Privacy and GDPR Flashcards

1
Q

Define privacy

A

The right to be let alone

Control over what information about you is stored, revealed, used, processed, and to whom

Privacy rights are not absolute

Privacy is a function of culture

2
Q

What does privacy need to balance?

A

Individual rights

Society’s need

3
Q

What is invasion of privacy?

A

Private facts: Disclosure of non-public personal information

Intrusion: intrude into private affairs

Appropriation: Acquiring name or likeness

False light: Make look inappropriately bad to public

4
Q

What are 3 core concepts in privacy laws around the world?

A
  1. Transparency
  2. Accountability
  3. User control
5
Q

What is GDPR?

A

General Data Protection Regulation

6
Q

When did GDPR come into force, and to whom?

A

2018, for all members of the EU and EEA

7
Q

What challenges does GDPR tackle?

A

The challenges of a rapidly evolving digital world that cause privacy risks for data subjects.

8
Q

Why is GDPR important?

A

It improves the protection of EU data subjects’ rights and clarifies what companies that process personal data must do to safeguard these rights.

9
Q

What are (EU?) companies that are processing user data required to do? (3)

A

Ensure the lawfulness of processing

Document processing, procedures and security measures

Have data processing agreements in place

10
Q

How large are the fines for companies that do not comply with GDPR?

A

As high as 20 million euros, or 4% of annual revenue, whichever is greater

11
Q

What do the general provisions of GDPR apply to?

A

To the processing of personal data, regardless of whether the processing takes place in the EU or not

12
Q

What do GDPR rules relate to?

A

To the protection of natural persons in the processing of personal data.

To the free movement of personal data.

13
Q

What do GDPR provisions protect?

A

Protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

14
Q

What is a data subject?

A

An identified or identifiable natural person, an individual

15
Q

Give examples of data subjects

A

Customer, patient, employee, pedestrian

16
Q

What is personal data?

A

Any information related to an identified or identifiable natural person: name, birthdate, location, online identifier

17
Q

What are behaviour patterns?

A

Where you are
What you shop for
What you read
Who your friends are
What you are communicating

18
Q

Name some special categories of personal data (8)

A

Racial/ethnic origin

Political opinions

Religious or philosophical beliefs

Trade union membership

Genetic data

Biometric data that can uniquely identify an individual

Health data

Sex life, sexual orientation

19
Q

Give 3 examples of individually non-sensitive data

A

Zip code
Gender
Date of birth

20
Q

Give an example of individually sensitive data

A

Medical condition

21
Q

How does GDPR define “Processing”?

A

Any operation performed on personal data.

Can be by automated means; examples are collection, structuring, storage, alteration, use, erasure or destruction.

22
Q

How does GDPR define “consent”?

A

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes.

Given by a statement or a clear affirmative action that signifies agreement to the processing.

23
Q

How does GDPR define “personal data breach”?

A

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

24
Q

What are the 7 GDPR principles?

A
  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability
25
Q

Describe the GDPR principle: Lawfulness, fairness and transparency

A

Lawful processing, fairly and in a transparent manner in relation to the data subject

26
Q

Describe the GDPR principle: Purpose limitation

A

Personal data collected for specified, explicit and legitimate purposes and not further processed.

27
Q

Describe the GDPR principle: Data minimisation

A

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

28
Q

Describe the GDPR principle: Accuracy

A

Personal data shall be accurate and, where necessary, kept up to date; personal data that are inaccurate should be erased or fixed.

29
Q

Describe the GDPR principle: Storage limitation

A

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

30
Q

Describe the GDPR principle: Integrity and confidentiality

A

Personal data shall be processed in a manner that ensures appropriate security of the personal data

31
Q

Describe the GDPR principle: Accountability

A

The controller shall be responsible for and be able to demonstrate compliance with the regulation.

32
Q

What is lawful processing? (5)

A
  1. Consent has been given
  2. Processing is necessary for the performance of a contract, or prior to entering into a contract
  3. Processing complies with a legal obligation to which the controller is subject
  4. Processing is necessary in order to protect the vital interests of the data subject
  5. Processing is necessary for the performance of a task

33
Q

What are the 3 conditions of consent?

A
  1. Consent shall be presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language
  2. Right to withdraw at any time, as easily as consent was given
  3. For children: the controller shall verify that consent is given by one with parental responsibility over the child

34
Q

What is a privacy policy?

A

A statement or a legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer's or client's data.

35
Q

What does a privacy policy fulfill?

A

Legal requirements to protect a client's privacy

36
Q

Why are privacy policies not the same as protection?

A

Few people read privacy policies, meaning companies can say almost anything. Privacy policies are often not written to be readable by "real people".

37
Q

For what GDPR rule does the law specify some exceptions?

A

Rules in regards to processing of special categories of personal information

38
Q

What are the rights of the data subject? (8)

A
  1. Right to be informed
  2. Right to object
  3. Erasure (right to be forgotten)
  4. Data portability
  5. Object to automated individual decision making
  6. Restriction of processing
  7. Transparency
  8. Right to rectification

39
Q

What is transparency in GDPR?

A

The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used

40
Q

What is a data controller?

A

A natural or legal person, public authority, or other body which determines the purposes and means of processing of personal data

41
Q

What does the data controller do?

A

Implement appropriate measures to be able to demonstrate lawful processing

42
Q

What do data processors do?

A

Process data on behalf of the controller

43
Q

What is a recipient?

A

A natural or legal person, public authority, or other body, to which the personal data are disclosed

44
Q

Name 4 responsibilities of the controller

A
  1. Data protection officer (DPO)
  2. Data protection impact assessment
  3. Notification of breach
  4. Privacy by design and by default

45
Q

What is a DPO?

A

Involved in all issues which relate to protection of personal data.

46
Q

What are the 4 tasks of a DPO?

A
  1. Inform and advise the controller/processor who carry out processing of their obligations
  2. Monitor compliance with the Regulation
  3. Provide advice where requested as regards the data protection impact assessment
  4. Cooperate with the supervisory authority

47
Q

What is a DPIA?

A

Data protection impact assessment

Required any time you begin a new project that is likely to involve a "high risk" to personal data

48
Q

Who notifies of a data breach?

A

The controller notifies the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

49
Q

What must a breach notification do?

A

Describe the nature of the personal data breach, the categories and approximate number of data subjects and number of records concerned

Describe the likely consequences

Describe the measures taken or proposed to be taken

Give the name and contact details of the data protection officer (DPO)

50
Q

What should be done during the design process?

A

Design should reflect data protection and security requirements

Take into account the existence of threat actors

Reduce the attack surface by analysing it

Model and design software to ensure a robust product

Use data- and process-oriented design requirements

51
Q

What are the 5 data-oriented design requirements?

A
  1. Minimise and limit (collection, processing and storage of data)
  2. Hide and protect (data and personal interrelationships)
  3. Separate (personal from other data)
  4. Aggregate (process in an aggregated manner, without prejudice to the business value)
  5. Data protection by default (privacy-friendly default settings)

52
Q

Name 4 process-oriented design requirements

A
  1. Inform (the data subject)
  2. Control (data subjects control their own data)
  3. Enforce (software must document how it enforces the subject's rights)
  4. Demonstrate (the controller can demonstrate how the software complies with GDPR)

53
Q

What do testers do?

A

Check that the requirements for data protection and information security have been implemented as planned

54
Q

What is required of each member state, following GDPR?

A

Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation

55
Q

What does the supervisory authority do?

A

Contribute to the consistent application of this Regulation throughout the Union

56
ONLINE QUIZ
https://blog.atinternet.com/en/15-questions-to-test-your-gdpr-knowledge/