Privacy and GDPR Flashcards
Define privacy
The right to be let alone
Control over what information about you is stored, revealed, used, processed, and to whom
Privacy rights are not absolute
Privacy is a function of culture
What does privacy need to balance?
Individual rights
Society’s need
What is invasion of privacy?
Private facts: Disclosure of non-public personal information
Intrusion: intrude into private affairs
Appropriation: Acquiring name or likeness
False light: Make look inappropriately bad to public
What are 3 core concepts in privacy laws around the world?
- Transparency
- Accountability
- User control
What is GDPR?
General Data Protection Regulation
When did GDPR come into force, and to whom?
2018, for all members of the EU and EEA
What challenges does GDPR tackle?
The challenges of the rapidly evolving digital world that cause privacy risks for data subjects.
Why is GDPR important?
It improves the protection of EU data subjects’ rights and clarifies what companies that process personal data must do to safeguard these rights.
What are (EU?) companies that are processing user data required to do? (3)
ensure the lawfulness of processing
document processing, procedures, security measures
have data processing agreements in place
How large are the fines for companies that do not comply with GDPR?
As high as 20 million euros, or 4% of annual revenue, whichever is greater
What do the general provisions of GDPR apply to?
To the processing of personal data, regardless of whether the processing takes place in the EU or not
What do GDPR rules relate to?
To the protection of natural persons in the processing of personal data.
To the free movement of personal data.
What do GDPR provisions protect?
Protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
What is a data subject?
An identified or identifiable natural person, an individual
Give examples of data subjects
customer, patient, employee, pedestrians
What is personal data?
Any information related to an identified or identifiable natural person: name, birthdate, location, online identifier
What are behaviour patterns?
Where you are
What you shop for
What you read
Who your friends are
What you are communicating
Name some special categories of personal data (8)
Racial/ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data that can uniquely identify an individual
Health data
Sex life, sexual orientation
Give 3 examples of individually non-sensitive data
Zip code
Gender
Date of birth
Give an example of individually sensitive data
Medical condition
How does GDPR define “Processing”?
Operation performed on personal data.
Can be by automated means, such as collection, structuring, storage, alteration, use, erasure or destruction.
How does GDPR define “consent”?
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes.
A statement or a clear affirmative action that signifies agreement to processing.
How does GDPR define “personal data breach”?
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
What are the 7 GDPR principles?
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Describe the GDPR principle: Lawfulness, fairness and transparency
Lawful processing, fairly and in a transparent manner in relation to the data subject
Describe the GDPR principle: Purpose limitation
Personal data collected for specified, explicit and legitimate purposes and not further processed.
Describe the GDPR principle: Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Describe the GDPR principle: Accuracy
Personal data shall be accurate and, where necessary, kept up to date; personal data that are inaccurate should be erased or fixed.
Describe the GDPR principle: Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Describe the GDPR principle: Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data
Describe the GDPR principle: Accountability
The controller shall be responsible for and be able to demonstrate compliance with the regulation.
What is lawful processing? (5)
Consented
Processing is necessary for the performance of a contract, or prior to entering into a contract.
Processing complies with a legal obligation to which the controller is subject.
Processing is necessary in order to protect the vital interests of the data subject.
Is necessary for the performance of a task
What are the 3 conditions of consent?
- Consent shall be presented in a manner clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
- Right to withdraw at any time, as easily as to give consent.
- For children: the controller verifies that consent is given by someone with parental responsibility over the child
What is a privacy policy?
A statement or a legal document that discloses some or all the ways a party gathers, uses, discloses, and manages a customer or client’s data.
What does a privacy policy fulfill?
Legal requirements to protect a client’s privacy
Why are privacy policies not the same as protection?
Few people read privacy policies, meaning companies can say almost anything.
Privacy policies are often not written to be readable by “real people”.
For what GDPR rule does the law specify some exceptions?
Rules regarding the processing of special categories of personal information
What are the rights of the data subject? (8)
Right to be informed
Right to object
Erasure - right to be forgotten
Data portability
Object to automated individual decision making
Restriction of processing
Transparency
Right to rectification
What is transparency in GDPR?
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used
What is a data controller?
A natural or legal person, public authority, or other which determines the purposes and means of processing of personal data
What does the data controller do?
Implement appropriate measures to be able to demonstrate lawful processing
What do data processors do?
Process data on behalf of controller
What is a recipient?
A natural or legal person, public authority, or other, to which the personal data are disclosed
Name 4 responsibilities of the controller
Data protection officer (DPO)
Data protection impact assessment
Notification of breach
Privacy by design and by default
What is a DPO?
Involved in all issues which relate to protection of personal data.
What are the 4 tasks of a DPO?
Inform and advise the controller/processor who carries out processing of their obligations.
Monitor compliance with the Regulations
Provide advice where requested as regards the data protection impact assessment
To cooperate with the supervisory authority
What is DPIA?
Data protection impact assessment
Required any time you begin a new project that is likely to involve a “high risk” to personal data
Who notifies of a data breach?
The controller to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
What must a breach-notification do?
Describe the nature of the personal data breach, the categories and approximate number of data subjects and number of records concerned.
Describe the likely consequences
Describe the measures taken or proposed to be taken
The name and contact details of the data protection officer (DPO).
What should be done during the design process?
Design should reflect data protection and security requirements
Take into account existence of threat actors
Reduce attack surface by analysing it.
Model and design SW to ensure a robust product
Use data- and process-oriented design requirements
What are the 5 data-oriented design requirements?
Minimise and limit (collection, processing and storage of data)
Hide and protect (data and personal interrelationships)
Separate (personal from other data)
Aggregate (process in an aggregated manner, without prejudice to the business value)
Data protection by default (privacy friendly default settings)
Name 4 process oriented design requirements
Inform (data subject)
Control (data subject control their own data)
Enforce (software must document how it enforces subject’s rights)
Demonstrate (The controller can demonstrate how the software complies with GDPR)
What do testers do?
Check that the requirements for data protection and information security have been implemented as planned
What is required by each member state, following GDPR?
Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation
What does the supervisory authority do?
Contribute to the consistent application of this Regulation throughout the Union
ONLINE QUIZ
https://blog.atinternet.com/en/15-questions-to-test-your-gdpr-knowledge/