Data Management Flashcards
Who regulates GDPR in the UK?
Information Commissioners Office
What are the keys persons outlined in GDPR?
Controller - decides how and why personal data is used
Processor - handles personal data on behalf of controller
Data officer - oversees data protection and ensures compliance
What is the purposes of GDPR?
Protects citizens information
What act implemented GDPR in the UK?
Data Protection Act 2018, replaced Data Protection Act 1998
What are the 7 principal of GDPR?
Lawfulness, transparency & fairness
Accountability
Accuracy
Purpose Limitation
Storage Limitation
Integrity & Confidentiality
Data minimisation
What are the 8 individual rights under GDPR?
Right to be informed
Right of Access
Right to Rectfication
Right to Forgotten (erasure)
Right to Restriction Processing
Right to Data Portability
Right to Object
Rights related to Automated Decision making and Profiling
Who does GDPR apply to?
Any and all business and organisations responsible for holding data.
What are the penalties for breaches to GDPR?
Fine of up to 17.5 million, or 4% of your annual turnover, whichever is higher
How and when should a breach of GDPR be notified?
Notify the Information Commissioners Office within 72 hours of the breach.
What are the obligations set out in GDPR?
The obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform.
Ensure data is accurate and kept up-to-date.
Only relevant data must be collected
Only store for as long as is necessary
What is a firewall?
An electronic protection system that prevents unauthorised access to the firms network and data. All incoming and outgoing messages have to pass through this.
What is included in your firms privacy notice?
Categories of data we process
Purposes for processing your data
Who has access to that data
How it is stored securely
How long we retain that data
Rights of the consumer
What is a subject access request?
The demand of an individual to be given all information a company holds under GDPR
What does the the Freedom of Information Act 2000 implement?
Individuals request personal information from PUBLIC bodies. Must be done within 20 days and can be charged for the admin.
How do you comply with GDPR in your role?
Report any suspected breaches
I do not share confidential or personal information
I keep consent for data processing
How long should you retain files?
6 years after the relationship expires, as legal action can be bought forward within this timeframe (Limitations Act 1980)
What does your firm use to store data?
an Electronic Document Management System (Sharepoint)
How do you ensure GDPR compliance and security in the office?
Clear desk policy
Shred any files with confidential information
Lock screen
Password protect
External back-up
What would you do if you received confidential information that your should not have seen?
Do not use it
Report to DCO and compliance office
Advise the client or sender of error
Dispose of the information securely and properly
What are the exemptions to Data Protection Act 2018?
National Security
Law enforcement
Public health
What are the benefits of Cloud based storage systems?
Information is backed up securely on encrypted servers
Accessibility can be managed via online settings
Cloud is often cheaper than the cost of storing physical files
It is more convenient to send electronic files than mailing physical files
Cloud systems are more environmentally friendly
Multiple users can assess the same document at once.
What is an NDA?
Non- disclosure agreement
Used to protect against disclosure or sharing of confidential data
Who are the key persons outlined in GDPR?
Controller - person or entity that determines the purposes of the processing of data (BM)
Processor - the person who processes that information (could be me)
DPO (Data protection officer) - leadership role required within companies that process personal data of EU citizens and is responsible for overseeing the data protection approach, strategy and implementation.
What are the 8 individual rights under GDPR?
- right to be informed (of how data is used)
- right of access (know exactly what information is held and how it is being processed)
- the right to rectification (correction)
- right to erasure (removal without any specific reason)
- right to restrict processing
- right to data portability (allows individuals to retain and reuse data for own purpose)
- right to object
- right to automated decision making and profiling
What things must companies put in place to ensure GDPR compliance?
Raise awareness across the business
Audit all personal data held
Update Privacy notice
Review procedures to support the 8 rights
Identify and document the legal basis for processing personal data under GDPR
Review how we seek, obtain and record consent
