GDPR Flashcards
What measures does the practice need to take to ensure data protection is being taken seriously?
- data protection audits
- policy reviews
- privacy impact assessments
When would you need to carry out a privacy impact assessment?
When planning a new initiative that involves high-risk processing of personal data, e.g. processing special categories of personal data (under the GDPR this is called a data protection impact assessment, DPIA)
What is the idea behind a PIA?
To identify and minimise the data protection and non-compliance risks of a project before the processing starts
What is an audit?
Reviewing and documenting the personal data we hold, identifying where it came from and who it is shared with
What is a benefit of an audit?
It can demonstrate how well we comply with the data protection principles and highlight red flags that need attention
What is a DPO?
Data protection officer
Who needs a DPO?
All practices
What must the DPO have?
Expert knowledge of data protection law and practice in that sector; the employer must support the DPO in maintaining this knowledge with specific training
What are some of the DPOs tasks?
- advising colleagues and monitoring the practice's compliance, including staff training
- monitoring the documentation, notification and communication of data breaches
Who can be the DPO?
Either an employee or a hired contractor
What will new starters receive?
Data protection training before being given access to personal data
Existing staff will receive regular refresher training
A record of which training each employee has completed should be kept, to show that everyone has received sufficient training
When may personal data be processed? (the main lawful bases relevant to the practice)
- with consent
- where the processing is necessary for a contract
- where processing is necessary for compliance with a legal obligation
What is freely given consent?
Consent given by genuine free choice, without pressure or detriment for refusing, and capable of being withdrawn at any time as easily as it was given
What is specific consent?
Separate consent must be obtained for each distinct processing operation; one blanket consent does not cover several purposes
What is fully informed consent?
You should clearly explain to individuals what they are consenting to and tell them of their right to withdraw consent
What are the main legal rights under the GDPR?
- to have information erased
- to have inaccuracies corrected
- to prevent direct marketing
- to prevent automated decision-making and profiling
- data portability
What is a subject access request (SAR)?
It allows individuals to ask the practice for a copy of their personal data, together with other information about how it is being processed
Under the GDPR what are the main changes?
- a subject access request is now free in most cases (previously a £10 fee could be charged)
- manifestly unfounded or excessive requests can now be charged for or refused
- the response must now state the data retention periods, and inaccurate data must be corrected
- if the practice refuses a SAR, it needs policies and procedures in place to demonstrate why the refusal meets these criteria
When can children consent?
16, but a member state can lower this to as young as 13
Ultimately, children under 13 can never give valid consent themselves; consent must come from a parent or guardian (the holder of parental responsibility)