European Union data governance & protection regulation Flashcards
What is GDPR?
GDPR (General Data Protection Regulation) is a legal framework that sets guidelines for
the collection and processing of personal information from individuals who live in the European Union (EU).
It was designed to give individuals greater control over their personal data and to simplify the regulatory
environment for international business by unifying data protection laws across all EU member states. GDPR
introduces strict rules for organizations that collect, process, or store personal data, with significant
penalties for non-compliance, including fines of up to 4% of global annual revenue or €20 million, whichever is higher.
When was GDPR enacted?
The GDPR was formally adopted on April 27, 2016, but its enforcement began on
May 25, 2018. Organizations were given a two-year transition period to prepare for compliance with the new
regulations. The adoption of GDPR marked a significant shift in data protection laws, replacing previous
regulations with more comprehensive and stringent requirements. It was designed to address modern challenges
in digital privacy and ensure the protection of personal data in an increasingly interconnected world.
What does GDPR replace?
GDPR replaced the 1995 Data Protection Directive (Directive 95/46/EC), which was
previously the main framework governing data protection in the EU. The 1995 Directive allowed each EU country to
implement its own data protection laws, leading to inconsistencies across member states. GDPR, on the other hand,
is a regulation rather than a directive, meaning it applies directly to all EU member states without the need
for national legislation. This harmonization of data protection laws ensures a unified standard for privacy and
security across the EU.
What is the main objective of GDPR?
The main objective of GDPR is to protect the personal data and privacy
rights of individuals in the European Union (EU) and the European Economic Area (EEA). It aims to give individuals
greater control over their personal data by providing rights such as access, correction, deletion, and data
portability. GDPR also seeks to ensure transparency in how personal data is collected, stored, and processed by
organizations. By enforcing strict compliance measures and imposing heavy fines for violations, GDPR encourages
businesses to adopt strong data protection practices, thereby enhancing consumer trust and safeguarding against
data breaches and misuse of personal information.
Who does GDPR apply to?
GDPR applies to any organization, regardless of location, that processes the personal
data of individuals residing in the EU or EEA. This includes businesses, governments, non-profits, and any other
entities that collect, store, or use personal information of EU citizens. The regulation applies not only to
organizations established within the EU but also to those outside the EU if they offer goods or services to, or
monitor the behavior of, EU data subjects. This extraterritorial scope ensures that companies worldwide must comply
with GDPR requirements if they engage with EU customers, making GDPR one of the most comprehensive and influential
data protection laws globally.
What is ‘personal data’ under GDPR?
Personal data refers to any information related to an identifiable person, such as name, email, IP address.
What is ‘processing’ in GDPR?
Processing includes collecting, storing, using, transferring, or deleting personal data.
What is ‘data subject’?
A data subject is an individual whose personal data is collected, held, or processed.
What is a ‘data controller’?
An entity that determines the purposes and means of processing personal data.
What is a ‘data processor’?
An entity that processes personal data on behalf of a data controller.
What is ‘consent’ under GDPR?
Consent must be freely given, specific, informed, and unambiguous.
What is the ‘right to access’?
Individuals can request access to their personal data held by an organization.
What is the ‘right to be forgotten’?
Individuals can request the deletion of their personal data under certain conditions.
What is the ‘right to data portability’?
Individuals can request their data in a structured format and transfer it to another provider.
What is the ‘right to object’?
Individuals can object to data processing based on legitimate interests or direct marketing.
What is the ‘right to rectification’?
Individuals can request correction of inaccurate or incomplete data.
What is the ‘right to restrict processing’?
Individuals can request limitation on processing of their data under certain conditions.
What is a ‘data protection impact assessment’ (DPIA)?
A process to identify and minimize data protection risks.
What is the role of a ‘Data Protection Officer’ (DPO)?
A DPO ensures GDPR compliance within an organization.
What are ‘special category data’?
Sensitive data like racial origin, health, biometrics, and political opinions.
