Privacy and GDPR

Question 1

Define privacy

Answer 1

The right to be let alone

Control over what information about you is stored, revealed, used, processed, and to whom

Privacy rights are not absolute

Privacy is a function of culture

Question 2

What does privacy need to balance?

Answer 2

Individual rights

Society’s need

Question 3

What is invasion of privacy?

Answer 3

Private facts: Disclosure of non-public personal information

Intrusion: intrude into private affairs

Appropriation: Acquiring name or likeness

False light: Make look inappropriately bad to public

Question 4

What are 3 core concepts in privacy laws around the world?

Answer 4

1. Transparency
2. Accountability
3. User control

Question 5

What is GDPR?

Answer 5

General Data Protection Regulation

Question 6

When did GDPR come into force, and to whom?

Answer 6

2018, for all members of the EU and EEA

Question 7

What challenges does GDPR tackle?

Answer 7

The challenges in the rapid evolving digital world causing privacy risks for data subjects.

Question 8

Why is GDPR important?

Answer 8

It improves the protection of EU data subjects’ rights and clarifies what companies that process personal data must do to safeguard these rights.

Question 9

What are (EU?) companies that is processing user data required to do? (3)

Answer 9

ensure the lawfulness of processing

document processing, procedures, security measures

have data processing agreements in place

Question 10

How large are the fines to companies who does not comply with GDPR?

Answer 10

As high as 20 million euros, or 4% of annual revenue, whichever is greater

Question 11

What does the general provisions of GDPR apply to?

Answer 11

To the processing of personal data, regardless of wether the processing takes place in EU or not

Question 12

What does GDPR rules relate to?

Answer 12

To the protection of natural persons in the processing of personal data.

To the free movement of personal data.

Question 13

What does GDPR provisions protect?

Answer 13

Protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Question 14

What is a data subject?

Answer 14

An identified or identifiable natural person, an individual

Question 15

Give examples of data subjects

Answer 15

customer, patient, employee, pedestrians

Question 16

What is personal data?

Answer 16

Any onformation relted to an identified or identifiable natural person, name, birthdate, location, online identifier

Question 17

What are behaviour patterns?

Answer 17

Where you are
What you shop for
What you read
Who your friends are
What you are communicating

Question 18

Name som special categories of personal data (8)

Answer 18

Racial/ethnic origin

Political opinions

Religious or philosophical beliefs

Trade union membership

Genetic data

Biometric data that can uniquely identify an individual

health data

Sex life, sexual orientation

Question 19

Give 3 examples of individually non-sensitive data

Answer 19

Zip code
Gender
Date of birth

Question 20

Give an example of individually sensitive data

Answer 20

Medical condition

Question 21

How does GDPR define “Processing”?

Answer 21

Operation performed on personal data.

Can be by automated means, such as collection, structuring, storage, alteration, use, erasure or destruction.

Question 22

How does GDPR define “consent”?

Answer 22

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes.

A statement or a clear affirmative action, signifies agreement to processing.

Question 23

How does GDPR define “personal data breach”?

Answer 23

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Question 24

What are the 7 GDPR principles?

Answer 24

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

Question 25

Describe the GDPR principle: Lawfulness, fairness and transparency

Answer 25

Lawfull processing, fairly and in a transparent manner in relation to the data subject

Question 26

Describe the GDPR principle: Purpose limitation

Answer 26

Personal data collected for specified, explicit and legitimate purposes and not further processed.

Question 27

Describe the GDPR principle: Data minimisation

Answer 27

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Question 28

Describe the GDPR principle: Accuracy

Answer 28

Personal data shall be accurate and, where necessary, kept up to date; personal data that are inaccurate should be erased or fixed.

Question 29

Describe the GDPR principle: Storage limitation

Answer 29

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

Question 30

Describe the GDPR principle: Integrity and confidentiality

Answer 30

Personal data shall be processed in a manner that ensures appropriate security of the personal data

Question 31

Describe the GDPR principle: Accountability

Answer 31

The controller shall be responsible for and be able to demonstrate compliance towards the regulation.

