Unit 2 Topic 24 - Other regulation affecting the advice process Flashcards
Who does the General Data Protection Regulation apply to?
It applies to ‘personal data’, which is information relating to an individual who can be identified.
What is principle 1) of the six GDPR protection principles?
Processed lawfully, fairly and in a transparent manner in relation to individuals.
What is principle 2) of the six GDPR protection principles?
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
What is principle 3) of the six GDPR protection principles?
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
What is principle 4) of the six GDPR protection principles?
Kept accurate and up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
What is principle 5) of the six GDPR protection principles?
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, although archiving is allowed in certain circumstances.
What is principle 6) of the six GDPR protection principles?
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
How does GDPR define ‘Data subject’?
An individual (a natural person) whose personal data is processed.
How does GDPR define ‘Personal data’?
Information that can directly or indirectly identify a natural person. This information can be in any format.
How does GDPR define ‘Special categories of personal data’?
This data is more sensitive and so needs more protection. Generally (although there are exceptions) such data can only be processed if the individual has given explicit consent. Sensitive data includes information about an individual’s:
- race;
- religious beliefs;
- political persuasion;
- trade union membership;
- sexual orientation;
- health;
- biometric data;
- genetic data.
How does GDPR define ‘Processing’?
This has a very broad meaning, covering all aspects of owning data, including:
- obtaining that data in the first place;
- recording of the data;
- organisation or alteration of the data;
- erasure of the data, by whatever means.
How does GDPR define ‘Data controller’?
This is the ‘legal’ person who determines the purposes for which data are processed and the way in which this is done. The data controller is normally an organisation/employer, such as a company, partnership or sole trader. They have prime responsibility for ensuring the requirements of the Act are carried out.
How does GDPR define ‘Data processor’?
This is a person who processes personal data on behalf of the data controller.
What are the six criteria of which at least one must apply in order for an organisation to have a lawful basis for processing data?
1) Consent
2) Contract
3) Legal obligation
4) Vital interests
5) Public task
6) Legitimate interests
Who is responsible for enforcing GDPR?
The Information Commissioner is responsible for overseeing the application of the GDPR. Firms should report significant personal data breaches to the Information Commissioner.
What are the Information Commissioner’s powers to enforce GDPR?
- Serve information notices
- Issue undertakings
- Serve enforcement notices, and ‘stop now’ orders where there has been a breach
- Conduct consensual assessments (audits)
- Serve assessment notices
- Issue monetary penalty notices
- Prosecute
- Issue a ban
How is the following classified under GDPR, and what fine can apply?
- For a data controller to fail to comply with an information or enforcement notice.
Criminal offence.
The maximum fine for this is the higher of EUR 20m or 4% of an organisation’s worldwide turnover.
How is the following classified under GDPR, and what fine can apply?
- Failure to make a proper notification to the Information Commissioner. ‘Notification’ is the way in which a data controller effectively registers with the Information Commissioner’s Office by acknowledging that personal data are being held and by specifying the purpose(s) for which the data are being held.
Criminal offence.
The maximum fine for this is the higher of EUR 20m or 4% of an organisation’s worldwide turnover.
How is the following classified under GDPR, and what fine can apply?
Processing of data without authorisation from the Commissioner.
Criminal offence.
The maximum fine for this is the higher of EUR 20m or 4% of an organisation’s worldwide turnover.
How is the following classified under GDPR, and what fine can apply?
- Intentionally or recklessly re-identifying individuals from pseudonymised or anonymised data.
Criminal offence.
The maximum fine for this is the higher of EUR 20m or 4% of an organisation’s worldwide turnover.
Define Direct Pay Arrangement
A direct pay arrangement is one where the employer collects an employee’s pension contributions from their gross salary and pays them over to the pension provider.
What are the three categories that the powers of the Pensions Regulator fall under?
- Investigating schemes
- Putting things right
- Acting against avoidance