GDPR Flashcards

Question 1

Q

What is the GDPR?

Answer

A

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy.

Question 2

Q

Which previous data protection regimes does the GDPR build upon?

Answer

A

EU’s Data Protection Directive (DPD)
US’s Health Insurance Portability and Accountability Act (HIPAA)
Various other data protection regimes

Question 3

Q

How does the GDPR relate to Member State laws?

Answer

A

As an EU regulation, the GDPR operates above the level of other Member State laws.

Question 4

Q

What legislation incorporates the GDPR in the UK?

Answer

A

Data Protection Act 2018

Question 5

Q

What term is defined as any operation performed on personal data?

Answer

A

Processing

Question 6

Q

Who is referred to as the ‘Controller’ under the GDPR?

Answer

A

The natural or legal person that determines the purposes and means of processing personal data.

Question 7

Q

What is a ‘Processor’ in the context of the GDPR?

Answer

A

A natural or legal person that processes personal data on behalf of the controller.

Question 8

Q

Define ‘Personal data’.

Answer

A

Any information relating to an identified or identifiable natural person.

Question 9

Q

Does the GDPR extend rights to deceased persons?

Answer

A

No, the GDPR does not extend any rights to deceased persons.

Question 10

Q

Which organizations are subject to the GDPR?

Answer

A

Organizations within the EU processing personal data
Organizations outside the EU processing personal data of EU residents
Organizations outside the EU governed by EU law

Question 11

Q

What are some exemptions from the material scope of the GDPR?

Answer

A

National security of non-EU states
Processing by member states related to common foreign and security policy
Personal or household processing
Competent authorities related to crime and security

Question 12

Q

What is the responsibility of a data controller?

Answer

A

Ensuring that personal data is processed in accordance with the GDPR.

Question 13

Q

What must data controllers implement to protect personal data?

Answer

A

Appropriate technical and organizational measures.

Question 14

Q

What are the requirements for contracts between controllers and processors?

Answer

A

Contracts must meet specific requirements as stated in Article 28 of the GDPR.

Question 15

Q

What records must organizations retain to prove compliance?

Answer

A

Fair processing notices
Retention policies
Evidence of consent
Data Protection Impact Assessments (DPIAs)

Question 16

Q

What is a DSAR?

Answer

A

Data Subject Access Request, which allows individuals to request access to their personal data.

Question 17

Q

What rights do data subjects have under the GDPR?

Answer

A

Right to Fair Processing
Right to Access
Right to Rectification
Right to be Forgotten
Right to Data Portability
Right to Object

Question 18

Q

What does the ‘Right to be Forgotten’ entail?

Answer

A

Data subjects can request erasure of their personal data under certain conditions.

Question 19

Q

What is required for processing to be lawful under the GDPR?

Answer

A

At least one of the lawful bases must apply, such as consent or necessity for a contract.

Question 20

Q

What is meant by ‘Data Minimization’?

Answer

A

Limiting the collection and processing of personal data to what is necessary.

Question 21

Q

What principle requires organizations to ensure the accuracy of personal data?

Question 22

Q

What does the principle of ‘Storage Limitation’ require?

Answer

A

Personal data must not be kept longer than necessary for the purposes for which it is processed.

Question 23

Q

What is the principle of ‘Integrity and Confidentiality’?

Answer

A

Processing personal data in a manner that ensures appropriate security against unauthorized access.

Question 24

Q

What is the principle of ‘Accountability’ in the GDPR?

Answer

A

The data controller is responsible for ensuring compliance with all data processing principles.

Question 25

Q

What should organizations do to demonstrate compliance with the GDPR?

Answer

A

Submit to audits and adhere to approved codes of conduct or certification mechanisms.

Question 26

Q

What is required for consent to be valid under the GDPR?

Answer

A

Consent must be freely given, specific, informed, and unambiguous.

Question 27

Q

What must organizations provide in privacy notices?

Answer

A

Clear and accessible information about data processing activities and data subjects’ rights.

Question 28

Q

What does the ‘Right to Data Portability’ allow?

Answer

A

Data subjects can request their personal data in a structured, commonly used, and machine-readable format.

Question 29

Q

What should organizations do if they receive ‘excessive requests’?

Answer

A

They can refuse the request or charge a reasonable fee.

