Data Protection Flashcards

1
Q

What is in Article 1 of the Universal Declaration of Human Rights (United Nations, 1948)?

A

Human dignity is recognized as an absolute fundamental right.

2
Q

Give an example of a country where privacy has been regarded as an element of liberty!

A

The United States

3
Q

What is Data Protection?

A

Data protection applies to any information relating to an identified or identifiable natural (living) person including names, dates of birth, photographs, video footage, email addresses, telephone numbers, and more.

4
Q

What does PII stand for?

A

Personal Identifiable Information

5
Q

Where does the notion of data protection originate from?

A

It originates from the right to privacy.

6
Q

What are the rights of the PII principal?

A

  • Fair processing
  • Transparency
  • Certain rights to access or change PII

7
Q

What are the principles of Data Protection?

A

  • PII controllers and PII processors
  • Consent and choice
  • Purpose legitimacy and specification
  • Collection limitation
  • Data minimization
  • Use, retention, and disclosure limitation
  • Accuracy and quality
  • Openness, transparency, and notice
  • Individual participation and access
  • Accountability
  • Information security
  • Privacy compliance

8
Q

Describe PII controllers and PII processors!

A

PII controllers: determine the means and purposes of processing PII. Controllers must ensure that applicable laws are adhered to, and they are obliged to demonstrate compliance.
A PII processor: follows the instructions of a PII controller in order to process PII. Under many regulations, the relationship between a controller and processor requires a written contract.

9
Q

Describe Consent and choice!

A

PII principals should have the choice of whether their data is processed.

10
Q

Describe Purpose legitimacy and specification!

A

All processing of PII must be compliant with applicable laws. The purpose of data processing must be communicated to the PII principals upfront, and it must be communicated again if the purpose changes over time.

11
Q

Describe Collection limitation!

A

The collection of PII should be limited to what is strictly necessary for the purpose defined and should be within the limitations of applicable laws.

12
Q

Describe Data minimization!

A

Data minimization is related to collection limitation but goes further, looking at the processing after the initial collection of PII. It means that the processes and systems for processing PII must limit the number of stakeholders that have access to the data or the ability to process it.

13
Q

Describe Use, retention, and disclosure limitation!

A

Data must not be retained forever. This principle is about retaining data for a defined purpose, but only for as long as it is required by the organization and by law. After that period, PII should be destroyed.

14
Q

Describe Accuracy and quality!

A

The PII processed has to be accurate and complete to a degree that it can be adequately used for the purpose defined. If PII is collected from a source that is not the PII principal, its reliability must be ensured. The accuracy and quality of the data should be checked regularly.

15
Q

Describe Openness, transparency, and notice!

A

This principle means that information about the processing of PII and the purposes and means for doing so should be provided to the PII principals. In the interest of transparency, this notice should be easily readable, especially if a processing activity includes decision-making based on the PII.

16
Q

Describe Individual participation and access!

A

Individuals have many rights, including the right to access their data, change inaccurate data, delete or lock the data, and easily assert these rights. In some legislations (e.g., GDPR and CCPA), they also have the right to portability, making the data available in an electronic, standardized form. Often CSV, JSON, or XML formats are used.

17
Q

Describe Accountability!

A

There is a duty of due care stating that measures must be taken by an organization to ensure the protection of PII. Accountability means that an organization must be able to prove its compliance. Data privacy policies and processes are documented.

18
Q

Describe Information security!

A

PII must be protected, and the CIA (confidentiality, integrity, and availability) of information has to be assured by the controller.

19
Q

Describe Privacy compliance!

A

An organization must be able to demonstrate compliance by having independently verified internal controls in place. An adequate and documented risk management system is a way to show privacy compliance.

20
Q

What is the GDPR?

A

General Data Protection Regulation 616/679. As a regulation, the GDPR is directly applicable by law in the Member States and does not require a local law to be effective.

21
Q

What is the material and territorial scope of the GDPR?

A

Material: all personal and material relationships of an identified or identifiable natural person.

Territorial: all organizations established in the EU, and organizations that track EU citizens and offer services or products within the EU.

22
Q

State the special categories of data that are only allowed to be processed after consent from the individual or by a special legal requirement!

A
  • race and ethnic origin,
  • religious or philosophical beliefs,
  • political opinions,
  • trade union memberships,
  • biometric data used to identify an individual,
  • genetic data,
  • health data, and
  • data related to sexual preferences and/or sexual orientation.
23
Q

How does GDPR demonstrate accountability?

A

GDPR requires organizations to maintain a record of processing activities (ROP).

24
Q

Which criteria should be considered when carrying out the risk assessment according to GDPR Article 28?

A
  • state of the art,
  • costs of implementation,
  • nature, scope, context and purposes of processing, and
  • risk of varying likelihood and severity to the rights and freedoms of natural persons.
25
Q

When do we need a DPIA?

A

We need Data Protection Impact Assessment when an activity that poses a high risk to the rights and the freedom of a person is planned.

