Data Protection Law Flashcards
(20 cards)
What is the primary legislation governing data protection in the UK?
The Data Protection Act 2018 (DPA 2018), which implements the General Data Protection Regulation (GDPR) into UK law.
What is the General Data Protection Regulation (GDPR)?
The GDPR (EU Regulation 2016/679) is a regulation that governs the processing of personal data across the EU and aims to protect the rights of individuals with respect to their personal data.
What is the key principle of the GDPR?
The key principle of the GDPR is the protection of individuals’ personal data through strict conditions for its collection, storage, processing, and transfer.
What is personal data under the GDPR?
Personal data is any information that relates to an identified or identifiable natural person, such as name, identification number, location data, or online identifiers.
What are the rights of individuals under the GDPR?
Key rights include: Right to access (Article 15), Right to rectification (Article 16), Right to erasure (right to be forgotten) (Article 17), Right to restriction of processing (Article 18), Right to data portability (Article 20), Right to object (Article 21).
What is the concept of ‘processing’ under the GDPR?
Processing is any operation or set of operations performed on personal data, such as collection, storage, retrieval, alteration, disclosure, or destruction.
What are the lawful bases for processing personal data under the GDPR?
The lawful bases for processing personal data are: consent (Article 6(1)(a)); contractual necessity (Article 6(1)(b)); legal obligation (Article 6(1)(c)); vital interests (Article 6(1)(d)); public task (Article 6(1)(e)); legitimate interests (Article 6(1)(f)).
What is consent under the GDPR?
Consent is defined as the freely given, specific, informed, and unambiguous indication of a data subject’s wishes, typically given by a statement or clear affirmative action.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a process to help identify and minimize the data protection risks of a project or initiative. It is required when processing is likely to result in a high risk to the rights and freedoms of individuals (Article 35 GDPR).
What is the role of the Data Protection Officer (DPO)?
A DPO is responsible for overseeing data protection compliance, providing advice on DPIAs, training staff, and acting as a point of contact for data subjects and supervisory authorities.
What is the concept of ‘data minimization’ under the GDPR?
Data minimization requires that personal data collected should be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c) GDPR).
What are the key principles of data processing under the GDPR?
The key principles include: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability (Article 5 GDPR).
What is a ‘data breach’ under the GDPR?
A data breach is a security incident that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data (Article 4(12) GDPR).
What is the duty to report a data breach under the GDPR?
Data controllers must report a breach to the relevant supervisory authority within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33 GDPR).
What are the penalties for non-compliance with the GDPR?
The GDPR imposes significant penalties, including: Up to 20 million euros or 4% of global annual turnover (whichever is higher) for the most serious infringements. Up to 10 million euros or 2% of global annual turnover for less severe breaches.
What is the role of the Information Commissioner’s Office (ICO)?
The ICO is the UK’s independent regulator for data protection and privacy, responsible for enforcing the Data Protection Act 2018 and the GDPR, handling complaints, and investigating data protection violations.
What is the difference between a ‘data controller’ and a ‘data processor’?
Data Controller: Determines the purposes and means of processing personal data. Data Processor: Processes personal data on behalf of the data controller, typically under contract.
What is the right to erasure (right to be forgotten)?
The right to erasure allows individuals to request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected, or if they withdraw consent (Article 17 GDPR).
What is the role of supervisory authorities under the GDPR?
Supervisory authorities are independent public authorities responsible for monitoring compliance with the GDPR. They have the power to investigate complaints, conduct audits, issue warnings, and impose penalties.
What is the principle of ‘accountability’ under the GDPR?
Accountability requires that organizations not only comply with data protection principles but also be able to demonstrate compliance with the GDPR through policies, procedures, and record-keeping.