GDPR and International Privacy Issues Flashcards
List one reason that GDPR may garner the attention of management
Fines for violations of GDPR are based on a company’s worldwide revenues, and fines can be as much as 4% of worldwide revenues
Define “personal data” under GDPR
“Personal data” is broadly defined in the GDPR as any data that relates to “an identified or identifiable natural person”
Distinguish between “personal data” and “sensitive personal data”
“Sensitive Personal Data” is a special category of “Personal Data” that receives additional protections under GDPR
Examples include:
- Race or ethnic origin
- Political opinions
- Religious/philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
Explain the term “data subject”
A data subject is defined as any natural person whose data is being collected, stored, or processed
Distinguish “controller” from “processor”
The term “controller” is defined as an individual or entity that “determines the purposes and the means of the processing of personal data” while the term “processor” means an individual or entity that “processes personal data on behalf of the controller”
Describe the requirements of consent
“Consent” must be freely given, specific, informed AND an unambiguous indication of the data subject’s wishes
Contrast the term DPA with the term DPO
The term DPA refers to an independent public authority that investigates and enforces data protection laws
- DPAs are responsible for enforcing data protection laws at a national level, and providing guidance on the interpretation of those laws
The term DPO refers to the primary point of contact on data protection issues within a business that is based in the EU
- The DPO facilitates and reviews the company’s GDPR compliance
List the seven key principles in the GDPR
- Lawfulness, fairness, and transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
Describe how the principle of transparency impacts communications with data subjects
The principle of transparency requires that any communication (such as privacy notices) be easily accessible and that clear and plain language be used so that it is easy to understand
Discuss the restrictions that the purpose limitation principle places on further processing of data
The purpose limitation principle requires that personal data not be further processed in a manner that is incompatible with the original purpose for which it was collected
Further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes is not considered to be incompatible with the original purposes
Define the principle of data minimization
The principle of data minimization requires that the processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
Explain the steps that must be taken to comply with the accuracy principle
The accuracy principle requires that every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
Discuss the main step that should be taken to ensure compliance with the principle of storage limitation
To ensure compliance with the principle of storage limitation, the controller should establish time limits for erasure or for a periodic review
Explain numerous concerns that should be addressed regarding the principle of integrity and confidentiality
To comply with the principle of integrity and confidentiality, personal data must be processed in a manner that ensures appropriate security and confidentiality of the personal data, including:
- Protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage
- Using appropriate technical or organizational measures
Name the entity responsible for compliance with accountability
The controller is accountable for compliance with the principles of processing
List the eight rights that individuals have regarding the processing of their personal data
- Right to be informed
- Right of access
- Right to rectify
- Right to erase
- Right to restrict processing
- Right to data portability
- Right to object
- Right not to be subject to automated decision making
Discuss the types of information that the controller must provide to the data subject
The controller must provide:
- the purposes of processing
- the lawful basis of processing
- the recipients or the categories of recipients
- the details of transfers
Define the right of access
The right of access provides individuals with the right to obtain a copy of their personal data and more detailed information about the processing activities
Explain the right to rectify
According to the right to rectify, individuals have the right to have inaccurate personal data corrected
Provide an alternative name for the right to erase
The right to be forgotten
Explain the interaction between the right to restrict processing and the right to erase
The right to restrict processing allows an individual to limit the way their personal data is processed. This right is an alternative to the right to erase
Discuss the details of the right to data portability
Individuals have the right to port data to themselves or to another controller
The individuals may request data provided in a structured, commonly used and machine-readable format
Describe the similarity between the right to object and the right to restrict processing
Both the right to object and the right to restrict processing allow individuals to limit how their personal data is processed
Name the right that restricts profiling under the GDPR
The right not to be subject to automated decision-making