Chapter 10 (Security of Personal Data) Flashcards

1
Q

Article 5(1)(f) of the GDPR establishes what principle?

A

The security principle.

2
Q

Article 32 expands upon Article 5(1)(f) of the GDPR by setting out that the security principle requires what?

A

The taking of appropriate technical and organizational measures to ensure a level of security that is appropriate to the level of prevailing security risk.

3
Q

Are Articles 5(1) and 32 of the GDPR focused on controllers or processors?

A

Article 5(1) addresses the processing of personal data itself (the principles relating to processing); Article 5(2) then makes the controller responsible for, and able to demonstrate, compliance with those principles.

Article 32 is directed at both the controller and the processor.

4
Q

The accountability principle in Article 5(2), in conjunction with Article 24, places an obligation on whom to do what?

A

An obligation on controllers to demonstrate they are operating in a compliant fashion.

5
Q

What Article of the GDPR places an obligation on processors to demonstrate they are operating in a compliant fashion?

A

Article 28(3)(h) of the GDPR.

6
Q

What is the effect of Article 30 of the GDPR?

A

It requires controllers and processors to maintain records of their processing activities, which in practice forces them to understand the full extent of their data processing operations.

7
Q

Article 32 of the GDPR establishes what and whom does this obligation apply to?

A

It establishes the obligation to keep personal data secure, and it applies to both controllers and processors.

8
Q

What are the 3 domains of security covered by Article 32 of the GDPR?

A
  1. Preventative security
  2. Incident detection and response
  3. Remedial security
9
Q

What is preventative security?

A

The controller and processor should act so as to limit risks of insecurity.

10
Q

What is incident detection and response?

A

When security breaches happen, the controller and processor need to detect possible security failures and respond appropriately. Breach notification falls within this domain.

11
Q

What is remedial security?

A

In reaction to security risks and incidents, the controller and processor need to take steps to improve security.

12
Q

What does the phrase “appropriate technical and organizational measures” refer to within the context of the GDPR?

A

Controls to protect against complex technological threats such as malware and denial-of-service (DoS) attacks and other criminal threats, as well as to guard against negligent employees. Controllers and processors are required to implement these controls.

13
Q

Under the GDPR, does a security breach automatically result in a violation of the law?

A

No. A breach is an operational failure, and regulators cannot infer a legal failure from an operational failure alone; the question is whether the measures in place were appropriate to the risk.

14
Q

Article 32 of the GDPR requires what type of approach to making decisions about security controls? What 2 articles of the GDPR reinforce that approach?

A

Article 32 requires a risk-based approach to assessing what are appropriate controls.

Articles 25 and 35 reinforce the requirements for risk assessments.

15
Q

What are 3 aspects of Article 32’s risk assessments?

A
  1. Must reflect on the nature of the data to be processed and the reasonably foreseeable threats that may exploit vulnerabilities in business processes and technical systems
  2. Include a state-of-the-art test
  3. Must consider costs of controls
16
Q

Describe the state-of-the-art test employed under Article 32’s risk assessment.

A

It has the effect of requiring controllers and processors to consider industry best practices, not just industry average practices.

17
Q

What are 3 examples of the importance of the consensus of professional opinion in the realm of security?

A
  1. Encryption (adopted even before legally required because in a security sense it was the right thing to do)
  2. Requirements of “confidentiality, integrity, availability, and resilience” codified in Article 32(1)(b), reinforced by Article 32(1)(c) (restoring availability after an incident) and (d) (regular testing of the measures).
  3. Article 32(3) which talks about the role that can be played by codes of conduct and certification mechanisms in proving compliance with the security principle.
18
Q

Article 32(4) is concerned about what types of activities?

A

The activities of employees and other workers who act under the authority of the controller or processor. Essentially, a duty of confidence created by the work relationship.

19
Q

Article 28 contains specific provisions for what type of relationship?

A

The controller-processor relationship and the supply chain. It is concerned with the entirety of the relationship between the controller and processor and all the data protection principles, not just security.

20
Q

What is the intention of Article 28(1) of the GDPR with regard to the security principle?

A

To flow down the security principle and security requirements into the processor’s organization and through the supply chain to sub-processors.

21
Q

What device does Article 28 of the GDPR use to limit the controller’s use of processors?

A

It limits controllers to using only processors that can provide sufficient guarantees about the implementation of appropriate technical and organizational measures for compliance with the GDPR.

22
Q

What are some methods controllers can use to assess proof of processors’ competence in providing sufficient guarantees about implementing proper security controls?

A
  1. Inspections
  2. Third-party assessments
  3. Provision and validation of certificates
  4. Audits
23
Q

How does Article 4(12) of the GDPR define a personal data breach?

A

As a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

24
Q

Does the definition of a personal data breach under the GDPR include the risk of security breaches? How does this contrast with the security principle?

A

No. The mere risk of a security breach is not caught by the definition; an actual breach of security must have occurred.

By contrast, the security principle is forward-looking and seeks to prevent those risks from materializing.