What is ‘pseudonymization’?
Processing data in a way that it cannot be attributed to a specific person without additional information.
What is ‘profiling’?
Automated processing of personal data to analyze or predict aspects of an individual.
What is ‘automated decision-making’?
Decisions made by automated means without human involvement.
What is a ‘data breach’?
A security incident leading to unauthorized access, disclosure, or loss of personal data.
What is the data breach notification requirement?
Organizations must report breaches to authorities within 72 hours if they pose risks to individuals.
What are the penalties for GDPR violations?
Fines up to €20 million or 4% of global annual turnover, whichever is higher.
What is the ‘one-stop-shop’ mechanism?
Organizations deal with one lead supervisory authority within the EU for cross-border processing.
What is ‘legitimate interest’?
A lawful basis for processing data when there is a justified reason that does not override individuals’ rights.
What is the ‘lawful basis’ for data processing?
Processing must be based on consent, contract, legal obligation, vital interest, public task, or legitimate interest.
What is the ‘accountability principle’?
Organizations must demonstrate compliance with GDPR principles.
What is ‘privacy by design’?
Organizations must implement data protection measures from the outset of system development.
What is ‘privacy by default’?
Organizations must ensure only necessary data is collected and processed.
What is a ‘supervisory authority’?
A national data protection authority responsible for monitoring GDPR compliance.
What is the ‘extraterritorial scope’ of GDPR?
Applies to non-EU companies processing data of EU residents.
What is a ‘binding corporate rule’ (BCR)?
A legal framework for multinational companies to transfer data outside the EU.
What are ‘standard contractual clauses’ (SCCs)?
Legal contracts ensuring data transfers outside the EU comply with GDPR.
What is the ‘EU-U.S. Data Privacy Framework’?
A mechanism for compliant data transfers between the EU and the U.S.
What is ‘explicit consent’?
Consent given in a clear and affirmative manner for processing special category data.
What is the ‘purpose limitation’ principle?
Data must only be collected for specified, explicit, and legitimate purposes.
What is the ‘data minimization’ principle?
Only necessary personal data should be collected and processed.
What is the ‘storage limitation’ principle?
Data should not be kept longer than necessary for the purposes collected.
What is the ‘integrity and confidentiality’ principle?
Personal data must be processed securely and protected from unauthorized access.
What are the ‘rights of children’ under GDPR?
Extra protection is required for children’s data, including parental consent for under 16s.
What is ‘direct marketing’ under GDPR?
Organizations must obtain consent before sending marketing messages.
What is the ‘data transfer safeguard’?
Measures to protect data transferred outside the EU, such as SCCs and BCRs.
What is the ‘legitimate interest assessment’?
Organizations must assess whether legitimate interests outweigh individuals’ rights.
What is ‘GDPR certification’?
Certifications like ISO 27701 help demonstrate GDPR compliance.
What is ‘anonymization’?
Irreversibly removing personal identifiers so data cannot be linked to an individual.
What is ‘data subject request’ (DSR)?
A request made by an individual to exercise GDPR rights.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a process to describe processing operations, assess necessity and proportionality, and manage risks to individuals’ rights and freedoms resulting from data processing.
When is a DPIA required under GDPR?
A DPIA is mandatory when processing is likely to result in a high risk to individuals’ rights and freedoms, such as systematic monitoring, large-scale processing of sensitive data, or automated decision-making.
Who is responsible for carrying out a DPIA?
The data controller is responsible for conducting the DPIA, with the involvement of the Data Protection Officer (DPO) and, if applicable, data processors.
What are the key elements of a DPIA under GDPR?
A DPIA must include a description of processing operations, an assessment of necessity and proportionality, an evaluation of risks, and measures to mitigate them.
What happens if a DPIA identifies high residual risks?
If high residual risks remain after mitigation measures, the data controller must consult the supervisory authority before proceeding with the processing.
What are examples of processing activities requiring a DPIA?