Question 30

Q

What is the significance of training and staff awareness in GDPR compliance?

Answer

A

To ensure all staff understand their responsibilities regarding privacy and data protection.

Question 31

Q

What is the Right to Object in data processing?

Answer

A

Data subjects can object to having their personal data processed, requiring processing to stop unless the controller demonstrates legitimate grounds for the processing.

Question 32

Q

Are organizations required to inform data subjects of their right to object?

Answer

A

Yes, organizations must inform data subjects of their right to object, clearly and separately from other information.

Question 33

Q

What do data subjects have the right to regarding automated decision-making?

Answer

A

Data subjects have the right not to be subject to decisions based solely on automated processing that significantly affects them.

Question 34

Q

Define a ‘compliance framework’.

Answer

A

A structured set of guidelines and practices that integrate regulatory compliance requirements with necessary business processes, policies, and controls.

Question 35

Q

What are the three key areas of a privacy compliance framework?

Answer

A

Governance, risk management, and compliance objectives
Data processing principles
Policies, procedures, controls, and records

Question 36

Q

What is the territorial scope of the GDPR?

Answer

A

The GDPR applies to all data subjects in the EU, regardless of their nationality or place of residence, if their data is processed by an EU controller or processor.

Question 37

Q

What role should boards play regarding privacy compliance frameworks?

Answer

A

Boards should ensure that privacy compliance frameworks ensure GDPR compliance and provide regular reports on the state of compliance.

Question 38

Q

What does the acronym SMART stand for in goal setting?

Answer

A

Specific, Measurable, Actionable, Realistic, and Time-bound.

Question 39

Q

List key objectives for information security controls.

Answer

A

Respond to subject access requests within one month
Identify and report data breaches within 72 hours
Define retention periods for personal data
Conduct staff awareness training

Question 40

Q

What are the steps in an Incident Management Process?

Answer

A

Realizing and reporting the incident
Understanding what has happened
Containing the event
Repairing the damage
Preventing recurrence
Reviewing the response

Question 41

Q

Fill in the blank: Confidentiality, integrity, and availability are known as the ______ of information security.

Question 42

Q

What is the primary focus of BS 10012:2017?

Answer

A

Privacy protection and personal information management systems.

Question 43

Q

What are the responsibilities of data controllers regarding subject access requests?

Answer

A

Provide explanations of rights to data subjects
Ensure transparency throughout the request process
Train staff to identify subject access requests
Respond within one month with reasons for any refusal

Question 44

Q

True or False: Consent is the easiest lawful basis for processing personal data.

Question 45

Q

What does GDPR Article 9 define as special categories of personal data?

Answer

A

Data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, and sexual orientation.

Question 46

Q

What does a Data Protection Officer (DPO) oversee?

Answer

A

Compliance with data protection laws and guidance on data processing activities.

Question 47

Q

What is a key requirement for appointing a DPO under GDPR?

Answer

A

DPO must be designated when processing involves large-scale monitoring of data subjects or processing of special categories of data.

Question 48

Q

What is a RACI chart used for?

Answer

A

To define who is Responsible, Accountable, Consulted, and Informed for each process.

Question 49

Q

What should an Information Security Policy include?

Answer

A

Signed by top management
Assert intentions towards information security
Describe objectives aligned with business
Define the policy scope
Establish responsibility and accountability
Communicate to all relevant parties

Question 50

Q

What are the conditions under which consent can be withdrawn according to GDPR?

Answer

A

The withdrawal of consent must be as easy as giving it and does not affect the lawfulness of processing before withdrawal.

Question 51

Q

What are the potential conflicts of interest for a Data Protection Officer?

Answer

A

DPOs cannot hold positions that determine the purposes and means of data processing to avoid conflicts of interest.

Question 52

Q

What is the role of the Data Protection Officer (DPO) according to GDPR?

Answer

A

To inform and advise the controller or processor and employees about their obligations under the GDPR and other data protection provisions.

The DPO should also oversee the privacy compliance framework and monitor data protection activities.

Question 53

Q

True or False: The DPO can hold a position that influences the purposes and means of data processing.

Answer

A

False

The DPO cannot determine the purposes and means of processing personal data.

Question 54

Q

List some responsibilities of the DPO.

