Chapter 11 (Accountability Requirements)

Question 1

What two articles of the GDPR codify the accountability principle?

Answer 1

1. Article 5(2): codifies that a data controller must be able to demonstrate its compliance with the GDPR
2. Article 24(1): requires data controllers to implement appropriate technical and organizational measures to comply with the GDPR

Question 2

Recital 75 of the GDPR lists what 8 examples of high-risk processing that require greater measures to protect against risk?

Answer 2

1. Discrimination
2. Identity theft, fraud, or financial loss
3. Damage to reputation
4. Loss of confidentiality of personal data protected by professional secrecy
5. Unauthorized reversal of pseudonymisation
6. Any other significant economic or social disadvantage
7. Processing which might deprive an individual of their rights and freedoms or prevent them from exercising control over their personal data
8. Processing special categories of personal data, the personal data of children, or personal data related to criminal convictions

Question 3

What 3 areas should a data controller consider when trying to establish appropriate data protection policies?

Answer 3

1. Internal policies
2. Internal allocation of responsibilities
3. Training

Question 4

What is at the core for data controller’s compliance with the GDPR?

Answer 4

An internal data protection policy which outlines the basic contours of the measures to take in the processing and handling of personal data.

Question 5

What are 6 key aspects to a data controller’s internal data protection policy?

Answer 5

1. Scope
2. Policy statement
3. Employee responsibilities
4. Management responsibilities
5. Reporting incidents
6. Policy compliance

Question 6

The scope of an internal protection policy should include what?

Answer 6

A brief statement that explains both to whom the internal policy applies and type of processing activities it covers.

Question 7

What 3 things should the policy statement of an internal protection policy include?

Answer 7

1. Set out the company’s commitment or position re the personal data it processes
2. A description of the purposes for collecting and processing personal data, as well as the legit business purposes for the collection and processing
3. The principles for processing personal data as stated in Article 5(1) of the GDPR.

Question 8

What 7 employee responsibilities should be listed in an internal data protection policy?

Answer 8

1. Address different areas where employees are directly responsible when processing personal data.
2. Specify limitations around the use of the collected personal data.
3. List steps that must be followed to ensure personal data are maintained accurately.
4. Employee security obligations and required steps to take to prevent unauthorized access or loss.
5. The security obligations outlined in the internal data protection policy should be appropriately cross referenced to the more detailed company information security policy (if applicable).
6. Outline relevant legitimate grounds for processing data and steps that must be taken before transferring personal data.
7. Outline steps for destruction or deletion of personal data.

Question 9

What are the 3 management responsibilities that should be included in a company’s internal data protection policy?

Answer 9

1. Specify clearly the senior management roles across the business that are responsible for assessing the business risk arising as a result of processing personal data.
2. Outline senior managers that must work with the business to develop procedures and controls to identify and address risks appropriately.
3. Clearly outline what individual organizational roles are responsible for complying with each GDPR requirement from determining safeguards to procedures for transferring data.

Question 10

What are the 4 reporting incident requirements that should be included in a company’s internal data protection policy?

Answer 10

1. Employees expressly required to report immediately all incidents that involve the suspected or actual loss, theft, unauthorized disclosure, or inappropriate use of personal data.
2. Outline steps employees must take if a company’s third-party service provider notifies the company of a data breach.
3. Outline the timing for data breach reporting (significant data breaches must be declared to the relevant DPA within 72 hours)
4. A reference to the company’s incident response teams, including who is responsible for investigating the incident and determining the company’s legal obligations.

Question 11

What 6 categories of info should be included in company’s internal data protection plan?

Answer 11

1. Scope of data protection policies and processing activities
2. Company’s policy statement
3. Employee responsibilities re data protection
4. Management’s responsibilities
5. Policies for reporting data breach incidents
6. Importance/ramifications of policy compliance

Question 12

A companies internal allocation of its data protection responsibilities should facilitate what 3 things?

Answer 12

1. Supervision by DPAs
2. Allow data subjects to exercise their rights
3. Enable data privacy policies, procedures, and processes to be updated on a regular basis.

Question 13

The concept of data privacy by design and default addresses what?

Answer 13

More broadly addresses the legal obligations set out by the GDPR and includes an ethical dimension.

