Chapter 2H: Accountability Requirements Flashcards

1
Q

How can ‘accountability’ be defined?

A

Best described as the different obligations with which an organisation must comply in order to show and evidence their compliance with the data protection framework.

2
Q

Where was the concept of accountability first outlined?

A

In 1980 in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

N.B. it was also featured in the Data Protection Directive (not explicitly, but the issues that support the principle were addressed, e.g. the requirement for orgs to register with national DPAs)

3
Q

What do regulators expect of companies in relation to ‘accountability’?

A

Companies should be able to show that they have developed and embedded a culture of data protection within their corporate DNA.

4
Q

In what article of the GDPR is accountability first introduced?

A

Article 5.

5
Q

Article 5(2) specifically provides that not only is the data controller responsible for complying with the six principles set out in Article 5(1), but that it must also…

A

Be able to demonstrate compliance with the 6 principles.

6
Q

Article 24(1) codifies the accountability obligation and requires data controllers to…

A

‘Implement appropriate technical and organisational measures to ensure that data processing is performed in accordance with the regulation and review and update those measures where necessary’ - those measures should take into account the nature, scope, context and purposes of the processes and the risks to the rights and freedoms of individuals.

If the relevant processing results in a higher risk to the rights of the individual, they need to adopt greater measures to protect against the risk.

7
Q

Recital 75 provides some examples of high risk processing - including processing which gives rise to……

A

Discrimination
Identity theft, fraud or financial loss
Reputational damage
Loss of confidentiality of personal data protected by professional secrecy
Unauthorised reversal of pseudonymisation
Any significant economic or social disadvantage
Processing which deprives individuals of rights and freedoms or prevents them from exercising control over their personal data
Processing special categories of personal data, the personal data of children or personal data relating to criminal convictions.

8
Q

Article 24(2) introduces the requirement that the data controller should implement…

A

Appropriate data protection policies - but just implementing policies is unlikely to be enough, and controllers should consider internal policies, internal allocation of responsibilities and training to achieve compliance.

9
Q

What should an internal policy re: data protection do?

A

Outline the basic contours of the measures to take in the processing and handling of personal data.

10
Q

What should an internal policy re: data protection cover in scope?

A

The policy should include a brief statement that explains to whom the internal policy applies and the type of processing activities it covers.

11
Q

What should the policy statement in an internal data protection policy cover?

A

The company’s commitment to or position that concerns personal data processed.

A description of the purposes for which it collects and processes personal data and a specification of the types of legitimate business purposes for this.

Reiterate the principles of processing personal data (Article 5(1)) as the applicable fundamental principles should be addressed within the internal policy.

12
Q

What employee responsibilities should an internal data protection policy put in place?

A

The different areas for which employees are directly responsible when processing personal data, including the limitations around the use of the collected personal data and the steps that must be followed in order to ensure that the personal data is maintained accurately.

In addition:
Security obligations
Any steps that should be taken before transferring any personal data
Responsibilities re: destruction or deletion of personal data

13
Q

What does an information security policy typically address?

A

Detailed technical standards that apply to the physical and digital security of all data held.
Some companies base these policies on industry standards, such as ISO 27001/2

14
Q

What should an internal data protection policy put in place re: management responsibilities?

A
  • A clear list of senior management roles across the business that are responsible for assessing business risk arising as a result of personal data
  • A clear list of who those senior managers must work with to develop procedures and controls and identify and address risks appropriately (e.g. an internal DPO)
  • Clearly outline responsibilities for everything from determining risk-based technical, physical and administrative safeguards to establishing procedures and requirements for transferring personal data to countries other than the collection country, etc.
15
Q

What should an internal data protection policy outline re: reporting incidents?

A

Employees should be expressly required to immediately report all incidents that involve suspected or actual loss, theft, unauthorised disclosure or inappropriate use of personal data (clearly identify to which business areas a report should be made). Timescales should be made clear.

There should also be a clear path for incidents raised by a third party processor to an employee.

Incident response teams should be called out in the policy.

16
Q

What should an internal data protection policy outline re: compliance?

A

Non-compliance or failure to comply with applicable data protection laws could mean that an employee may subject the company and the individuals involved to civil and criminal penalties - which could severely damage the company’s reputation. Therefore failure to comply with the policy may result in disciplinary action.

17
Q

What approach should an organisation take to the internal allocation of responsibilities?

A

The data controller must be able to demonstrate and provide information to DPAs about their various data protection management resources and also take primary responsibility for the internal data protection framework to ensure internal compliance.

A privacy team or council would comprise representatives from either business function areas or business key stakeholders; alternatively, or simultaneously, an individual could be appointed to hold primary responsibility for the data protection framework (a DPO).