Answer

A

Advise on DPIAs
Monitor compliance with GDPR
Provide training and awareness programs
Cooperate with supervisory authorities
Serve as a contact point for data subjects

These responsibilities ensure that the DPO effectively supports data protection within the organization.

Question 55

Q

What qualifications are typically required for a DPO?

Answer

A

Law degree with specialization in data privacy
Professional certifications in data protection
Experience in implementing data protection measures
Knowledge of information security management

Specific certifications may include ISO/IEC 17024-certificated EU GDPR Practitioner and Certified Data Protection Officer (C-DPO).

Question 56

Q

Fill in the blank: The GDPR requires that the DPO must be involved in all issues related to the _______.

Answer

A

[protection of personal data]

Question 57

Q

What are the four key elements essential to data mapping?

Answer

A

Data items
Formats
Transfer methods
Locations

These elements help organizations understand their data processing lifecycle and identify potential privacy issues.

Question 58

Q

What is a Data Protection Impact Assessment (DPIA)?

Answer

A

A process that helps organizations identify and minimize privacy risks before implementing new processes or projects.

DPIAs are particularly important when there is high-risk processing of personal data.

Question 59

Q

True or False: A DPIA is required by law for all data processing activities.

Answer

A

False

A DPIA is only required in certain circumstances, particularly when there is high risk to the rights and freedoms of data subjects.

Question 60

Q

What are the seven key principles of Data Protection by Design?

Answer

A

Proactive not reactive
Privacy as the default setting
Privacy embedded into design
Full functionality–positive-sum
End-to-end security
Visibility and transparency
Respect for user privacy

These principles guide organizations in implementing effective data protection measures.

Question 61

Q

According to ISO 31000, what is the definition of risk?

Answer

A

The effect of uncertainty on objectives, which can be positive, negative, or both.

This definition emphasizes that risks can create both opportunities and threats.

Question 62

Q

List the steps in the risk management process according to ISO 31000.

Answer

A

Ensure communication and consultation
Establish the context
Identify the risk
Analyze the risk
Evaluate the risk
Treat the risk

Each step is crucial for effectively managing risks within an organization.

Question 63

Q

What must organizations do to support the DPO according to GDPR?

Answer

A

Provide necessary resources, access to personal data, and maintain the DPO’s expert knowledge.

This support enables the DPO to effectively carry out their tasks and responsibilities.

Question 64

Q

Fill in the blank: The DPO should cooperate fully with the _______ authority.

Answer

A

[supervisory]

Answer 62

A

Description of processing and purposes
Assessment of necessity and proportionality
Risk assessment to rights and freedoms
Measures to address risks
Safeguards and security measures

These elements ensure comprehensive evaluation of data processing activities.

Answer 63

A

It helps organizations recognize who is involved in data processing and identify potential privacy issues.

Data mapping is essential for understanding the lifecycle of personal data.

Answer 64

A

False

DPOs should not be penalized for carrying out their responsibilities under GDPR.

Answer 65

A

Those involved in the organization’s objectives and the legal, regulatory, and contractual environment

Understanding stakeholders is crucial for effective risk management.

Answer 66

A

Identify the risk (Clause 6.4.2)

This involves recognizing potential risks that could affect the organization.

Answer 67

A

Analyze the risk

This step focuses on understanding the nature and characteristics of the risk.

Answer 68

A

Evaluate the risk against the risk criteria (Clause 6.4.4)

Risk criteria should reflect the organization’s values, objectives, and resources.

Answer 69

A

Applying controls to reduce the level of risk

This is one of the four responses to managing risk.

Answer 70

A

An informed decision to do nothing

This approach is sometimes chosen when the risk is deemed acceptable.

Answer 71

A

Sharing the risk with other parties

This could involve outsourcing or purchasing insurance.

Answer 72

A

Risks that prevent an organization from operating either permanently or temporarily

These risks can significantly impact an organization’s operations.

Answer 73

A

A process to identify and minimize data protection risks

DPIAs are required under GDPR for processing that may impact individual privacy.

Answer 74

A

Will the project involve the collection of new information about individuals?

This question helps determine the necessity of a DPIA.

