DPA & GDPR

Question 1

The Data Protection Act 2018 (DPA 2018) came into effect in May 2018, to coincide with the implementation of the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) 2016/680/EC .

Answer 1

TRUE

Question 2

What is the aim of the coincide with the implementation?

Answer 2

To modernise data protection laws to

ensure they are effective in the years to come.

Question 3

The GDPR has direct effect across all EU Member States

Answer 3

True

Question 4

Also the organisations have to comply with the GDPR

Answer 4

True

Question 5

GDPR allows Member States limited opportunities to make provisions for how it applies in their country.

Answer 5

True

Question 6

In the UK, GDPR, have been included as part of the DPA 2018.

Answer 6

True

Question 7

It’s important the GDPR and the DPA 2018 are read side by side.

Answer 7

True

Question 8

The main elements of the DPA 2018 include the following:

Answer 8

General data processing:
Ensure that sensitive health, social care and education data can continue to be processed to ensure continued confidentiality in health and safeguarding situations can
be maintained.
Implement GDPR standards across all general data processing.
Provide appropriate restrictions to rights to access and delete data to allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes.
Provide clarity on the definitions used in the GDPR in the UK context.
Set the age from which parental consent is not needed to process data online at age 13, supported by a new age-appropriate design code enforced by the Information Commissioner.

Question 9

Set the age from which parental consent is not needed to process data online at age 13, supported by a new age-appropriate design code enforced by the Information Commissioner. what is this?

Answer 9

Main elements of the DPA 2018 of the General Data Processing

Question 10

Provide clarity on the definitions used in the GDPR in the UK context??

Answer 10

Main elements of the DPA 2018 of the General Data Processing

Question 11

Provide appropriate restrictions to rights to access and delete data to allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes. what is this?

Answer 11

Main elements of the DPA 2018 of the General Data Processing

Question 12

Ensure that sensitive health, social care and education data can continue to be processed to ensure continued confidentiality in health and safeguarding situations can be maintained. what is this??

Answer 12

Main elements of the DPA 2018 of the General Data Processing

Question 13

Implement GDPR standards across all general data processing?

Answer 13

Main elements of the DPA 2018 of the General Data Processing

Question 14

Ensuring that sensitive health, social care and education data can continue to be processed to To ensure continued confidentiality in health and safeguarding situations can be maintained.
, what is this process?? :

Answer 14

Main elements of the DPA 2018 of the General Data Processing

Question 15

What is this process relating to?

Answer 15

General Data Processing

Question 16

Implement GDPR standards across all general data processing.

Answer 16

True

Question 17

Provide appropriate restrictions to rights to access and delete data to allow certain processing currently undertaken to continue where there is a strong public policy justification, including for national security purposes.

Answer 17

True

Question 18

What do National Security Purposes include for continuing processing?

Answer 18

The appropriate restrictions to rights to access and delete data to allow certain processing undertaken to continue when there is strong public policy justification.

Question 19

Provide clarity on the definitions used in the GDPR in the UK context.

Answer 19

True

Question 20

Setting the age from which parental consent is not needed to process data online at age 13, and supported by a new age-appropriate design code enforced by the?

Answer 20

:Information Commissioner.

Question 21

Regulation and enforcement

Answer 21

Enact additional powers for the Information Commissioner who will continue to regulate and enforce data protection laws.
• Allow the Commissioner to levy higher administrative fines on data controllers and processors for the most serious data breaches; being up to £17m (€20m) or 4% of global turnover.
• Empower the Commissioner to bring criminal proceedings for offences where a data controller or processor alters records with intent to prevent disclosure following a subject access request.

Question 22

To levy higher administrative fines on data controllers and processors for the most serious data breaches; being up to £17m (€20m) or 4% of global turnover is the responsibility of:

Answer 22

The Commissioner in

Regulation and Enforcement

Question 23

Empowering the Commissioner to bring criminal proceedings for offences where a data controller or processor alters records with intent to prevent disclosure following a subject access request.

Answer 23

True

Regulation and Enforcement

Question 24

Enact additional powers for the Information Commissioner who will continue to regulate and enforce data protection laws.

Answer 24

True

Regulation and Enforcement

Question 25

Who will continue to regulate and enforce data protection law and requires additional powers?

