DPA & GDPR Flashcards
The Data Protection Act 2018 (DPA 2018) came into effect in May 2018, to coincide with the application of the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), Directive (EU) 2016/680.
TRUE
What was the aim of bringing the DPA 2018 into effect alongside the GDPR?
To modernise data protection laws so that they remain effective in the years to come.
The GDPR has direct effect across all EU Member States
True
Organisations in every Member State must comply with the GDPR directly.
True
GDPR allows Member States limited opportunities to make provisions for how it applies in their country.
True
In the UK, the GDPR's provisions have been incorporated into domestic law through the DPA 2018.
True
It’s important the GDPR and the DPA 2018 are read side by side.
True
The main elements of the DPA 2018 include the following:
General data processing:
• Ensure that sensitive health, social care and education data can continue to be processed, so that confidentiality in health and safeguarding situations can be maintained.
• Implement GDPR standards across all general data processing.
• Provide appropriate restrictions to the rights to access and delete data, to allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes.
• Provide clarity on the definitions used in the GDPR in the UK context.
• Set the age from which parental consent is not needed to process data online at 13, supported by a new age-appropriate design code enforced by the Information Commissioner.
Setting the age from which parental consent is not needed to process data online at 13, supported by a new age-appropriate design code enforced by the Information Commissioner. Which main element of the DPA 2018 is this?
General data processing
Providing clarity on the definitions used in the GDPR in the UK context. Which main element of the DPA 2018 is this?
General data processing
Providing appropriate restrictions to the rights to access and delete data, to allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes. Which main element of the DPA 2018 is this?
General data processing
Ensuring that sensitive health, social care and education data can continue to be processed, so that confidentiality in health and safeguarding situations can be maintained. Which main element of the DPA 2018 is this?
General data processing
Implementing GDPR standards across all general data processing. Which main element of the DPA 2018 is this?
General data processing
Implement GDPR standards across all general data processing.
True
Provide appropriate restrictions to rights to access and delete data to allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes.
True
Why does the DPA 2018 restrict the rights to access and delete data in some cases?
To allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes.
Provide clarity on the definitions used in the GDPR in the UK context.
True
The age from which parental consent is not needed to process data online is set at 13, supported by a new age-appropriate design code. Who enforces that code?
The Information Commissioner.
Regulation and enforcement
Enact additional powers for the Information Commissioner who will continue to regulate and enforce data protection laws.
• Allow the Commissioner to levy higher administrative fines on data controllers and processors for the most serious data breaches: up to £17m (€20m) or 4% of global annual turnover, whichever is higher.
• Empower the Commissioner to bring criminal proceedings for offences where a data controller or processor alters records with intent to prevent disclosure following a subject access request.
Who is empowered to levy higher administrative fines on data controllers and processors for the most serious data breaches, up to £17m (€20m) or 4% of global turnover?
The Information Commissioner
Regulation and Enforcement
Empowering the Commissioner to bring criminal proceedings for offences where a data controller or processor alters records with intent to prevent disclosure following a subject access request.
True
Regulation and Enforcement
Enact additional powers for the Information Commissioner who will continue to regulate and enforce data protection laws.
True
Regulation and Enforcement
Who continues to regulate and enforce data protection law, and is given additional powers by the DPA 2018?
Information Commissioner
Administrative fines, for most serious data breaches are on the?
Data controllers and processors.
How much is the fine?
Up to £17m (€20m) or 4% of global turnover.
Who does the GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’.
The definitions are broadly the same as under the now superseded:
Data Protection Act 1998 (DPA 1998)
What’s the difference between the data controller and the data processor?
The controller says how and why personal data is processed and the processor acts on the controller’s behalf.
The GDPR places specific legal obligations on:
Processors
Processors are required to maintain records of personal data and processing activities.
True
A processor has significantly more legal liability under the GDPR if it is responsible for a breach.
True
These obligations for processors are a new requirement under the GDPR.
True
Controllers are not relieved of their obligations where a processor is involved
True
The GDPR places a further obligation on controllers:
To ensure their contracts with processors comply with the GDPR.
What information does the GDPR apply to?
The GDPR applies to personal data.
The GDPR’s definition is more detailed, reflecting changes in:
technology and in the way in which information is collected.
It makes it clear that information such as an online identifier – e.g. an IP address – can be personal data.
True
The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria.
True
This is wider than the DPA 1998’s definition and could include chronologically ordered sets of manual records containing:
personal data.
Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. (Truly anonymised data, which can no longer be attributed to anyone, is outside the GDPR's scope.)
True
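The card above turns on how hard it is to attribute a key-coded pseudonym to a person. The following is an added example written for this page, not part of the original flashcards or any ICO material. It assumes a small constructed customer table, a secret key held by the controller, and an attacker who can enumerate plausible email addresses (all hypothetical). It contrasts an unkeyed hash, which a candidate list reverses immediately, with a keyed HMAC pseudonym, which only the key holder can reverse; in both cases someone can still link the pseudonym back to the individual, which is why the data stays personal data.

```python
"""Added example (not from the original flashcards): key-coded pseudonymisation
and why it usually stays within GDPR scope.

Assumptions (hypothetical, for illustration only): a constructed customer
table, a secret key held by the controller separately from the data, and an
attacker who knows the set of plausible email addresses.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people).
CUSTOMERS = [
    {"email": "alice@example.com", "balance": 120},
    {"email": "bob@example.com", "balance": 75},
    {"email": "carol@example.com", "balance": 310},
]


def unkeyed_pseudonym(identifier: str) -> str:
    """Weak 'anonymisation': plain SHA-256 of the identifier.
    Anyone who can enumerate candidate identifiers reverses it by recomputation."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """Key-coding: HMAC-SHA256 under a secret key.
    Without the key a candidate list no longer helps; with the key,
    re-identification is trivial, so the key-coded data is still personal
    data for whoever can obtain the key."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key=None):
    """Return a copy of the records with the email replaced by a pseudonym.
    key=None uses the weak unkeyed scheme, otherwise the keyed scheme."""
    out = []
    for r in records:
        if key is None:
            pid = unkeyed_pseudonym(r["email"])
        else:
            pid = keyed_pseudonym(r["email"], key)
        out.append({"pid": pid, "balance": r["balance"]})
    return out


def reidentify(pseudonymised, candidates, key=None):
    """Attacker or key holder: attribute each pseudonym to a candidate identifier
    by recomputing the pseudonym for every candidate and matching."""
    table = {}
    for c in candidates:
        pid = unkeyed_pseudonym(c) if key is None else keyed_pseudonym(c, key)
        table[pid] = c
    return {row["pid"]: table.get(row["pid"]) for row in pseudonymised}


def demo():
    """Return (hits with unkeyed hash, hits against keyed data without the key,
    hits against keyed data with the key)."""
    candidates = [c["email"] for c in CUSTOMERS] + ["dave@example.com"]

    weak = pseudonymise(CUSTOMERS)
    weak_hits = sum(v is not None for v in reidentify(weak, candidates).values())

    key = secrets.token_bytes(32)  # held by the controller, apart from the data
    strong = pseudonymise(CUSTOMERS, key)
    no_key_hits = sum(v is not None for v in reidentify(strong, candidates).values())
    key_hits = sum(v is not None for v in reidentify(strong, candidates, key).values())
    return weak_hits, no_key_hits, key_hits


if __name__ == "__main__":
    w, n, k = demo()
    print(f"unkeyed hash: {w}/3 re-identified from a candidate list")
    print(f"keyed, attacker without key: {n}/3 re-identified")
    print(f"keyed, key holder: {k}/3 re-identified")
```

The design point is that the difficulty of attribution depends on who holds the key and how guessable the identifier space is, not on whether the identifier "looks" random; a controller that keeps the key has pseudonymised, not anonymised, the data.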
The GDPR refers to sensitive personal data as ‘special categories of personal data’. These categories include:
Biometric data, ethnic origin, genetic data, health, political opinions, racial origin, religious beliefs, sex life, sexual orientation and trade union membership.
Which special category of personal data covers data processed for the purpose of uniquely identifying a natural person?
Biometric data
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
True
They are similar to those in the DPA 1998 with added detail.
True
The most significant addition is an accountability principle: the GDPR requires firms to show how they comply with the principles.
True
Documenting the decisions a firm takes about a processing activity is an example of the:
Accountability principle
What is the accountability principle :
Requirement from GDPR for firms to show how they comply with principles.
Data Protection Principles
All personal data should be:
accurate and, where necessary, kept up-to-date;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
True
(Data Protection Principles
All personal data should be)
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
True
(Data Protection Principles
All personal data should be)
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
True
(Data Protection Principles
All personal data should be)
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
True
(Data Protection Principles
All personal data should be)
processed lawfully, fairly and in a transparent manner in relation to individuals;
True
(Data Protection Principles
All personal data should be)
accurate and, where necessary, kept up-to-date; is an example of:
Data Protection Principles for personal data
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
True
(Data Protection Principles
All personal data should be)
collected for specified, explicit and legitimate purposes but further processed in a manner that is incompatible with those purposes;
False
(collected for specified, explicit and legitimate purposes and NOT further processed in a manner that is incompatible with those purposes;)
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
True
(Data Protection Principles
All personal data should be)
processed in a manner that ensures appropriate security of the personal data, including protection against :
unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
processed lawfully, fairly and in a transparent manner in relation to individuals;
True
(Data Protection Principles
All personal data should be)
For processing to be lawful under the GDPR, firms need to identify a lawful basis before they can process personal data, and document it.
True
Lawful processing
This is significant because the lawful basis affects an individual's rights: where a firm relies on someone's consent, the individual generally has stronger rights, for example to have their data deleted.
True
Lawful processing
Where a firm relies on consent, does the individual have stronger or weaker rights, for example to have their data deleted?
Stronger rights.
Lawful processing
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual's wishes.
True
CONSENT
Consent can be inferred from silence, pre-ticked boxes or inactivity.
False
(Consent CANNOT be inferred from silence, pre-ticked boxes or inactivity.)
(CONSENT)
Firms need to make it simple for people to withdraw consent.
True
CONSENT
Consent must also be separate from other terms and conditions and be verifiable.
True
CONSENT
Consent must be some form of positive opt-in.
True
CONSENT
Firms can rely on other lawful bases apart from consent, for example where processing is necessary for the purposes of an organisation's or a third party's legitimate interests.
True
CONSENT
Give an example of a lawful basis other than consent.
Processing is necessary for the purposes of an organisation's or a third party's legitimate interests.
CONSENT
Firms were not required to automatically refresh all existing DPA 1998 consents in preparation for the GDPR, but if they rely on individuals' consent to process their data, they must make sure it meets the GDPR standard.
True
CONSENT
If existing consent does not meet the GDPR standard, firms must either alter the consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative lawful basis to consent.
True
CONSENT
Firms were always required to automatically refresh all existing DPA consents in preparation for the GDPR.
False
(Firms were NOT required to automatically refresh all existing DPA consents in preparation for the GDPR.)
(CONSENT)
The GDPR created new rights for individuals and strengthened some of those that existed under the DPA 1998.
True
RIGHTS
The rights are:
The right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
Under the GDPR, individuals have the right to access their personal data.
True
Data Subject Access Request (DSAR)
For a financial services firm, what might responding to a DSAR involve?
Providing all the records the firm holds on a particular client, such as notes summarising conversations, any recorded conversations and completed documentation.
Individuals can exercise this right by submitting a DSAR to the organisation concerned, which can be made verbally or in writing.
True
Data Subject Access Request (DSAR)
The organisation generally has one month to respond to a DSAR, although it can take an:
additional two months in certain circumstances.
What should the individual do if the organisation fails to respond?
Complain to the organisation in the first instance.
What if they remain dissatisfied after that?
They can make a complaint to the Information Commissioner's Office.
The first copy of an individual's personal data should be:
provided free.
When is an organisation permitted to charge for a DSAR?
For additional copies, or where the organisation considers the request manifestly unfounded or excessive.
Where this is the case, what can the organisation ask for?
A reasonable fee to cover administrative costs.
Accountability and transparency are more significant under the GDPR.
True
Accountability and governance
Firms are expected to have in place comprehensive but proportionate governance measures.
True
Accountability and governance
Good practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
True
Accountability and governance
Practically, this is likely to have meant more policies and procedures for some organisations, although many will already have had good governance measures in place.
True
Accountability and governance
Which good-practice tools are now legally required in certain circumstances under the GDPR's accountability and governance requirements?
Privacy impact assessments and privacy by design.
The GDPR places a duty on all organisations to report certain types of data breach to the :
Relevant supervisory authority, and in some cases to the individuals affected.
(Breach notification)
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
True,,,
Transfers of personal data to third countries or international organisations