C. Physical assessments

Question 1

Data Assessment

Answer 1

Help inventory and track personal information and determine the impact org systems/processes will have on Privacy

Question 2

Benefits of a Data Assessment (4)

Answer 2

1) Help identify privacy risks to individuals in advance and deal with them effectively
2) Help achieve more robust compliance
3) Help reduce cost in the long run

Question 3

Three types of Inventories/Records

Answer 3

1) Data inventory or data map
2) Inventory of applicable laws and regulations
3) Records of processing activities

Question 4

Data inventories help answer

Answer 4

1) How do you know where your personal information is?
2) How it is used in the organization
3) Why the data is important

Question 5

Data categorized by subject area helps

Answer 5

1) Identify inconsistent data
2) Remediate discrepancies in data
3) Determine which is the most/least important data

Question 6

Data inventory topics to cover (5)

Answer 6

1) Collection
2) Usage
3) Transfers
4) Retention
5) Destruction

Question 7

Responsibility of Data inventory

Answer 7

Often shared between Privacy and IT

Question 8

Elements of data inventory (11)

Answer 8

1) The nature of a repository of privacy-related information
2) The owner of the repository
3) Location of the repository
4) The volume of information in repository
5) Format of information
6) Use of information
7) Type of privacy related information
8) Where data is stored
9) Where data is accessed
10) International transfers
11) with whom the data is shared

Question 9

Data inventories can be used to (3)

Answer 9

1) address incidents and risk assessments
2) Help set organization’s priorities for privacy initiatives
3) Provide data locations, usage, storage, and access

Question 10

Methods to build Data inventory (3)

Answer 10

1) Spreadsheet
2) GRC software
3) Internally developed system

Question 11

Inventory of applicable laws and regulations considerations (3)

Answer 11

1) Gap analysis
2) International, local, and industry specific standards and laws
3) Including the legal team

Question 12

Why Records of Processing activities are important

Answer 12

Required for controllers and processors under GDPR

Question 13

What to include in Record of processing - both (3)

Answer 13

1) Name and contact information of the controller/processor
2) Any international transfers to third countries
3) General descriptions of security controls

Question 14

What to include in Record of processing - controller (4)

Answer 14

1) Purpose of processing
2) categories of data and categories of data subjects
3) Categories of recipients
4) Retention periods for various categories of personal data

Question 15

What to include in Record of processing - processor (1)

Answer 15

Categories of data and categories of processing

Question 16

Exceptions to requirement to provide detailed record of processing (3)

Answer 16

If the company has less than 250 employees and processing is

1) occasional
2) does not include sensitive personal information
3) not likely to result in risk to the data subject

Question 17

Data flow analysis

Answer 17

Helps meet the requirements of providing a detailed record of processing under GDPR