Question 14

What is the main design objective of Article 25 of the GDPR?

Answer 14

The main design objective is the effective implementation of the privacy principles and protection of the rights of data subjects into the appropriate measures of the processing.

Question 15

What are 4 factors companies should take into account when implementing appropriate technical and organizational measures under Article 25 of the GDPR?

Answer 15

1. State of the art
2. The cost of implementation
3. The nature, scope, context, and purpose of processing
4. The risks of varying likelihood and severity for rights and freedoms of natural persons

Question 16

What are 3 types of technical measures that can be taken under Article 25 of the GDPR?

Answer 16

1. Minimizing the amount of personal data being processed
2. Pseudonymization
3. Allowing individuals greater control over their personal data and visibility over what is being processed

Question 17

To ensure compliance with Article 25 of the GDPR, companies should carefully review and asses their data processing systems to determine what 6 things?

Answer 17

1. Personal data are appropriately mapped, classified, labelled, stored, and accessible to allow for an easy search if a request is made by a data subject.
2. Systems are setup for automated deletion of personal data.
3. Paper-based forms and digital applications or other data collection forms are drafted appropriately to ensure excessive personal data aren’t collected.
4. Personal data can be pseudonymised, when possible
5. Personal data can be singled out (and deleted) if individuals object to receiving direct marketing messages
6. Personal data are structured in a commonly used, machine-readable, and interoperable format to satisfy data portability requirement

Question 18

Article 30 of the GDPR outlines the records that must be kept by whom?

Answer 18

1. Data controllers
2. Data processors

Question 19

Under Article 30 of the GDPR, data controllers are required to keep records of what 7 types of info?

Answer 19

1. The controller’s name & contact details (and when applicable) contact info of any joint controller, representative, or DPO
2. The purposes of the processing
3. A description of the categories of data subjects and personal data
4. Categories of recipients who receive or will receive personal data
5. Where applicable, transfers of personal data to third countries
6. Where possible, the retention periods for erasure/deletion of different categories of personal data
7. Where possible, a general description of the technical and organizational security measures

Question 20

Under Article 30 of the GDPR, data processors are required to keep records of what 5 types of info?

Answer 20

1. The processor(s) name & contact details (and when applicable) contact info of any representative or DPO
2. The name and contact details of each data controller for whom the processor acts, and where applicable, the name and contact details of reps and DPOs
3. The categories of processing carried out on behalf of each controller
4. Where applicable, details of the transfers of personal data to third countries
5. Where possible, a general description of the processor’s technical and organizational security measures

Question 21

The GDPR applies an exemption to its record keeping requirements if companies meet what 5 criteria?

Answer 21

1. Employ fewer than 250 people
2. Its processing isn’t likely to result in a risk to the rights and freedoms of data subjects
3. Its processing is occasional, not frequent
4. Its processing doesn’t involve special categories of data
5. Processing doesn’t relate to criminal convictions and offenses

Question 22

What is another name for data protection impact assessments (DPIAs)?

Answer 22

Privacy impact assessments (PIAs)

Question 23

What are DPIAs?

Answer 23

The process by which companies can systematically
1. Assess and identify the privacy and data protection impacts of any products they offer and services they provide, and
2. Take appropriate actions to prevent or at least minimize the risk of those impacts

Question 24

What 3 questions should a company ask when determining whether a DPIA is necessary and how it should be carried out?

Answer 24

1. Is the processing likely to be high risk?
2. What if the processing is high risk and, therefore, an assessment is required?
3. What if the processing is still high risk?

Question 25

Article 35(3) of the GDPR gives examples of what types of processing activities?

Answer 25

Risky processing activities that require a company to conduct a DPIA

Question 26

What are 3 activities that the GDPR considers risky?

Answer 26

1. Systemic and extensive profiling that produces legal effects or significantly affects individuals 2. Processing activities that use special categories of data on a large scale 3. Systemic monitoring of a publicly accessible area on a large scale, other video surveillance in public areas, and potentially the use of drones

Question 27

When a DPIA is required the company should seek the advice of whom?

Answer 27

A DPO (if one has been appointed)

Question 28

Under Article 35(7) of the GDPR, a DPIA must contain what 4 things?

