CIPPE - Module 9 - Security of Processing Flashcards

1
Q

What does Article 32 say about security of personal data processing?

A
  1. Controllers and Processors must implement appropriate TOMs to ensure a level of security appropriate to the risk.
2
Q

According to A32, what must the TOMs consider?

A
  1. State of the Art - consensus of security experts
  2. Costs of implementation
  3. Nature, scope, context and purpose of processing
  4. Level of risk to the data subject in case of breach
  5. Security measures commensurate with the risks.
3
Q

What do TOMs consist of?

A
  1. Technical controls - encryption, pseudonymization etc.
  2. Organizational policies and procedures
  3. Ability to ensure the confidentiality, integrity, availability and resilience of data
  4. Ability to restore availability and access to personal data.
  5. Process for regularly testing, assessing and evaluating controls.
4
Q

What are security controls? What are their attributes?

A

Security controls are the processes used to ensure security of the information system.
Their attributes are:
1. Confidentiality - data is accessed only on a need-to-know basis
2. Integrity - ensures that data is accurate and complete
3. Availability - ensures data is accessible when needed
4. Resilience - data is able to withstand and recover from errors and threats

5
Q

What are the obligations of the DC vis-a-vis data processors per Article 28?

A
  • Controllers can only use processors who provide sufficient guarantees for implementing appropriate TOMs.
  • A contract (or other legally binding instrument) must govern the relationship
  • “Sufficient guarantees” may also include vetting of DPs and audits.
  • Vetting may include pre-procurement due-diligence (RFI/RFP), recent incidents, the level of a processor’s knowledge, current investigations, accreditations, sub-processors used.
6
Q

What are some of the issues that a contract between DC and DP must address, per Article 28?

A
  • Subject matter, duration and nature
  • Nature and purpose
  • Types of personal data
  • Categories of data subjects
  • Obligations and rights of the controller.
7
Q

What are the terms that the contract between DC and DP must address?

A
  • DP must process only on DC’s documented instructions.
  • DP personnel must be under confidentiality commitment
  • Implement TOMs per Article 32 for security of processing
  • Assist DCs with requests from DS.
  • Assist DCs with ensuring compliance with security requirements
  • Make available to controller all information necessary to demonstrate compliance
  • Delete all data at the end of the services
  • Help with audits.
  • Not engage a sub-processor without DC’s consent, impose contracts on the sub-processor, and ultimately be liable if sub-processor does not fulfill its obligations.
8
Q

What are the data breach notification requirements in GDPR?

A
  • Articles 33 & 34
  • DP must notify DC without undue delay (no time limit specified)
  • DC must notify SA within 72 hours of becoming aware (otherwise must explain delay)
  • Becoming aware - starts once there is a reasonable indication of a breach, which happens after an investigation
  • DC only needs to report if the breach affects data subjects
9
Q

What must the DC include in its breach notification to SA?

A
  1. Categories of data subjects
  2. Number of data subjects and records
  3. Categories of data records
  4. Name and details of the DPO
  5. Consequences of the breach
  6. Measures taken to contain the effects

Controllers should also keep documentation of all security incidents.

10
Q

What must the DC include in its breach notification to DS?

A
  1. Clear and plain language notification
  2. Notification is not necessary when:
    a) encryption has rendered the data useless
    b) other post-breach measures reduce the risk to the DS
    c) individual notice would require disproportionate effort; in this case, a public notice may be appropriate.

SA may override the DC and force them to provide the notice.

11
Q

What is the NIS Directive?

A

Network & Information System Security Directive - effective as of May 2018
EU-wide cybersecurity law
Not specific to personal data
Three focus areas:
a) National capabilities
b) Cross-border collaboration
c) National supervision of critical sectors

12
Q

What are security controls in practice in an enterprise?

A
  1. Employee Buy-in - e.g. sign a contract at the beginning of employment
  2. Policies and procedures in place
  3. Physical Controls
  4. Digital Controls
  5. Incident Response