25
Q

What requirements does Article 33 of the GDPR set out?

A

It sets out the requirements for:
1. Notification of personal data breaches to the data protection regulators, and
2. Keeping registers of breaches and the remedial action taken.

26
Q

What triggers a controller’s duty to notify appropriate DPAs?

A

The detection of a personal data breach event, i.e. once the controller becomes aware of the breach.

27
Q

Once a suspected breach is detected, what 2 things does a controller need to determine in order to decide whether notification is required?

A

A breach has to be notified if:
1. It meets the definition of a personal data breach, and
2. It is the kind of breach likely to result in a risk to the rights and freedoms of individuals.

28
Q

Is there a time limit of the controller’s duty to notify that a data breach has occurred?

A

Yes. It must make the notification without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; a notification made after 72 hours must be accompanied by reasons for the delay.

29
Q

When does a controller become aware of a data breach?

A

When that controller has a reasonable degree of certainty that a security incident has occurred that has led the personal data to be compromised.

30
Q

The WP29 guidelines suggest that controllers consider what 7 things when assessing whether a personal data breach should be notified?

A
  1. The type of breach
  2. The nature, sensitivity, and volume of personal data affected
  3. How easy it will be for a person in receipt of compromised data to identify the individuals affected
  4. The severity of the consequences for the individuals affected
  5. The special characteristics of the individuals affected
  6. The special characteristics of the controller
  7. The number of individuals affected
31
Q

What requirement does Article 33(5) lay out with regard to keeping records of breaches?

A

Controllers must maintain full records of every personal data breach they decide does not fall within the requirements for disclosure, as well as records for every breach that does.

32
Q

What are processors’ duties with regards to notification of data breaches?

A

They must notify the controller of all personal data breaches without undue delay, regardless of whether they think the breach poses a risk to data subjects’ rights and freedoms (that assessment is the controller’s to make).

33
Q

What does Article 34 of the GDPR require controllers to do?

A

To inform data subjects of personal data breaches if those breaches are likely to present high risks to the rights and freedoms of individuals.

34
Q

What are 3 exceptions to controllers’ duty to notify data subjects of breaches?

A
  1. Where measures have been taken to render personal data unintelligible (e.g. encryption)
  2. Where the controller has taken steps to prevent the high risks from materializing
  3. Where individual disclosure would involve disproportionate effort, which is most likely to arise where the controller is unable to identify all the individuals affected by the breach; in that case a public communication or similar measure must be used instead
35
Q

What are 2 contexts that can result in a high risk to data subjects, and thus trigger a controller’s duty to notify data subjects of a breach?

A
  1. Impact on a large number of data subjects, or
  2. A particularly large amount of damage to certain individuals.
36
Q

What are 4 examples provided by the WP29 of high-risk breaches that may require notification to individuals?

A
  1. Cyberattacks affecting online services that result in data exfiltration
  2. Ransomware attacks that encrypt data that are not backed up or cannot be easily restored
  3. Hospital medical records being unavailable for thirty hours due to a cyberattack
  4. A direct marketing email to multiple individuals that disclosed the e-mail address to every participant
37
Q

What 7 factors should processors and controllers address when designing their security failure responses?

A
  1. The performance of threat and vulnerability assessments and security maturity assessments
  2. The management of security
  3. Human factors
  4. The physical environment
  5. The cyber and technology environment
  6. The policy, controls, and business processes framework
  7. Incident detection and response
38
Q

The GDPR’s security rules identify what 2 things as appropriate technical and organizational measures that might be deployed as controls within a risk based approach to security?

A
  1. Pseudonymisation
  2. Encryption
39
Q

In addition to encryption and pseudonymisation, what are 6 other controls and mechanisms to consider as possible data security controls?

A
  1. Incident detection technologies
  2. Firewalls and perimeter security
  3. Antivirus and malware protection
  4. Endpoint protection and data loss prevention
  5. Intrusion prevention and protection
  6. Identity and access management technologies (including multi-factor authentication)
40
Q

In order to promote data security at the organizational level appropriate management structures are needed. An engaged management will do what 2 things?

A
  1. Know who is responsible for what, when, and why
  2. Create clear management structures
41
Q

What are 7 key components of a company having a good culture for security?

A
  1. Understanding the people risk (knowing the security risks within the job and how they will be addressed)
  2. The recruitment process being designed to get the right person for the job
  3. Components of offer letter and employment contract
  4. Providing core policy docs to employee after acceptance of offer
  5. Induction day training
  6. Continual and role based training
  7. Monitoring performance
42
Q

What is one of the first steps to achieving operational security under the GDPR?

A

Having adequate and well-kept paperwork documenting a company’s security policies, controls, and process frameworks.

43
Q

What 3 principles under the GDPR presuppose the creation and distribution of good security records?

A
  1. Data protection by design
  2. DPIAs
  3. The accountability principle
44
Q

Which is cheaper for regulators: operation-based or policy-based regulation? Why?