Answer 28

1. A systematic description of the envisioned processing operations and the purposes of the processing, including any legit interests pursued by the controllers 2. An assessment of the necessity and proportionality of the processing operations in relation to the purposes 3. An assessment of the risks to the rights and freedoms of individuals 4. The measures adopted to address the risks, including safeguards, security measure, and mechanisms to ensure the protection of personal data

Question 29

After carrying out a DPIA and determining that there are no sufficient measures capable of mitigating the processing’s risk, what must a company do?

Answer 29

Consult the relevant DPA before commencing processing

Question 30

Under the GDPR, how long does a DPA have to consider a referral from a data controller?

Answer 30

Up to 8 weeks

Question 31

Under the GDPR, when must a controller or processor designate a DPO?

Answer 31

1. Where processing is carried out by a public authority 2. If the core activities of the controller or processor consist of regular and systematic monitoring of individuals on a large scale 3. If the core activities consist of processing special categories of personal data on a large scale

Question 32

How does the WP29 define **core activities**?

Answer 32

They are key operations necessary to achieve the controller’s or processor’s goals.

Question 33

What are the 4 factors the WP29 says a company must consider in assessing whether their activities are large-scale for purposes of the DPO requirement?

Answer 33

1. The number of data subjects concerned- either as a specific number or proportion of the relevant population 2. The volume of data or range of different data items being processed 3. The duration or permanence of the data processing activities 4. The geographical extent of the processing activities

Question 34

The term **regular and systematic monitoring of data subjects’** includes what 2 things, and isn’t restricted to what?

Answer 34

Includes all forms of: 1. Internet-based tracking 2. Profiling It isn’t restricted to the online environment and online tracking.

Question 35

The WP29 interprets **regular** as meaning one or more of the following 3 things?

Answer 35

1. Ongoing or occurring at particular intervals for a particular period 2. Recurring or repeated at fixed times 3. Constantly or periodically taking place

Question 36

The WP29 interprets **systematic** as meaning one or more of the following what 4 things?

Answer 36

1. Occurring according to a system 2. Prearranged, organized, or methodical 3. Taking place as part of a general plan for data collection 4. Carried out as part of a strategy

Question 37

Can member states’ law require a company to appoint a DPO, even where the GDPR doesn’t require such an appointment?

Answer 37

Yes.

Question 38

Can a group of undertakings appoint a single DPO?

Answer 38

Yes, on the condition that the DPO is easily accessible to each undertaking.

Question 39

Under the GDPR, companies must ensure DPOs are involved in what?

Answer 39

All issues related to the protection of personal data.

Question 40

Under the GDPR do DPOs act independently?

Answer 40

Yes.

Question 41

Can a DPO have other roles within a company?

Answer 41

Yes, provided any additional or other roles don’t give rise to a conflict of interest.

Question 42

Under the GDPR is there a limitation to a DPO’s length of tenure?

Answer 42

No, but a company can set one.

Question 43

Under the GDPR, DPOs must have a direct reporting line to whom?

Answer 43

The highest management level.

Question 44

Does the GDPR specify qualifications or credentials DPOs must or should have?

Answer 44

No.

Question 45

In order to fulfill the role of DPO a person must have knowledge of data protection law and practices and the ability to do what 5 things?

Answer 45

1. Inform and advise the company and employees of their obligations under the GDPR 2. Monitor compliance with the GDPR and company policies in relation to the protection of personal data 3. Provide advice, where requested, concerning the DPIA and monitor its performance 4. Cooperate with the supervisory authority 5. Act as the point of contact for the supervisory authority on issues relating to processing and with regard to any other matter

Question 46

What can be described as a privacy framework or code implemented by companies to support their accountability framework?

Answer 46

Binding corporate rules (BCRs)

Question 47

What are the 2 things BCRs do?

Answer 47

1. Allow personal data to move freely between various entities of a corporate group worldwide 2. Ensure all members of a group comply with the same high level of protection of personal data

Question 48

What 6 things must a company’s privacy compliance framework show?

Answer 48

1. A privacy policy is in place 2. Employees are aware of the privacy policy and have been trained appropriately 3. A person who is responsible for compliance has been appointed 4. Audits are undertaken 5. A system for handling complaints has been setup 6. The org is being transparent about the transfer of data