Module 10 - Accountability Flashcards

1
Q

What is the difference between data-protection-by-design and data-protection-by-default?

A

BY DESIGN:
- Data protection built into product lifecycle.
- Safeguards include data minimisation and pseudonymisation.
- Risks are assessed and mitigated.

BY DEFAULT:
- The most data-protective settings are applied by default.
- Users must opt in to settings that imply greater risk.
- Access to personal data is limited.

2
Q

What does article 25, GDPR require in terms of development of technical and organisational measures?

A

Such measures must be developed and implemented both at the time the means of processing are determined and on a continuing basis throughout the processing lifecycle.

3
Q

What do articles 35-36, GDPR prescribe in terms of Data Protection Impact Assessments (DPIAs)?

A
  • CONTROLLERS must perform DPIAs (though processors should support these under article 28, GDPR).
  • DPIAs help incorporate data protection considerations into organisational planning, supporting demonstration of compliance to DPAs.
  • A DPIA is required (article 35) if there is a high risk to DS rights and freedoms, in particular:
    1. Systematic, extensive evaluation of personal aspects based upon profiling.
    2. Large-scale processing of special category personal data.
    3. Monitoring public areas systematically and on a large scale.
    DPAs may define other areas of high-risk processing.
  • A DPIA should provide a description of the processing, an assessment of necessity, proportionality and risks to DS rights and freedoms, and the risk control measures.
  • Prior consultation with a DPA is required if the DPIA indicates a high DS risk; the DPA can advise the controller or block the processing if it deems the processing high risk or inadequately mitigated (article 36).

4
Q

When does article 24(2), GDPR require a data processing policy?

A
  • Insofar as proportionate in relation to the processing activities.
  • Policies are used amongst other measures, as part of a larger data protection programme.
  • The GDPR does not prescribe the contents of the policy.

5
Q

When is a record of processing activities (ROPA) required under article 30, GDPR?

A

A controller or processor requires a ROPA if they:
- Have 250 or more employees;
- Are processing personal data in a way that poses risk to DS rights and freedoms;
- Process personal data on a non-occasional basis; or
- Are processing special category data or personal data comprising criminal convictions.

6
Q

What is a controller required to document within a ROPA under article 30, GDPR?

A
  • Purpose of processing.
  • Name/contact details of controller, representatives and DPO.
  • Data subject categories.
  • Personal data categories.
  • Recipients.
  • International data transfers and appropriate safeguards.
  • Time limits for erasure.
  • Technical and organisational security measures.

7
Q

What is a processor required to document within a ROPA under article 30, GDPR?

A
  • Name and contact details of processor, controller, representatives and DPO.
  • Processing categories.
  • International data transfers and appropriate safeguards.
  • Technical and organisational security measures.

8
Q

What are the key characteristics of a data protection officer under article 37, GDPR?

A
  • Must be a staff member or contractor appointed by the controller or processor.
  • Must be an expert in data protection law and practices.
  • Ensures compliance, and evidence of compliance, with data protection laws.

9
Q

When is a data protection officer legally required?

A
  • Core activities of the controller or processor include processing activities (i) requiring REGULAR and SYSTEMATIC MONITORING of DS on a LARGE SCALE or (ii) processing SPECIAL CATEGORY DATA or CRIMINAL CONVICTION DATA on a LARGE SCALE.
  • PUBLIC AUTHORITY PROCESSING (except courts acting in a judicial capacity).

10
Q

What are the main responsibilities of a data protection officer under articles 38-39, GDPR?

A
  • Monitor compliance with GDPR and EU / MS data protection laws.
  • Collect and identify processing activities, and analyse and check compliance of such activities.
  • Manage internal data protection activities.
  • Train staff.
  • Perform internal audits.
  • Provide advice in relation to DPIAs.
  • Issue recommendations to the controller or processor (as applicable).
  • Manage risk.
  • Cooperate and communicate with DS and DPAs.
  • Exercise professional secrecy.

11
Q

When is an EU representative required under article 27, GDPR?

A

Insofar as processing activities are undertaken outwith the EU but target EU DS, and the processing is not occasional.