Question 32

What is lawful processing? (5)

Answer 32

Consented

Processing is necessary for the performance of a contract, or prior to entering into a contract.

Processing comply with legal obligation to which the controller is subject.

Processing is necessary in order to protect the vital interests of the data subject.

Is necessary for the performance of a task

Question 33

What are the 3 conditions of consent?

Answer 33

1. Consent shall be presented clearly distinguishable and intelligible from the other matters and easily accessible form, using clear and plain language.
2. Right to withdraw at any time, as easily as to give consent.
3. For Children: The controller verify that consent is given by one with parental responsibility over the child

Question 34

What is a privacy policy?

Answer 34

A statement or a legal document that discloses some or all the ways a party gathers, uses, discloses, and manages a customer or client’s data.

Question 35

What does a privacy policy fulfill?

Answer 35

Legal requirements to protect a client’s privacy

Question 36

Why is privacy policies not the same as protection

Answer 36

Few people read privacy policies, meaning companies can say almost anything.

Privacy policies are often not written to be readable by “real people”.

Question 37

For what GDPR rule does the law specify some exceptions?

Answer 37

Rules in regards to processing of special categories of personal information

Question 38

What are the rights of the data subject? (8)

Answer 38

Right to be informed

Right to object

Erasure - right to be forgotten

Data portability

Object to automated individual decision making

Restriction of processing

Transparency

Right to rectification

Question 39

What is transparency in GDPR?

Answer 39

The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used

Question 40

What is a data controller?

Answer 40

a natural or legal person, public authority, or other which determines the purposes and means of processing of personal data

Question 41

What does the data controller do?

Answer 41

implement appropriate measures to be able to demonstrate lawfull processing

Question 42

What does data processors do?

Answer 42

Process data on behalf of controller

Question 43

What is a recipient?

Answer 43

a natural or legal person, public authority, or other, to which the personal data are disclosed

Question 44

Name 4 responsibilities of the controller

Answer 44

Data protection officer (DPO)

Data protection impact assessment

Notification of breach

Privacy by design and by default

Question 45

What is a DPO?

Answer 45

Involved in all issues which relate to protection of personal data.

Question 46

What are the 4 tasks of a DPO?

Answer 46

Inform and advice the controller/processor who carry out processing of their obligations.

Monitor compliance with the Regulations

Provide advice where requested as regards the data protection impact assessmen

To cooperate with the supervisory authority

Question 47

What is DPIA?

Answer 47

Data protection impact assessment

Required any time you begin a new project that is likely to involve a “high risk” to personal data

Question 48

Who notifies of a data breach?

Answer 48

The controller to the supervisory authority , unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Question 49

What must a breach-notification do?

Answer 49

Describe the nature of the personal data breach, the categories and approximate number of data subjects and number of records concerned.

Describe the likely consequences

Describe the measures taken or proposed to be taken

The name and contact details of the data protection officer (DPO).

Question 50

What should be done during the design process?

Answer 50

Design should reflect data protection- and security requirements

Take into account existence of threat actors

Reduce attack surface by analysing it.

Model and design SW to ensure a robust product

Use data- and process-oriented design requirements

Question 51

What are the 5 data-oriented design requirements?

Answer 51

Minimise and limit (collection, processing and storage of data)

Hide and protect (data and personal interrelationships)

Separate (personal from other data)

Aggregate (process in an aggregated manner, without prejudice to the business value)

Data protection by default (privacy friendly default settings)

Question 52

Name 4 process oriented design requirements

Answer 52

Inform (data subject)

Control (data subject control their own data)

Enforce (software must document how it enforces subject’s rights)

Demonstrate (The controller can demonstrate how the software complies with GDPR)

Question 53

What does testers do?

Answer 53

Check that the requirements for data protection and information security have been implemented as planned

Question 54

What is required by each member state, following GDPR?

Answer 54

Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation

Question 55

What does the supervisory authority do?

Answer 55

Contribute to the consistent application of this Regulation throughout the Union

Question 56

ONLINE QUIZ

Answer 56

https://blog.atinternet.com/en/15-questions-to-test-your-gdpr-knowledge/