Answer 25

Information Commissioner

Question 26

Administrative fines, for most serious data breaches are on the?

Answer 26

Data controllers and processors.

Question 27

How much is the fine?

Answer 27

Up to £17m (€20m) or 4% of global turnover.

Question 28

Who does the GDPR apply to?

Answer 28

The GDPR applies to ‘controllers’ and ‘processors’.

Question 29

The definitions are broadly the same as under the now superseded:

Answer 29

Data Protection Act 1998 (DPA 1998) –

Question 30

What’s the difference between the data controller and the data processor?

Answer 30

The controller says how and why personal data is processed and the processor acts on the controller’s behalf.

Question 31

The GDPR places specific legal obligations on:

Answer 31

Processors

Question 32

Firms are required to maintain records of personal data and processing activities.

Answer 32

True

Question 33

A firm has significantly more legal liability if it is responsible for a breach.

Answer 33

True

Question 34

These obligations for processors are a new requirement under the GDPR.

Answer 34

True

Question 35

Controllers are not relieved of their obligations where a processor is involved

Answer 35

True

Question 36

the GDPR places further obligations on controllers:

Answer 36

To ensure their contracts with processors comply with the GDPR.

Question 37

What information does the GDPR apply to?

Answer 37

The GDPR applies to personal data.

Question 38

The GDPR’s definition is more detailed, reflecting changes in:

Answer 38

technology and in the way in which information is collected.

Question 39

It makes it clear that information such as an online identifier – e.g. an IP address – can be personal data.

Answer 39

True

Question 40

The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria.

Answer 40

True

Question 41

This is wider than the DPA 1998’s definition and could include chronologically ordered sets of manual records containing:

Answer 41

personal data.

Question 42

Personal data that has been anonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Answer 42

True

Question 43

The GDPR refers to sensitive personal data as ‘special categories of personal data’. These categories include:

Answer 43

Biometrics 
Ethnic origin 
Genetics 
Health 
Politics 
Race
Religion 
Sexual life 
Sexual Orientation 
Trade union membership

Question 44

What is used for ID purposes in the GDPR personal data special categories.

Answer 44

Biometrics

Question 45

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

Answer 45

True

Question 46

They are similar to those in the DPA 1998 with added detail.

Answer 46

True

Question 47

The most significant addition is an accountability principle: the GDPR requires firms to show how they comply with the principles.

Answer 47

True

Question 48

By documenting the decisions they take about a processing activity, this is an example of :

Answer 48

Accountability principle

Question 49

What is the accountability principle :

Answer 49

Requirement from GDPR for firms to show how they comply with principles.

Question 50

Data Protection Principles

Answer 50

All personal data should be:

accurate and, where necessary, kept up-to-date;

Question 51

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed..

Answer 51

True
(Data Protection Principles
All personal data should be)

Question 52

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

Answer 52

True
(Data Protection Principles
All personal data should be)

Question 53

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;

Answer 53

True
(Data Protection Principles
All personal data should be)

Question 54

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Answer 54

True
(Data Protection Principles
All personal data should be)

Question 55

processed lawfully, fairly and in a transparent manner in relation to individuals;

Answer 55

True
(Data Protection Principles
All personal data should be)

Question 56

accurate and, where necessary, kept up-to-date; is a example of :

Answer 56

Data Protection Principles of personal data

Question 57

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed..

Answer 57

True
(Data Protection Principles
All personal data should be)

Question 58

collected for specified, explicit and legitimate purposes but further processed in a manner that is incompatible with those purposes;

Answer 58

False ,,,
(collected for specified, explicit and legitimate purposes and NOT further processed in a manner that is incompatible with those purposes;)

Question 59

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;

Answer 59

True
(Data Protection Principles
All personal data should be)

Question 60

processed in a manner that ensures appropriate security of the personal data, including protection against :

Answer 60

unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Question 61

processed lawfully, fairly and in a transparent manner in relation to individuals;

Answer 61

True
(Data Protection Principles
All personal data should be)

Question 62

For processing to be lawful under the GDPR, firms need to identify a lawful basis before they can process personal data and document it.?