18
Q

What training should a data controller devise?

A

A series of internal training programmes designed to address and inform employees of legal data protection obligations and policy requirements.

The controller should document and monitor rollout and completion rates, and also create and deliver regular messages and updates to remind employees of their privacy obligations.

19
Q

What is the requirement of ‘privacy by design and by default’?

A

The requirement to integrate necessary safeguards for data processing ‘by design and by default’ (i.e. embedding data protection into design of new systems, projects, technologies).

20
Q

Privacy by design was designed to…

A

Promote privacy and data protection compliance from the outset of the development of new products, services or technologies which in turn reduces privacy risks.

Logically should also address ongoing operation and management of such developments to enable companies to deal effectively with the entire life cycle of any personal data processed.

21
Q

Privacy by default requires companies to…

A

Implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each purpose of the processing is processed.

Companies should take steps not only to limit or minimise what they collect, but to exercise greater controls over the extent of their processing.

The period of storage means that ‘by default’ companies should only hold personal data to the extent necessary for intended use and purposes. They should not store it for longer than necessary.

22
Q

How can companies comply with privacy by design and by default?

A

Article 25 provides that an approved certification mechanism - created pursuant to Article 42 of the Regulation - may be used to demonstrate compliance; however, this is currently theoretical.

23
Q

When implementing appropriate technical and organisational measures, as expected by Article 25, data controllers must take account of factors including…

A

State of the art
Cost of implementation
Nature, scope, context and purposes of processing
Varying likelihood and severity for rights and freedoms of natural persons

24
Q

What type of technical measures can be taken to ensure compliance with privacy by design and by default?

A

Minimising the amount of personal data processed
Pseudonymisation
Allowing individuals greater control over their personal data and visibility over what is being processed
Applying appropriate security standards

25
Q

To ensure compliance with Article 25, companies should review and assess data processing systems and operations to determine whether

A
  • Personal data is appropriately mapped, classified, labelled, stored and accessible to comply with data rights
  • Systems are set up for automated deletion in line with retention
  • Paper based forms and applications are drafted appropriately to ensure they do not collect excessive data
  • Personal data can be pseudonymised, where possible
  • Personal data can be singled out (e.g. opt out of marketing)
  • Personal data is structured in a commonly used, machine readable format to satisfy data portability

26
Q

The regulation has made changes from the directive’s obligation to notify a DPA of any processing; instead, it requires a company to keep records on processing - the requirements for this are…

A
  • They need to be in writing, which includes an electronic form
  • May need to be available to a DPA on DPA’s request

There is still a DPA registration requirement in the UK; companies must register with the ICO and pay the applicable fee on an annual basis, and failure to do so may result in action being taken by the ICO.

27
Q

Article 30 outlines the records that must be kept by data controllers and processors - for a data controller, this record must include…

A

Controller’s name and contact details, and the name and contact details of any joint controller, representative or DPO

Purposes of processing

Description of categories of data subjects and categories of personal data

Categories of recipients for disclosure and where applicable confirmation of third country and appropriate safeguards

Retention period

Technical/organisational security measures

28
Q

Article 30 outlines the records that must be kept by data controllers and processors - for a data processor, this record must include…

A

Processor’s name and contact details, and the name and contact details of representatives and DPOs

Name and contact details for each controller and, where applicable, their representatives and DPOs

Categories of processing carried out for each controller

Details of the transfers of personal data to third countries, including identification of the transferee third country and documentation of appropriate safeguards

A general description of the processor’s technical/organisational methods

29
Q

Which companies are exempt from ROPA?

A

Companies that employ fewer than 250 people - however this does not apply if the processing

  • is likely to result in a high risk to the rights and freedoms of data subjects
  • is frequent and not occasional
  • involves special categories of data
  • involves data re: criminal convictions and offences

Most personal data will be caught by one of the above, so the exemption will rarely be usable in this light.

30
Q

What is a DPIA?

A

Data Protection Impact Assessment - a process by which companies can assess and identify the privacy and data protection impacts of any products they offer and services they provide. It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimise the risk of those impacts.

31
Q

When does the regulation make a DPIA mandatory?

A

Projects likely to create high risks or before proceeding with any ‘risky’ personal data processing activities.

Risky types of processing are outlined in Article 35(3)

32
Q

Risky types of processing are outlined in Article 35(3)

A

Systematic and extensive profiling that produces legal effects or significantly affects individuals

Processing activities that use ‘special categories of personal data’ on a large scale

The systematic monitoring of a publicly accessible area on a large scale

33
Q

WP29 published revised guidelines on DPIA’s and determining whether processing is likely to result in a high risk on…

A

4 October 2017 (2016/679)

34
Q

When an assessment is required the company should seek the advice of…

A

Its DPO, if one is appointed, when carrying this out.

