GDPR Training Refresher Quiz

Questions and Answers

Which of the following is NOT considered personal data under GDPR?

  • Purchase price of property
  • The weather forecast in London (correct)
  • Email address
  • Date of birth

According to the content, what is one of the key responsibilities of the Data Protection Officer?

  • Handling subject data access requests (correct)
  • Gathering and storing personal data for the organization
  • Processing personal data on behalf of the controller
  • Providing consent for the processing of personal data

What is the primary purpose of GDPR?

  • To protect personal data and privacy of individuals (correct)
  • To ensure the security of government databases
  • To collect personal data for statistical analysis
  • To regulate the use of social media platforms

Which of the following is NOT a legal basis for processing data under GDPR?

Financial Gain (C)

Which of these is a valid GDPR principle for processing data?

Processing data fairly and transparently (D)

If a company needs to process personal data for a specific purpose, which legal basis would be most appropriate if the data subject has explicitly agreed to the processing?

Consent (B)

What is the official name for the regulatory body mentioned in the content that oversees data protection in the UK?

Information Commissioner's Office (D)

What does the acronym GDPR stand for?

General Data Protection Regulations (A)

What is the purpose of collecting proof of funds?

To assess the suitability of tenants for a property (A), To check the financial capabilities of prospective buyers (D)

What is the minimum period for which personal data can be kept by Webbers?

The minimum period necessary for the purpose for which it is collected (B)

Which of the following is NOT a method of collecting personal data for property transactions as mentioned in the text?

Through social media platforms (C)

Which of the following is NOT a right of individuals under the GDPR?

Right to withdraw consent (B)

Based on the text, what is the primary function of a Subject Access Request (SAR)?

To provide an individual with their personal information held by a company (D)

What is one of the measures for compliance with accountability requirements?

Data protection policies (D)

Which of the following is considered a personal data breach?

Data encrypted by ransomware (D)

What should be done immediately after identifying a serious data breach?

Report to Karlie Baker (C)

Which action is NOT recommended for handling client data outside the office?

Leaving data overnight in a vehicle (B)

What must staff do to minimize the risk of a data breach?

Lock computers when leaving workstations (A)

Flashcards

GDPR

Regulations to protect personal data and privacy in the EU and UK.

Personal Data

Any information that can identify a person directly or indirectly.

Data Protection Officer

Responsible for data access requests and ensuring compliance with GDPR.

Data Controller

Entity that gathers and stores personal data (e.g., Webbers).

Legal Basis for Processing

Conditions under which personal data can be processed legally.

Consent

Explicit agreement from a person for their data to be processed.

GDPR Principles

Core directives that guide data processing, including legality and security.

Data Subject

The individual whom personal data is about.

Legitimate Interests

Data collection for market appraisals and legal compliance.

Contractual Data Collection

Personal data used for marketing, selling, and managing properties.

Right to Access

The right to request personal data a company holds on you.

Right to Erasure

The right to have personal data deleted, also known as the right to be forgotten.

Subject Access Request (SAR)

Legal right to request your personal data from an organization.

Accountability in Data Protection

Measures to ensure compliance with data protection laws.

Types of Personal Data Breaches

Examples include unauthorized access and loss of devices.

Reporting Data Breaches

Notify GDPO within 72 hours for serious breaches.

Client Data Handling Outside Office

Protocols for securing data in vehicles and avoiding visibility.

Staff Responsibilities to Prevent Breaches

Lock computers, secure data, and confirm consent.

Study Notes

UK General Data Protection Regulations Training Refresher

  • GDPR Officers:
    • Compliance Officer: Malcolm Prescott
    • General Data Protection Officer: Karlie Baker
    • Information Commissioner's Office Registration Number: Z5129639
    • The Webbers GDPR Policy is stored on the company L Drive.

GDPR

  • Definition: GDPR refers to regulations designed to protect personal data and privacy for individuals within the EU and the UK.
  • Who it applies to: Any organization based in the EU or UK that uses personal data, including processing by law enforcement, national security, and personal/household activities.