Answer 62

TRUE ,,,

Lawful processing

Question 63

This is significant as lawful basis has an effect on an individual’s rights:

Answer 63

TRUE ,,,

Lawful processing

Question 64

where a firm relies on someone’s consent, the individual generally has stronger rights,

Answer 64

TRUE ,,,

Lawful processing

Question 65

for example to have their data deleted is an example of lawful processing.

Answer 65

TRUE ,,,

Lawful processing

Question 66

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes.

Answer 66

TRUE,,,

CONSENT

Question 67

Consent can be inferred from silence, pre-ticked boxes or inactivity,.

Answer 67

FALSE,,,
(consent CANNOT be inferred from silence, pre-ticked boxes or inactivity,. )
(CONSENT)

Question 68

Firms need to make it simple for people to withdraw consent.

Answer 68

TRUE,,,

CONSENT

Question 69

Consent must also be separate from other terms and conditions and be verifiable.

Answer 69

TRUE,,,

CONSENT

Question 70

Consent must be some form of positive opt-in

Answer 70

TRUE,,,

CONSENT

Question 71

Firms can rely on other lawful bases apart from consent –

Answer 71

TRUE,,,

CONSENT

Question 72

Processing is necessary for the purposes of an organisation’s or a third party’s legitimate interests.

Answer 72

TRUE,,,

CONSENT

Question 73

As firms were not required to automatically refresh all existing DPA consents in preparation for the GDPR, but if they rely on individuals’ consent to process their data, they must make sure it meets the GDPR standard.

Answer 73

TRUE,,,

CONSENT

Question 74

If not, firms must either alter the consent mechanisms and seek fresh GDPR-compliant consent or find an alternative to consent.

Answer 74

TRUE,,,

CONSENT

Question 75

Firms were always required to automatically refresh all existing DPA consents in preparation for the GDPR.

Answer 75

FALSE,,,
(Firms were NOT required to automatically refresh all existing DPA consents in preparation for the GDPR. )
(CONSENT)

Question 76

The GDPR created new rights for individuals and strengthens some of those that existed under the DPA

Answer 76

TRUE,,,

RIGHTS

Question 77

The Rights are:

Answer 77

The right of access
The right to data portability
The right to erasure
The right to be informed.
The right to object
The right to rectification.
The right to restrict processing
and Rights in relation to automated decision making and profiling.

Question 78

Under the GDPR, individuals have the right to access their personal data.

Answer 78

True ,,,

Data Subject access request) or (DSAR

Question 79

When providing all the records the firm holds on a particular client such as notes summarising conversations, any recorded conversations and completed documentation are an example of a .

Answer 79

Financial services firm

Question 80

Individuals can exercise this right by submitting a DSAR to the organisation concerned, which can be made verbally or in writing.

Answer 80

True ,,,

Data Subject access request) or (DSAR

Question 81

The organisation generally has one month to respond to a DSAR, although it can take an:

Answer 81

additional two months in certain circumstances.

Question 82

If the organisation fails to respond?

Answer 82

the individual must complain to the organisation in the first instance.

Question 83

What If they remain dissatisfied after that?

Answer 83

they can make a complaint to the Information Commissioner’s Office.

Question 84

The first copy of an individual’s personal data should be:

Answer 84

provided free,

Question 85

although charges are permitted for additional copies :

Answer 85

if the organisation feels such a request is unfounded or excessive.

Question 86

Where this is the case, they (the organisation) can ask for a reasonable fee:

Answer 86

to cover administrative costs.

Question 87

Accountability and transparency are more significant under the GDPR.

Answer 87

TRUE,,,

Accountability and governance

Question 88

Firms are expected to have in place comprehensive but proportionate governance measures?

Answer 88

TRUE,,,

Accountability and governance

Question 89

Good practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.

Answer 89

TRUE,,,

Accountability and governance

Question 90

Practically, this is likely to have meant more policies and procedures for some organisations, although many will already have good governance measures in place.

Answer 90

TRUE,,,

Accountability and governance

Question 91

What tools are are now legally required in certain circumstances under the DPPR in accountability and governance?

Answer 91

Good practice such as privacy impact assessment and privacy by design.

Question 92

The GDPR places a duty on all organisations to report certain types of data breach to the :

Answer 92

Relevant supervisory authority, and in some cases to the individuals affected.
(Breach notification)

Question 93

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Answer 93

True,,,

Transfers of personal data to third countries or international organisations