GDPR

Question 1

What measures does the practice need to take to ensure data protection is being taken seriously?

Answer 1

• data protection audits
• policy reviews
• privacy impact assessments

Question 2

When would you need to carry out a privacy impact assessment?

Answer 2

When planning a new initiative which involves high risk data processing activities e.g processing special categories of personal data

Question 3

What is the idea behind a PIA?

Answer 3

Is to identify and minimise non-compliance risks

Question 4

What is an audit?

Answer 4

Reviewing and documenting the personal data we hold, identify the source and who it is shared with

Question 5

What is a benefit of an audit?

Answer 5

It can demonstrate and how well we comply with the data protection principles and highlight red flags which need attention

Question 6

What is a DPO?

Answer 6

Data protection officer

Question 7

Who needs a DPO?

Answer 7

All practices

Question 8

What must the DPO have?

Answer 8

Specific knowledge in that sector, the employer must help maintain this knowledge with specific training

Question 9

What are some of the DPOs tasks?

Answer 9

• advising colleagues and monitoring the practices compliance including staff training
• monitoring the documentation, notification and communication of data breaches

Question 10

Who can be the DPO?

Answer 10

Either an employee or a hired contractor

Question 11

What will new starters receive?

Answer 11

Data protection training before having access to personal date

Existing staff with will receive regular and refresher training

Record of who and what training employees have completed should be kept to ensure everyone gets sufficient training

Question 12

When may personal data be processed?

Answer 12

• with consent
• where the processing is necessary for a contract
• where processing is necessary for compliance with a legal obligation

Question 13

What is freely given consent?

Answer 13

The consent must be freely given and capable of being withdrawn at any time

Question 14

What is specific consent?

Answer 14

Separate consents must be obtained for different processing operation

Question 15

What is fully informed consent?

Answer 15

You should clearly explain to individual what they are consenting to and of their right to withdraw consent

Question 16

What are the main legal rights under the GDPR?

Answer 16

To have information erased 
To have inaccuracies corrected 
To prevent direct marketing 
To prevent automated decision-making and profiling 
Data portability

Question 17

What is subject access request? (SAR)

Answer 17

It allows individuals to ask to give them a copy of their personals data together with other information of how it’s being processed by the practice

Question 18

Under the GDPR what are the main changes?

Answer 18

• right to withdraw info is now free (was £10) but not in all cases
• manifestly unfounded or excessive requests can now be charged for or refused
• to supply data retention periods and have the inaccurate data correct
• if the practice removes SAR you will need to have policies and procedures in place to demonstrate why refusal meets these criteria

Question 19

When can children consent?

Answer 19

16 but can be lowered to 13 by a member state

Ultimately, u13 can never consent to the processing of their personal data