European Union data governance & protection regulation

Question 1

What is GDPR?

Answer 1

GDPR (General Data Protection Regulation) is a legal framework that sets guidelines for
the collection and processing of personal information from individuals who live in the European Union (EU).
It was designed to give individuals greater control over their personal data and to simplify the regulatory
environment for international business by unifying data protection laws across all EU member states. GDPR
introduces strict rules for organizations that collect, process, or store personal data, with significant
penalties for non-compliance, including fines of up to 4% of global annual revenue or €20 million, whichever is higher.

Question 2

When was GDPR enacted?

Answer 2

The GDPR was formally adopted on April 27, 2016, but its enforcement began on
May 25, 2018. Organizations were given a two-year transition period to prepare for compliance with the new
regulations. The adoption of GDPR marked a significant shift in data protection laws, replacing previous
regulations with more comprehensive and stringent requirements. It was designed to address modern challenges
in digital privacy and ensure the protection of personal data in an increasingly interconnected world.

Question 3

What does GDPR replace?

Answer 3

GDPR replaced the 1995 Data Protection Directive (Directive 95/46/EC), which was
previously the main framework governing data protection in the EU. The 1995 Directive allowed each EU country to
implement its own data protection laws, leading to inconsistencies across member states. GDPR, on the other hand,
is a regulation rather than a directive, meaning it applies directly to all EU member states without the need
for national legislation. This harmonization of data protection laws ensures a unified standard for privacy and
security across the EU.

Question 4

What is the main objective of GDPR?

Answer 4

The main objective of GDPR is to protect the personal data and privacy
rights of individuals in the European Union (EU) and the European Economic Area (EEA). It aims to give individuals
greater control over their personal data by providing rights such as access, correction, deletion, and data
portability. GDPR also seeks to ensure transparency in how personal data is collected, stored, and processed by
organizations. By enforcing strict compliance measures and imposing heavy fines for violations, GDPR encourages
businesses to adopt strong data protection practices, thereby enhancing consumer trust and safeguarding against
data breaches and misuse of personal information.

Question 5

Who does GDPR apply to?

Answer 5

GDPR applies to any organization, regardless of location, that processes the personal
data of individuals residing in the EU or EEA. This includes businesses, governments, non-profits, and any other
entities that collect, store, or use personal information of EU citizens. The regulation applies not only to
organizations established within the EU but also to those outside the EU if they offer goods or services to, or
monitor the behavior of, EU data subjects. This extraterritorial scope ensures that companies worldwide must comply
with GDPR requirements if they engage with EU customers, making GDPR one of the most comprehensive and influential
data protection laws globally.

Question 6

What is ‘personal data’ under GDPR?

Answer 6

Personal data refers to any information related to an identifiable person, such as name, email, IP address.

Question 7

What is ‘processing’ in GDPR?

Answer 7

Processing includes collecting, storing, using, transferring, or deleting personal data.

Question 8

What is ‘data subject’?

Answer 8

A data subject is an individual whose personal data is collected, held, or processed.

Question 9

What is a ‘data controller’?

Answer 9

An entity that determines the purposes and means of processing personal data.

Question 10

What is a ‘data processor’?

Answer 10

An entity that processes personal data on behalf of a data controller.

Question 11

What is ‘consent’ under GDPR?

Answer 11

Consent must be freely given, specific, informed, and unambiguous.

Question 12

What is the ‘right to access’?

Answer 12

Individuals can request access to their personal data held by an organization.

Question 13

What is the ‘right to be forgotten’?

Answer 13

Individuals can request the deletion of their personal data under certain conditions.

Question 14

What is the ‘right to data portability’?

Answer 14

Individuals can request their data in a structured format and transfer it to another provider.

Question 15

What is the ‘right to object’?

Answer 15

Individuals can object to data processing based on legitimate interests or direct marketing.

Question 16

What is the ‘right to rectification’?

Answer 16

Individuals can request correction of inaccurate or incomplete data.

Question 17

What is the ‘right to restrict processing’?

Answer 17

Individuals can request limitation on processing of their data under certain conditions.

Question 18

What is a ‘data protection impact assessment’ (DPIA)?

Answer 18

A process to identify and minimize data protection risks.

Question 19

What is the role of a ‘Data Protection Officer’ (DPO)?

Answer 19

A DPO ensures GDPR compliance within an organization.

Question 20

What are ‘special category data’?

Answer 20

Sensitive data like racial origin, health, biometrics, and political opinions.

Question 21

What is ‘pseudonymization’?

Answer 21

Processing data in a way that it cannot be attributed to a specific person without additional information.

Question 22

What is ‘profiling’?

Answer 22

Automated processing of personal data to analyze or predict aspects of an individual.

Question 23

What is ‘automated decision-making’?

Answer 23

Decisions made by automated means without human involvement.