Answer 75

A

Description of processing and its purposes
Legitimate interests pursued
Necessity and proportionality assessment
Risks to rights and freedoms
Measures to address risks
Safeguards and security measures
Timeframes for data erasure
Data protection by design and by default
Recipients of personal data
Compliance with codes of conduct
Consultation with data subjects

These elements are critical for demonstrating compliance with data protection regulations.

Answer 76

A

To describe how personal data is collected, stored, used, and deleted

Data mapping helps visualize data flow and identify potential privacy risks.

Answer 77

A

Hacking
Viruses and malware
Intruders
Phishing scams
Inadequately trained staff
Unencrypted laptops
Poor access controls

These risks can lead to data breaches and privacy violations.

Answer 78

A

The destination must have an adequacy decision or appropriate safeguards

This ensures that personal data is protected when transferred internationally.

Answer 79

A

Decisions that a country or organization is an acceptable destination for data transfer

These decisions are based on criteria such as human rights and rule of law.

Answer 80

A

To allow large organizations to transfer data internationally while minimizing bureaucratic interference

BCRs ensure compliance with GDPR for multinational companies.

Answer 81

A

A breach of security leading to unauthorized access, loss, or alteration of personal data

Organizations must have measures in place to respond to such breaches.

Answer 82

A

Nature of the breach
Name and contact of the DPO
Likely consequences
Measures taken to address the breach

Timely notification is crucial for compliance with GDPR.

Answer 83

A

An event indicates a possible breach, while an incident indicates a probable breach

This distinction is important for effective incident management.

Answer 84

A

Prepare
Respond
Follow up

These phases provide a structured approach to managing cyber incidents.

Answer 85

A

ISO 22301

This standard guides organizations in maintaining continuity during incidents.

Answer 86

A

To investigate events, report to senior management, and manage the organization’s notification process.

This individual should have the authority to ensure effective incident management.

Answer 87

A

Methods for reporting events and performing triage to determine which reports require the incident response process.

Triage helps prioritize incidents based on their severity.

Answer 88

A

To analyze the causes of problems using methods like Failure Mode and Effects Analysis (FMEA) and Current Reality Tree (CRT).

These methods help identify potential failures before they occur.

Answer 89

A

The five-whys approach
Why-because analysis (WBA)
Cause-and-effect (fishbone) diagrams

These methods help in understanding the underlying issues of incidents.

Answer 90

A

A thorough post-incident review.

This review is important for learning and improving future incident responses.

Answer 91

A

Performing a trend analysis of incidents across the market and sector.

This helps in updating and amending controls and responses.

Answer 92

A

European Data Protection Board, a central body composed of representatives from each member State’s supervisory authority.

It plays a crucial role in ensuring GDPR compliance across the EU.

Answer 93

A

The European Commission.

The Commission oversees the implementation and enforcement of GDPR.

Answer 94

A

Monitor and enforce compliance
Promote public awareness and understanding of data protection rights

This includes educating both the public and organizations about GDPR.

Answer 95

A

Investigative
Corrective
Authorization and advisory

These powers enable supervisory authorities to enforce compliance effectively.

Answer 96

A

To ensure the Regulation is applied consistently across the EU.

This consistency is vital for effective data protection.

Answer 97

A

The right to lodge a complaint with a supervisory authority if they believe their data is being processed unlawfully.

This right is essential for protecting personal data rights.

Answer 98

A

Data subjects can seek judicial remedy if their rights have been infringed due to non-compliance with the Regulation.

This ensures accountability for data processors and controllers.

Answer 99

A

compensation

This right extends beyond just the data subject to anyone affected by the infringement.

Answer 100

A

Willingness to abide by the Regulation
Negligence or intent to breach requirements

These conditions help determine the severity of fines.

Answer 101

A

Internal policies and measures that meet the principles of data protection by design and by default.

This proactive approach helps ensure compliance.

Answer 102

A

Information that should be provided to data subjects when collecting personal data.

Transparency is a key principle of data protection.

Answer 103

A

Capable of being implemented
Enforceable
Concise and easy to understand
Balances protection with productivity

Good policies support effective compliance and operational efficiency.

Answer 104

A

Implementing approved codes of conduct and participating in approved certification mechanisms.

These methods provide evidence of adherence to the Regulation.

Brainscape's Knowledge GenomeTM

GDPR Flashcards

Brainscape's Knowledge Genome^TM