A

Policy-based, because it is quicker and more efficient: it can be performed at a regulator’s desk and produces more certain results, since determining the adequacy of paperwork is close to a box-ticking exercise.

45
Q

In the context of a 3-layered approach to security paperwork, what does each layer address?

A
  1. Layer 1: high level policy statements on controller’s position re confidentiality and security
  2. Layer 2: list controls that show how policies will be achieved
  3. Layer 3: operating procedures (the actual steps and processes to be followed to deliver the controls into operation)
46
Q

What are 2 key focuses of security technologies?

A
  1. The filtering of electronic communications
  2. The monitoring of use of IT and communication systems
47
Q

What are the GDPR’s 3 requirements for engaging data processors?

A
  1. Choose reliable processors
  2. Maintain quality control and compliance throughout the duration of the arrangements
  3. Frame the relationship in a contract or other legally binding act
48
Q

What 4 things should a controller’s contract with a processor contain?

A

Requirement that the processor:
1. Implement and maintain appropriate security measures
2. Act only on the controller’s instruction
3. Cooperate with the controller on compliance (including breach disclosure)
4. Cascade these requirements through the supply chain

49
Q

What 10 things should a controller consider at the due diligence stage when selecting a processor?

A
  1. Verifying the processor is cognizant of the core requirements of data protection
  2. Researching whether the processor has suffered any recent or high-profile breaches of confidentiality or security
  3. Clarifying whether the processor is currently or has been under investigation for any breaches of data protection law
  4. Identifying the processor’s other clients
  5. Clarifying whether the processor is accredited under any information security regime
  6. Reviewing the processor’s policy framework for security and data protection
  7. Carrying out site visits and inspections
  8. Carrying out audits
  9. Identifying the processor’s places of establishment
  10. Understanding the processor’s supply chain and subcontracting
50
Q

What are the 12 core requirements of a good incident response plan?

A
  1. Formal understanding and approval by senior leadership
  2. A governance model connected both to the anticipatory and response aspects of an incident response
  3. Principles for decision-making- the incident response team and everyone involved with the performance of incident response functions must know how, when, and why decisions can be made and for what purposes
  4. A list of who will be involved and what their roles will be
  5. Predictive, forward-looking outcome analysis
  6. Compulsory reporting up of “unusual” events
  7. A multidisciplinary/multi-jurisdictional expert view at the hint of detection, potentially including forensics and law enforcement
  8. Performance exercises, such as table top incidents
  9. Performance metrics- what is a successful response?
  10. Templates of public messages and communications
  11. Benchmarking against peers in the market place
  12. An update schedule to make sure the plan is in accordance with prevailing legal and regulatory environment.
51
Q

What 4 things should an org consider when making decisions about incident response functions?

A
  1. Ambitions v. Capabilities
  2. Gap analysis (between objectives and capabilities of response team)
  3. Discovery (what is being done, what is a hindrance, etc.)
  4. Reviewing previous events
52
Q

What does the NIS Directive advance?

A

The EU’s cybersecurity agenda that was first legislated in 2009.

53
Q

What are the 3 focuses of the NIS Directive?

A
  1. Seeks to compel the development of national cybersecurity strategies and structures by EU member states
  2. Seeks to improve the security levels of operators of essential services and digital providers by requiring member states to pass laws that set out security requirements and incident notification requirements for these entities.
  3. Seeks to enhance cooperation between CSIRTs themselves, and cooperation in the member states between their CSIRT and regulator communities
54
Q

What does CSIRTs stand for?

A

Computer security incident response teams

55
Q

What qualifies as essential services under the NIS Directive?

A

Operators of:
1. Energy
2. Water
3. Transport
4. Health
5. Banking sectors

As well as providers of digital infrastructures

56
Q

What makes an operator essential under the NIS directive?

A

If :
1. They provide a service that is necessary for the maintenance of critical societal or economic activities
2. Their service depends on network and information systems
3. An incident would have significant disruptive effects on the service

57
Q

Under the NIS Directive the security and incident notification requirements for operators of essential services includes what?

A
  1. Taking appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and info systems.
  2. Taking appropriate measures to prevent and minimize the impacts of incidents, particularly with a view to maintaining continuity of services
  3. Notifying their CSIRTs or regulators of incidents having significant impact.
58
Q

What are the 6 changes NIS 2 (published by the Commission on Dec. 2020) proposes making to the NIS Directive?

A
  1. Bringing new sectors into the regulation’s scope (e.g. postal and courier services, waste management)
  2. Introducing more prescriptive risk management rules for covered entities, covering matters like incident response and crisis management
  3. The EU will coordinate risk assessments of critical ICT services, systems, products, and supply chains
  4. A new system for ICT certifications will be introduced, which regulated entities may be required to certify against
  5. New harmonized financial penalty powers for infringements, of up to €10 million or 2% of annual worldwide turnover (whichever is higher)
  6. Enhancing supervisory powers to include powers for regulators to demand inspections, audits, and performance of security scans