Question 24

What is a ‘data breach’?

Answer 24

A security incident leading to unauthorized access, disclosure, or loss of personal data.

Question 25

What is the data breach notification requirement?

Answer 25

Organizations must report breaches to authorities within 72 hours if they pose risks to individuals.

Question 26

What are the penalties for GDPR violations?

Answer 26

Fines up to €20 million or 4% of global annual turnover, whichever is higher.

Question 27

What is the 'one-stop-shop' mechanism?

Answer 27

Organizations deal with one lead supervisory authority within the EU for cross-border processing.

Question 28

What is 'legitimate interest'?

Answer 28

A lawful basis for processing data when there is a justified reason that does not override individuals' rights.

Question 29

What is the 'lawful basis' for data processing?

Answer 29

Processing must be based on consent, contract, legal obligation, vital interest, public task, or legitimate interest.

Question 30

What is the 'accountability principle'?

Answer 30

Organizations must demonstrate compliance with GDPR principles.

Question 31

What is 'privacy by design'?

Answer 31

Organizations must implement data protection measures from the outset of system development.

Question 32

What is 'privacy by default'?

Answer 32

Organizations must ensure only necessary data is collected and processed.

Question 33

What is a 'supervisory authority'?

Answer 33

A national data protection authority responsible for monitoring GDPR compliance.

Question 34

What is the 'extraterritorial scope' of GDPR?

Answer 34

Applies to non-EU companies processing data of EU residents.

Question 35

What is a 'binding corporate rule' (BCR)?

Answer 35

A legal framework for multinational companies to transfer data outside the EU.

Question 36

What are 'standard contractual clauses' (SCCs)?

Answer 36

Legal contracts ensuring data transfers outside the EU comply with GDPR.

Question 37

What is the 'EU-U.S. Data Privacy Framework'?

Answer 37

A mechanism for compliant data transfers between the EU and the U.S.

Question 38

What is 'explicit consent'?

Answer 38

Consent given in a clear and affirmative manner for processing special category data.

Question 39

What is the 'purpose limitation' principle?

Answer 39

Data must only be collected for specified, explicit, and legitimate purposes.

Question 40

What is the 'data minimization' principle?

Answer 40

Only necessary personal data should be collected and processed.

Question 41

What is the 'storage limitation' principle?

Answer 41

Data should not be kept longer than necessary for the purposes collected.

Question 42

What is the 'integrity and confidentiality' principle?

Answer 42

Personal data must be processed securely and protected from unauthorized access.

Question 43

What are the 'rights of children' under GDPR?

Answer 43

Extra protection is required for children’s data, including parental consent for under 16s.

Question 44

What is 'direct marketing' under GDPR?

Answer 44

Organizations must obtain consent before sending marketing messages.

Question 45

What is the 'data transfer safeguard'?

Answer 45

Measures to protect data transferred outside the EU, such as SCCs and BCRs.

Question 46

What is the 'legitimate interest assessment'?

Answer 46

Organizations must assess whether legitimate interests outweigh individuals' rights.

Question 47

What is 'GDPR certification'?

Answer 47

Certifications like ISO 27701 help demonstrate GDPR compliance.

Question 48

What is 'anonymization'?

Answer 48

Irreversibly removing personal identifiers so data cannot be linked to an individual.

Question 49

What is 'data subject request' (DSR)?

Answer 49

A request made by an individual to exercise GDPR rights.

Question 50

What is a Data Protection Impact Assessment (DPIA)?

Answer 50

A DPIA is a process to describe processing operations, assess necessity and proportionality, and manage risks to individuals' rights and freedoms resulting from data processing.

Question 51

When is a DPIA required under GDPR?

Answer 51

A DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms, such as systematic monitoring, large-scale processing of sensitive data, or automated decision-making.

Question 52

Who is responsible for carrying out a DPIA?

Answer 52

The data controller is responsible for conducting the DPIA, with the involvement of the Data Protection Officer (DPO) and, if applicable, data processors.

Question 53

What are the key elements of a DPIA under GDPR?

Answer 53

A DPIA must include a description of processing operations, an assessment of necessity and proportionality, an evaluation of risks, and measures to mitigate them.

Question 54

What happens if a DPIA identifies high residual risks?

Answer 54

If high residual risks remain after mitigation measures, the data controller must consult the supervisory authority before proceeding with the processing.

Question 55

What are examples of processing activities requiring a DPIA?

Answer 55

Examples include large-scale processing of health data, video surveillance in public places, profiling individuals for credit scoring, and systematic monitoring of employees.

Question 56

Can a single DPIA cover multiple processing operations?

Answer 56

Yes, if the operations are similar in nature, scope, and risks, a single DPIA can be conducted for efficiency.

Question 57

What is the role of supervisory authorities in DPIAs?