35
Q

Under Article 35(7) of the regulation, the DPIA must contain and document at least the following -

A

A description of the envisaged processing operations and the purposes of the processing, including any legitimate interests pursued

Assessment of necessity and proportionality of the processing operations in relation to the purposes

An assessment of risks to rights and freedoms of individuals

The measures adopted to address risks, including safeguards, security measures and mechanisms to ensure protection of personal data

When appropriate, it may also be necessary to seek the views of affected individuals or their representatives.

36
Q

When a DPIA has been completed and it poses a high risk with no sufficient measures capable of mitigating the risk, the controller will be required…

A

To consult their DPA before commencing processing. If consultation is required, it may take time to consider whether the company’s processing activities are compatible with requirements under the regulation (8 weeks with the option to extend by 6 weeks and the power to suspend if waiting for information from the controller).

37
Q

Under what circumstances must a controller or processor appoint a DPO…

A

When processing is carried out by public authority

If the core activities of the controller or processor consist of regular and systematic monitoring of individuals on a large scale

If the core activities consist of processing special categories of personal data on a large scale

38
Q

In revised guidance adopted by WP29 on 5 April 2017, how does WP29 define ‘core activities’?

A

Key operations necessary to achieve the controller’s or processor’s goals (i.e. data processing is an inextricable part of the controller’s or processor’s activity).

39
Q

How does WP29 define ‘large scale’?

A

With particular reference to the number of data subjects rather than the size of the organisation - this means an org with few employees may engage in large scale processing if it serves a large customer base. Factors to consider:

  • The number of data subjects concerned
  • The volume of data or the range of different data items being processed
  • The duration of the data processing activity
  • The geographical extent of the processing activity

40
Q

‘Regular and systematic monitoring of data subjects’ includes all forms of internet based tracking and profiling but is not restricted to the online environment and online tracking. The WP29 interprets ‘regular’ to mean one or more of the following…

A

Ongoing or occurring at particular intervals for a particular period
Recurring or repeated at fixed times
Constantly or periodically taking place

41
Q

‘Regular and systematic monitoring of data subjects’ includes all forms of internet based tracking and profiling but is not restricted to the online environment and online tracking. The WP29 interprets ‘systematic’ to mean one or more of the following…

A

Occurring according to a system
Prearranged, organised or methodical
Taking place as part of a general plan for data collection
Carried out as part of a strategy

42
Q

The regulation provides that a DPO must be appointed if required by member state law - true or false?

A

True.

But although DPOs will be mandatory in the public sector, private sector commercial organisations will need to assess themselves against criteria to decide whether to appoint a DPO.

43
Q

A DPO can be appointed for several undertakings but

A

Subject to the condition they are easily accessible to all.

44
Q

What is the role of the DPO?

A

To be involved properly and in a timely manner on all issues relating to the protection of personal data.

To operate independently and be un-dismissable (can have other roles provided they don’t give rise to conflict of interest)

45
Q

What is the limitation to the length of tenure of a DPO?

A

There is none - DPOs can be appointed for a fixed term, or the role can be terminated upon notice for performance or conduct issues.

46
Q

What should a DPO’s reporting line be?

A

Highest management level of a company; they should also have access to the company’s data processing operations and sufficient knowledge and expertise.

47
Q

DPOs need the ability to…

A

Inform and advise the company and the employees of their obligations under the regulation

Monitor compliance with company policies, including managing internal data protection activities, training staff and conducting internal audits

Provide advice concerning the DPIAs and monitor performance

Cooperate with supervisory authorities

Act as point of contact for supervisory authority on issues relating to processing, etc.

48
Q

What is a BCR?

A

Binding corporate rules - a privacy framework or code implemented by companies to support accountability frameworks, sometimes referred to as the gold standard of global data protection.

BCRs compel organisations to demonstrate compliance with all aspects of applicable data protection legislation. They are a laborious undertaking.

49
Q

Who created BCRs?

A

The European Commission to facilitate cross-border transfers of personal data.

50
Q

BCRs allow personal data to…

A

Move freely between various entities of a corporate group worldwide by ensuring that all members of the group comply with the same high level of protection by means of a single set of binding and enforceable rules.

51
Q

Under BCRs, the privacy compliance framework, among other things, must…

A

Show that a policy is in place, employees are aware of it and have been trained, a person responsible for compliance has been appointed, audits are undertaken, a system for handling complaints has been set up and the organisation is being transparent about data transfers.