GDPR Flashcards

1
Q

What is GDPR and what is its purpose?

A

The General Data Protection Regulation (GDPR) is a European Union law that sets out rules for how companies must protect the personal data of EU citizens. Its purpose is to give individuals more control over their personal data and to ensure that companies are transparent about how they use it.

2
Q

How does GDPR define personal data?

A

Personal data is any information relating to an identified or identifiable natural person. This includes names, addresses, email addresses, IP addresses, and other online identifiers. GDPR requires organizations to protect the personal data of individuals and ensure that it is processed in a secure and transparent manner.

3
Q

What are the 7 key principles of GDPR?

A

1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
4. Accuracy — You must keep personal data accurate and up to date.
5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Source: https://gdpr.eu/what-is-gdpr/

4
Q

What are some examples of personal data that organizations must protect under GDPR?

A

Personal data that organizations must protect under GDPR includes names, addresses, phone numbers, email addresses, IP addresses, biometric data, and financial information. Additionally, organizations must also protect any sensitive personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, and health information. Finally, organizations must also protect any data related to criminal convictions or offenses.

5
Q

How does GDPR define consent?

A

GDPR defines consent as a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to them. It must involve a clear affirmative action, such as ticking a box when visiting an internet website, or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Consent must be verifiable and easily withdrawn.

6
Q

What are the consequences of failing to comply with GDPR?

A

The consequences of failing to comply with GDPR can be severe. Organizations can face fines of up to 4% of their global annual turnover or €20 million, whichever is greater. Additionally, organizations may face reputational damage and legal action from customers and other stakeholders.

7
Q

What is a Data Protection Officer (DPO) and when is an organization required to have one?

A

The Data Protection Officer, or DPO, is an organization’s GDPR focal point and will have to possess expert knowledge of data protection law and practices. All organizations, regardless of the type or size, that handle EU residents’ personal information should have someone in the organization who is tasked with monitoring GDPR compliance (part of the “organizational measures” referred to in Article 25). That said, hiring an actual Data Protection Officer is only required by the GDPR if you meet one of three criteria:

1. Public authority — The processing of personal data is done by a public body or public authorities, with exemptions granted to courts and other independent judicial authorities.
2. Large scale, regular monitoring — The processing of personal data is the core activity of an organization that regularly and systematically observes its “data subjects” (which, under the GDPR, means citizens or residents of the EU) on a large scale.
3. Large-scale special data categories — The processing of specific “special” data categories (as defined by the GDPR) is part of an organization’s core activity and is done on a large scale.

Source: https://gdpr.eu/data-protection-officer/

8
Q

What are the steps an organization can take to ensure GDPR compliance?

A

GDPR outlines a detailed checklist that organizations can follow to take steps toward compliance. The checklist involves taking actions in the following areas:

1. Lawful basis and transparency
2. Data security
3. Accountability and governance
4. Privacy rights

Source: https://gdpr.eu/checklist/

9
Q

What is a Data Protection Impact Assessment (DPIA) and when is it required?

A

A Data Protection Impact Assessment (DPIA) is a process used to identify and reduce the data protection risks of a project or activity. It is required when processing operations are likely to result in a high risk to the rights and freedoms of individuals. A DPIA must be conducted before any processing begins and should be regularly reviewed to ensure that data protection risks are managed appropriately.

10
Q

How does GDPR impact the collection and storage of data from third-party vendors or partners?

A

GDPR requires organizations to be transparent about how they collect and store data from third-party vendors or partners. Organizations must ensure that the data is collected and stored securely and that individuals have the right to access, delete, or modify their data. Additionally, organizations must obtain explicit consent from individuals before collecting any personal data.