Examples include large-scale processing of health data, video surveillance in public places, profiling individuals for credit scoring, and systematic monitoring of employees.
Can a single DPIA cover multiple processing operations?
Yes, if the operations are similar in nature, scope, and risks, a single DPIA can be conducted for efficiency.
What is the role of supervisory authorities in DPIAs?
Supervisory authorities provide guidelines, review DPIAs in certain cases, and must be consulted if high risks remain.
Are DPIAs required for existing processing operations?
Yes, if there is a change in risks, such as new technology or changes in data usage, an updated DPIA may be required.
Is publishing a DPIA mandatory?
No, but publishing a summary can foster trust and transparency. Full DPIAs must be provided to supervisory authorities if required.
What is a personal data breach according to GDPR?
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
What are the three types of data breaches identified in GDPR?
- Confidentiality breach (unauthorized disclosure or access), 2. Integrity breach (unauthorized alteration), 3. Availability breach (loss of access or destruction).
What is the first step a data controller should take when a breach occurs?
Recognize and document the breach, assess risks, and determine whether notification is required.
When must a data breach be reported to the supervisory authority?
When the breach is likely to result in a risk to the rights and freedoms of natural persons, within 72 hours of becoming aware.
What are some common causes of data breaches?
Ransomware attacks, data exfiltration, human error, lost/stolen devices, and mispostal incidents.
What is ransomware and how does it impact data security?
Ransomware is a type of malware that encrypts data, often demanding a ransom for decryption, impacting availability and sometimes confidentiality.
How can organizations mitigate the impact of ransomware attacks?
Regular backups, patch management, anti-malware software, employee security training, and strong authentication.
What is data exfiltration and why is it dangerous?
Data exfiltration is the unauthorized copying or transmission of data, leading to confidentiality breaches and potential misuse.
What are internal human risk sources for data breaches?
Employee negligence, insider threats, improper handling of sensitive data, and unauthorized access.
What should be done if a breach affects sensitive personal data (e.g., health data)?
Notify the supervisory authority and affected individuals immediately, as the risk to rights and freedoms is high.
How should lost or stolen devices containing personal data be secured?
Use encryption, password protection, remote wipe capabilities, and avoid storing sensitive data on portable devices.
What are best practices to prevent human errors leading to data breaches?
Regular employee training, strict access controls, monitoring, and ensuring proper data handling procedures.
What is mispostal and how can it be prevented?
Mispostal is the accidental transmission of data to the wrong recipient. Prevention includes automated mailing systems and double-checking procedures.
What are the penalties for failing to report a data breach under GDPR?
Fines up to €10 million or 2% of global annual turnover, depending on severity and compliance failures.
What are the four key characteristics of data and cyberspace?
- The amount of data that can be gathered using technology.
- The speed at which data can be transmitted.
- The duration for which information can be retained.
- The kind of information that can be processed.
What are the three theories of privacy under GDPR?
- Accessibility Privacy – Freedom from physical intrusion.
- Decisional Privacy – Freedom from interference in choices and decisions.
- Informational Privacy – Control over personal data flow.
What is personal data under GDPR?
Any information relating to an identified or identifiable natural person, including name, identification number, location data, online identifiers, etc.
What are the key principles of GDPR?
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
What is a data controller?
A natural or legal person, public authority, agency, or other body which determines the purposes and means of processing personal data.
What is a data processor?
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
What are the penalties for GDPR violations?
- Up to €20 million or 4% of global turnover for data subject rights infringements.
- Up to €10 million or 2% of global turnover for general non-compliance.
What are the rights of data subjects under GDPR?
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling.
What is the territorial scope of GDPR?
- Applies to organizations established in the EU, regardless of processing location.
- Applies to non-EU organizations processing data related to EU residents’ goods, services, or behavior monitoring.
What must be done in case of a data breach under GDPR?
- Notify supervisory authority without undue delay if risk exists.
- Inform affected data subjects if high risk is present.
- Maintain records of breaches.