26
Q

According to Article 6 GDPR, there are exactly six reasons that make the processing of PII lawful (PrivazyPlan, 2018a). What are they?

A

  • The PII principal (data subject) has given consent.
  • Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller.

27
Q

Describe the job of the Data Protection Officer!

A

They monitor and audit the compliance with GDPR. They also give advice and handle the complaints of the PII principals.

28
Q

How is Privacy Compliance controlled?

A

Compliance with the GDPR is both self-controlled and controlled by supervisory authorities.

29
Q

State the rights of the Data Subjects!

A

  • transparency about the processing of data and the rights of the individual,
  • information and access to personal data,
  • rectification and erasure, and
  • the right to object and automated individual decision-making.

30
Q

Data transfers between controllers and processors, and between controllers and controllers, require a written contract. What is it called?

A

Data Processing Agreement (DPA).

31
Q

Article 28 GDPR (PrivazyPlan, 2018c) requires eight topics to be added to the DPA. State them!

A

  1. The processor only agrees to process personal data if they have received the written instructions of the controller.
  2. Everyone who comes into contact with the data is sworn to confidentiality.
  3. All appropriate technical and organizational measures are used to protect the security of the data.
  4. The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case, another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
  5. The processor will help the controller uphold their obligations under the GDPR, particularly concerning data subjects’ rights.
  6. The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
  7. The processor agrees to delete all personal data upon the termination of services or return the data to the controller.
  8. The processor must allow the controller to conduct an audit and will provide whatever information is necessary to prove compliance.
32
Q

What safeguards need to be in place in case of processing of data outside the EU?

A
  • Adequacy decisions: The EU Commission decides that the level of data protection in a third country is at a level that is acceptable to the EU. Current big economies that have obtained an adequacy decision are Argentina, Japan, Canada (private sector), and the United States (privacy shield).
  • EU model clauses: The model clauses or standard contractual clauses issued by the EU. If a processor or controller outside the EU signs and obeys them, the data can be transferred. This is the most common way to safeguard data transfers to third countries.
  • Binding corporate rules: An enterprise can obey binding corporate rules that have been approved by the national authorities of the country where its EU headquarters are based. If those are approved, data can flow inside this enterprise. Binding corporate rules have no impact on relationships outside of that enterprise.
33
Q

How should a data breach be handled?

A

Whenever a data breach occurs, the organization has 72 hours from the time that the breach was discovered to inform the PII principals. If the risks to the rights and freedoms of the individuals are high, the authorities must also be informed about the breach.

34
Q

Give examples of privacy regulations in the United States!

A

  • CCPA: California Consumer Privacy Act.
  • HIPAA: Health Insurance Portability and Accountability Act.

35
Q

Who does the CCPA protect?

A

Not only consumers but also all residents in California.

36
Q

How can a company be under the scope of the CCPA?

A

To be under the scope of the CCPA, an organization must meet at least one of the following criteria:

  • Annual gross revenue of $25 million
  • Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
  • At least 50 percent of annual revenue from selling consumers’ personal information (California Legislative Information, 2018)
37
Q

What are the rights of the consumers (PII) under the CCPA?

A

  • know what PII is being collected about them,
  • access their PII in a readily useable format,
  • know whether their personal information is being sold or shared, and if so, with whom,
  • opt out of the sale of their PII (opt in, in cases of minors),
  • equal service and price regardless of exercising individual rights, and
  • deletion of their PII upon request.

38
Q

According to HIPAA, do patients have the right to access their data?

A

Yes. Organizations can charge a reasonable amount to provide this information.

39
Q

Give examples of administrative measures that HIPAA requires!

A

The implementation of risk management, or a data backup plan.

40
Q

Give examples of physical safeguards that HIPAA requires!

A

A facility security plan, or secure disposal of media.

41
Q

Give examples of technical safeguards that HIPAA requires!

A

Authentication, or emergency access procedures.

42
Q

How is Data Protection regulated in Singapore?

A

Through the Personal Data Protection Act (PDPA) from 2012. Several regulations were added in 2013 to govern the enforcement of the Act, detailing special provisions regarding phone calls and exemptions, thereby building a comprehensive privacy framework.

43
Q

What are the four exceptions to the scope of the PDPA?

A

  1. Any individual acting on a personal or domestic basis
  2. Any employee acting in the course of his or her employment with an organization
  3. Any public agency or organization acting on behalf of a public agency in relation to the collection, use, or disclosure of the personal data
  4. Business contact information
44
Q

Which Commission has the responsibility to administer the PDPA?

A

The Personal Data Protection Commission

45
Q

What are the obligations of the Data Protection Officer according to the PDPA?

A

  • ensure compliance with the PDPA when developing and implementing policies and processes for handling personal data,
  • foster a data protection culture among employees and communicate personal data protection policies to stakeholders,
  • manage personal data protection related queries and complaints,
  • alert management to any risks that might arise with regard to personal data, and
  • cooperate with the PDPC on data protection matters, if necessary.