject Access Request - can only be given to police/insurers Liaise with Data Protection Officer on what is required / what can be given

Question 54

How do you store confidential data in your office? 

Answer 54

Login to password protected system that uses dual-factor authentication (face ID and code)  Keep data anonymised if it is personal data 

Question 55

What would you do if you realised that you had received confidential data in an email, from another surveyor, which you should not have seen? 

Answer 55

Cannot use information for own purposes  Client and sender/receiver should be advised of error  Matter should be recorded in note to firms Compliance Officer  Dispose securely of the information

Question 56

How do you ensure the data on the systems you use is accurate?  

Answer 56

Internal and external systems get audited   Prelists get raised 

Question 57

Benefits of cloud based storage systems?

Answer 57

Info backed up securely on encrypted servers Environmentally friendly Multiple users can assess the same docs Often cheaper

Question 58

Non-disclosure agreement - NDA

Answer 58

Used to protect against the disclosure and sharing of any confidential data

Question 59

If two separate department within your firm were working for two rival companies how would you ensure client sensitive data was managed?

Answer 59

Make clients aware of risks Conflict of interest check Seek letter of instruction that both parties are happy for us to continue Implement an information barrier

Question 60

What things must companies put in place to ensure GDPR compliance?

Answer 60

Raise awareness across your business - via training Audit all personal data Update privacy policy Review how we seek, obtain and record consent.

Question 61

Data portability

Answer 61

individuals or organizations have control over their data and can easily switch

Question 62

How have you advised client on DM

Answer 62

Recognised MEES coming to force old managing agents didn’t have a tracker for EPC

Question 63

Horizon limitations

Answer 63

3rd party we don't have control of the security Human error Training not user friendly