Other Regulatory Bodies - GDPR Flashcards

1
Q

Briefly explain what the GDPR is.

A
  1. Came into force on 25 May 2018.
  2. Aims to protect the privacy and rights of individuals with respect to their personal data.
  3. It is based on the premise that consumers and data subjects should know what data is held about them, why it is held and how it is held.
  4. In the UK, the GDPR (together with the Data Protection Act 2018) replaced the Data Protection Act 1998.
  5. The Data Protection Act 2018 was introduced to cover data protection areas outside the scope of the GDPR and to fill in the details the GDPR leaves to member states.
  6. The GDPR governs the data protection responsibilities of all organisations that process personal data, including financial firms.
  7. In the UK, the ICO (Information Commissioner's Office) monitors implementation of and compliance with the GDPR.
  8. Firms established outside the EU but offering goods or services to, or monitoring the behaviour of, individuals inside the EU must still meet the GDPR standards.
2
Q

The GDPR requires anyone who handles personal information to comply with seven principles

What are these principles?

Page 96/97 of training manual

A
  1. Lawfulness, fairness and transparency: personal data should be processed lawfully, fairly and in a transparent manner.
  2. Purpose limitation: data should be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
  3. Data minimisation: data collected should be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
  4. Accuracy: data should be accurate and, where necessary, kept up to date.
  5. Storage limitation: data should be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which it is processed.
  6. Integrity and confidentiality: data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  7. Accountability: the controller is responsible for, and must be able to demonstrate, compliance with the principles above.
3
Q

With regards to the GDPR, what are data controllers and data processors?

A
  1. Data controller - the person or organisation that determines the purposes and means of processing personal data.
  2. Data processor - the person or organisation that processes personal data on behalf of, and on the instructions of, a controller.
4
Q

What are some responsibilities of data controllers under the GDPR?

A
  1. Keep records of processing activities, and consult the ICO before carrying out high-risk processing that a data protection impact assessment cannot mitigate (the GDPR abolished the older requirement to notify the authority before any processing).
  2. Comply with the European data protection principles.
  3. Provide certain information to individuals about whom they hold personal data: the controller's identity, details of the data held and what they plan to do with it.
  4. Implement technical and organisational measures to protect personal data against loss, destruction, unauthorised access or unlawful processing.
  5. Enter into written agreements to ensure data processors only act on the data controller's instructions.
  6. Public authorities, and controllers whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data, must appoint a data protection officer to monitor compliance with the GDPR.
5
Q

What are some responsibilities of data processors under the GDPR?

A
  1. Implement appropriate technical and organisational security measures.
  2. Protect personal data and process it only on the controller's documented instructions.
  3. Keep a register of the processing activities carried out on behalf of each controller.
  4. Comply with the rules relating to the transfer of personal data outside the EU.
  5. Comply with restrictions on their ability to engage sub-processors (prior written authorisation from the controller).
6
Q

What are some of the other important changes introduced by the GDPR?

A
  1. Consent.
  2. Fair processing notices.
  3. Data subject rights.
  4. Personal data breach.
  5. Export of personal data.
7
Q

Under the GDPR, what does “consent” mean?

A
  1. Where an organisation relies on consent as its lawful basis, it requires a clear affirmative action from the data subject (silence, inactivity or pre-ticked boxes do not count).
  2. Consent, once obtained, is only valid for the stated purpose for which it was collected.
  3. The data subject has the right to withdraw their consent at any time, and withdrawing consent must be as easy as giving it.
8
Q

Under the GDPR, what does “fair processing notices” mean?

A
  1. A document (often called a privacy notice) provided by organisations that tells data subjects:
    A. how their personal data is collected
    B. the purpose of, and legal justification for, the data usage/processing
    C. data storage - how long the data will be kept for
    D. data sharing - who the data is shared with
  2. The notice should also highlight:
    A. the existence of the data subject's rights
    B. the right to lodge a complaint with the data protection regulator
    C. that their consent may be withdrawn.
9
Q

Under the GDPR, what does “data subject rights” mean?

A
  1. These are the rights that the data subjects have in respect of their personal data.
  2. Rights are:
    A. Right to access - ask what data a company holds about you and how it is being processed.
    B. Right to rectification - have inaccurate or incomplete data corrected.
    C. Right to erasure - request deletion of your data in some cases.
    D. Right to restrict processing - limit how your data is used.
    E. Right to data portability - receive your data in a structured, machine-readable format.
    F. Right to object - say no to certain uses, such as direct marketing.
    G. Rights in relation to automated decision-making - challenge decisions based solely on automated processing, including profiling.
  3. The data subject can submit a subject access request to find out what the data controller holds about them and how it is processed.
  4. Organisations MUST respond to requests from data subjects within one month (extendable by a further two months for complex or numerous requests) and generally cannot charge a fee.
10
Q

Under the GDPR, what does “personal data breach” mean?

A
  1. Organisations must notify the ICO within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
  2. In high-risk circumstances, they must also inform the individuals to whom the personal data relates without undue delay.
  3. All organisations must also maintain a personal data breach register documenting every breach, including those not reported to the ICO.
11
Q

Under the GDPR, what does “export of personal data” mean?

A

You cannot send personal data outside the EEA (European Economic Area) unless:

  1. The country receiving the data is covered by an adequacy decision of the European Commission, i.e. it has been approved as having strong data protection laws.
  2. There is an appropriate legal safeguard in place, such as standard contractual clauses or binding corporate rules, to protect the data.
  3. A specific derogation applies, for example the data subject has given explicit consent to the transfer after being informed of the risks.
12
Q

What are some of the consequences of not complying with the GDPR?

A
  1. Fines for breaches of certain important provisions (e.g. the principles, consent, data subject rights and international transfers) can be up to €20 million OR 4% of global annual turnover (whichever is greater).
  2. Fines for breaches of other provisions (e.g. controller and processor obligations such as record-keeping and breach notification) can be up to €10 million OR 2% of global annual turnover (whichever is greater).
13
Q

After Brexit, the UK is now a "third country". What does this mean with regards to the EU GDPR?

A
  1. The UK is no longer an EU member state, so transfers of personal data from the EU to the UK are treated as transfers to a third country. Domestically, the UK retained the regulation as the "UK GDPR" alongside the Data Protection Act 2018.
  2. The EU Commission adopted an adequacy decision in June 2021, finding that the UK's data protection laws are strong enough to allow personal data to flow freely from the EU to the UK.
  3. This decision lasts for 4 years. In 2025, the UK must show it still protects data properly, or the adequacy decision may not be renewed.