Answer 57

Supervisory authorities provide guidelines, review DPIAs in certain cases, and must be consulted if high risks remain.

Question 58

Are DPIAs required for existing processing operations?

Answer 58

Yes, if there is a change in risks, such as new technology or changes in data usage, an updated DPIA may be required.

Question 59

Is publishing a DPIA mandatory?

Answer 59

No, but publishing a summary can foster trust and transparency. Full DPIAs must be provided to supervisory authorities if required.

Question 60

What is a personal data breach according to GDPR?

Answer 60

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

Question 61

What are the three types of data breaches identified in GDPR?

Answer 61

1. Confidentiality breach (unauthorized disclosure or access), 2. Integrity breach (unauthorized alteration), 3. Availability breach (loss of access or destruction).

Question 62

What is the first step a data controller should take when a breach occurs?

Answer 62

Recognize and document the breach, assess risks, and determine whether notification is required.

Question 63

When must a data breach be reported to the supervisory authority?

Answer 63

When the breach is likely to result in a risk to the rights and freedoms of natural persons, within 72 hours of becoming aware.

Question 64

What are some common causes of data breaches?

Answer 64

Ransomware attacks, data exfiltration, human error, lost/stolen devices, and mispostal incidents.

Question 65

What is ransomware and how does it impact data security?

Answer 65

Ransomware is a type of malware that encrypts data, often demanding a ransom for decryption, impacting availability and sometimes confidentiality.

Question 66

How can organizations mitigate the impact of ransomware attacks?

Answer 66

Regular backups, patch management, anti-malware software, employee security training, and strong authentication.

Question 67

What is data exfiltration and why is it dangerous?

Answer 67

Data exfiltration is the unauthorized copying or transmission of data, leading to confidentiality breaches and potential misuse.

Question 68

What are internal human risk sources for data breaches?

Answer 68

Employee negligence, insider threats, improper handling of sensitive data, and unauthorized access.

Question 69

What should be done if a breach affects sensitive personal data (e.g., health data)?

Answer 69

Notify the supervisory authority and affected individuals immediately, as the risk to rights and freedoms is high.

Question 70

How should lost or stolen devices containing personal data be secured?

Answer 70

Use encryption, password protection, remote wipe capabilities, and avoid storing sensitive data on portable devices.

Question 71

What are best practices to prevent human errors leading to data breaches?

Answer 71

Regular employee training, strict access controls, monitoring, and ensuring proper data handling procedures.

Question 72

What is mispostal and how can it be prevented?

Answer 72

Mispostal is the accidental transmission of data to the wrong recipient. Prevention includes automated mailing systems and double-checking procedures.

Question 73

What are the penalties for failing to report a data breach under GDPR?

Answer 73

Fines up to €10 million or 2% of global annual turnover, depending on severity and compliance failures.

Question 74

What are the four key characteristics of data and cyberspace?

Answer 74

1. The amount of data that can be gathered using technology. 2. The speed at which data can be transmitted. 3. The duration for which information can be retained. 4. The kind of information that can be processed.

Question 75

What are the three theories of privacy under GDPR?

Answer 75

1. Accessibility Privacy – Freedom from physical intrusion. 2. Decisional Privacy – Freedom from interference in choices and decisions. 3. Informational Privacy – Control over personal data flow.

Question 76

What is personal data under GDPR?

Answer 76

Any information relating to an identified or identifiable natural person, including name, identification number, location data, online identifiers, etc.

Question 77

What are the key principles of GDPR?

Answer 77

1. Lawfulness, fairness, and transparency 2. Purpose limitation 3. Data minimization 4. Accuracy 5. Storage limitation 6. Integrity and confidentiality 7. Accountability

Question 78

What is a data controller?

Answer 78

A natural or legal person, public authority, agency, or other body which determines the purposes and means of processing personal data.

Question 79

What is a data processor?

Answer 79

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Question 80

What are the penalties for GDPR violations?

Answer 80

1. Up to €20 million or 4% of global turnover for data subject rights infringements. 2. Up to €10 million or 2% of global turnover for general non-compliance.

Question 81

What are the rights of data subjects under GDPR?

Answer 81

1. Right to be informed 2. Right of access 3. Right to rectification 4. Right to erasure 5. Right to restrict processing 6. Right to data portability 7. Right to object 8. Rights related to automated decision-making and profiling.

Question 82

What is the territorial scope of GDPR?

Answer 82

1. Applies to organizations established in the EU, regardless of processing location. 2. Applies to non-EU organizations processing data related to EU residents' goods, services, or behavior monitoring.

Question 83

What must be done in case of a data breach under GDPR?

Answer 83

1. Notify supervisory authority without undue delay if risk exists. 2. Inform affected data subjects if high risk is present. 3. Maintain records of breaches.