Data Management

Question 1

Who regulates GDPR in the UK?

Answer 1

Information Commissioners Office

Question 2

What are the keys persons outlined in GDPR?

Answer 2

Controller - decides how and why personal data is used
Processor - handles personal data on behalf of controller
Data officer - oversees data protection and ensures compliance

Question 3

What is the purposes of GDPR?

Answer 3

Protects citizens information

Question 4

What act implemented GDPR in the UK?

Answer 4

Data Protection Act 2018, replaced Data Protection Act 1998

Question 5

What are the 7 principal of GDPR?

Answer 5

Lawfulness, transparency & fairness
Accountability
Accuracy
Purpose Limitation
Storage Limitation
Integrity & Confidentiality
Data minimisation

Question 6

What are the 8 individual rights under GDPR?

Answer 6

Right to be informed
Right of Access
Right to Rectfication
Right to Forgotten (erasure)
Right to Restriction Processing
Right to Data Portability
Right to Object
Rights related to Automated Decision making and Profiling

Question 7

Who does GDPR apply to?

Answer 7

Any and all business and organisations responsible for holding data.

Question 8

What are the penalties for breaches to GDPR?

Answer 8

Fine of up to 17.5 million, or 4% of your annual turnover, whichever is higher

Question 9

How and when should a breach of GDPR be notified?

Answer 9

Notify the Information Commissioners Office within 72 hours of the breach.

Question 10

What are the obligations set out in GDPR?

Answer 10

The obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform.
Ensure data is accurate and kept up-to-date.
Only relevant data must be collected
Only store for as long as is necessary

Question 11

What is a firewall?

Answer 11

An electronic protection system that prevents unauthorised access to the firms network and data. All incoming and outgoing messages have to pass through this.

Question 12

What is included in your firms privacy notice?

Answer 12

Categories of data we process
Purposes for processing your data
Who has access to that data
How it is stored securely
How long we retain that data
Rights of the consumer

Question 13

What is a subject access request?

Answer 13

The demand of an individual to be given all information a company holds under GDPR

Question 14

What does the the Freedom of Information Act 2000 implement?

Answer 14

Individuals request personal information from PUBLIC bodies. Must be done within 20 days and can be charged for the admin.

Question 15

How do you comply with GDPR in your role?

Answer 15

Report any suspected breaches
I do not share confidential or personal information
I keep consent for data processing

Question 16

How long should you retain files?

Answer 16

6 years after the relationship expires, as legal action can be bought forward within this timeframe (Limitations Act 1980)

Question 17

What does your firm use to store data?

Answer 17

an Electronic Document Management System (Sharepoint)

Question 18

How do you ensure GDPR compliance and security in the office?

Answer 18

Clear desk policy
Shred any files with confidential information
Lock screen
Password protect
External back-up

Question 19

What would you do if you received confidential information that your should not have seen?

Answer 19

Do not use it
Report to DCO and compliance office
Advise the client or sender of error
Dispose of the information securely and properly

Question 20

What are the exemptions to Data Protection Act 2018?

Answer 20

National Security
Law enforcement
Public health

Question 21

What are the benefits of Cloud based storage systems?

Answer 21

Information is backed up securely on encrypted servers
Accessibility can be managed via online settings
Cloud is often cheaper than the cost of storing physical files
It is more convenient to send electronic files than mailing physical files
Cloud systems are more environmentally friendly
Multiple users can assess the same document at once.

Question 22

What is an NDA?

Answer 22

Non- disclosure agreement
Used to protect against disclosure or sharing of confidential data

Question 23

Who are the key persons outlined in GDPR?

Answer 23

Controller - person or entity that determines the purposes of the processing of data (BM)
Processor - the person who processes that information (could be me)
DPO (Data protection officer) - leadership role required within companies that process personal data of EU citizens and is responsible for overseeing the data protection approach, strategy and implementation.

Question 24

What are the 8 individual rights under GDPR?

Answer 24

• right to be informed (of how data is used)
• right of access (know exactly what information is held and how it is being processed)
• the right to rectification (correction)
• right to erasure (removal without any specific reason)
• right to restrict processing
• right to data portability (allows individuals to retain and reuse data for own purpose)
• right to object
• right to automated decision making and profiling

Question 25

What things must companies put in place to ensure GDPR compliance?

Answer 25

Raise awareness across the business
Audit all personal data held
Update Privacy notice
Review procedures to support the 8 rights
Identify and document the legal basis for processing personal data under GDPR
Review how we seek, obtain and record consent