Personal Data

  • Definition: Any piece of information that can be used directly or indirectly to identify a person.
  • Examples: Names, addresses, phone numbers, email addresses, dates of birth, photo IDs, proof of funds, purchase/sale prices of property, and debt history.

Data Protection Roles

  • Data Protection Officer (DPO) - Karlie Baker: Handles subject data access requests, breach records, reports to the ICO, and maintains data protection compliance.
  • Controller: An entity that gathers and stores data, like Webbers.
  • Processor: Responsible for processing personal data on behalf of a controller.
  • Data Subject: The individual whom the personal data is about.

GDPR Principles

  • Collected for specific, explicit, and legitimate reasons: Data collected must have a clear and lawful purpose.
  • Processed lawfully, fairly, and transparently: Processing must be lawful and fair, and individuals must understand how their data is used.
  • Accurate and kept up-to-date: Data must be accurate and kept current.
  • Kept in an identifiable form for no longer than necessary: Data must be stored in a format that allows identification and only for the required period.
  • Processed with appropriate security: Data must be processed with appropriate security measures.
  • Adequate, relevant, and limited to what is necessary: Data collected must be adequate, relevant, and limited to what is necessary for the stated purpose.

Legal Basis for Processing

  • Consent: Unambiguous, informed, and explicit consent for processing personal data.
  • Contract: Processing personal data to fulfill a contract.
  • Legal Obligation: Processing required to comply with laws.
  • Public Task: Processing in the public interest.
  • Legitimate Interests: Processing as part of a legitimate business interest.
  • Vital Interests: Processing to protect someone's vital interests.

Webbers and Personal Data

  • Collection Methods: Emails, phone calls, property portals, tenancy applications, proof of funds, and face-to-face interviews.
  • Data Collection (Legitimate Interests): Market assessments, providing information to buyers, sellers, and tenants, and complying with legal obligations.
  • Data Collection (Contractual Reasons): Marketing, selling, letting of a property, finding suitable purchasers/tenants, managing properties, and completing transactions.
  • Data Storage: Can be kept in locked filing cabinets or on a computer system with appropriate security measures and stored only for the required minimum period.

Individual Rights Under GDPR

  • Right to be Informed: About collection and use of personal data.
  • Right to Access: Known as a Subject Access Request (SAR).
  • Right to Rectification: To have inaccurate information corrected.
  • Right to Erasure: Also known as the right to be forgotten.
  • Right to restrict processing: Request the restriction of data processing.
  • Right to Data Portability: Information a data subject has provided to a controller that can be transferred.
  • Right to Object: Absolute right to stop data being used for direct marketing.
  • Rights relating to automated decision-making and profiling

Subject Access Request (SAR)

  • Definition: Everyone in the UK has the legal right to request access to personal information held on them by a company.
  • How to submit: Individuals need to write or email the organization with name, address, contact information and details of the specific information they need along with dates.
  • Timeframe: Companies have one month to provide this information and they aren't allowed to charge.
  • Webbers Policy: All SAR requests should be sent to Karlie Baker, the DPO.

Accountability and Governance Measures for Compliance

  • Data protection policies: Data protection policies, documentation of processing activities, written contracts with data processors, and security measures.
  • Activities: Recording/reporting of breaches, adhering to codes of conduct, and annual policy reviews.

Data Breaches

  • Examples: Unauthorized third-party access, incorrect recipient of data, alteration without permission, data encrypted by ransomware, devices being lost/stolen, accidental loss/destruction of data.
  • Reporting Procedure: Immediate report to Karlie Baker (DPO), who will record breaches and advise the ICO within 72 hours for serious breaches.

Handling Client Data Outside the Office

  • Data security measures: Secure data in vehicles, prevent visibility of data through vehicle windows, avoid overnight storage of data in vehicles, shred diary printouts/notes, store data in plain folders or briefcases.

Staff Responsibilities

  • Data Breach Avoidance: Lock computers when leaving workstations; ensure secure storage of personal data in locked cabinets and proper disposal of confidential waste; confirm and document client consent for third-party data sharing; inform the appropriate personnel if there is a data breach; and ensure contractors and developers have confirmed their GDPR policies are effective.
  • Marketing Consent: Ask for marketing consent with each client, including second applicants as necessary.
