Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

Data Privacy > GDPR > Flashcards

GDPR Flashcards

(107 cards)

Start Studying
1
Q

What is the GDPR?

A

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which previous data protection regimes does the GDPR build upon?

A
  • EU’s Data Protection Directive (DPD)
  • US’s Health Insurance Portability and Accountability Act (HIPAA)
  • Various other data protection regimes
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

How does the GDPR relate to Member State laws?

A

As an EU regulation, the GDPR operates above the level of other Member State laws.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What legislation incorporates the GDPR in the UK?

A

Data Protection Act 2018

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What term is defined as any operation performed on personal data?

A

Processing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Who is referred to as the ‘Controller’ under the GDPR?

A

The natural or legal person that determines the purposes and means of processing personal data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is a ‘Processor’ in the context of the GDPR?

A

A natural or legal person that processes personal data on behalf of the controller.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Define ‘Personal data’.

A

Any information relating to an identified or identifiable natural person.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Does the GDPR extend rights to deceased persons?

A

No, the GDPR does not extend any rights to deceased persons.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Which organizations are subject to the GDPR?

A
  • Organizations within the EU processing personal data
  • Organizations outside the EU processing personal data of EU residents
  • Organizations outside the EU governed by EU law
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are some exemptions from the material scope of the GDPR?

A
  • National security of non-EU states
  • Processing by member states related to common foreign and security policy
  • Personal or household processing
  • Competent authorities related to crime and security
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is the responsibility of a data controller?

A

Ensuring that personal data is processed in accordance with the GDPR.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What must data controllers implement to protect personal data?

A

Appropriate technical and organizational measures.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are the requirements for contracts between controllers and processors?

A

Contracts must meet specific requirements as stated in Article 28 of the GDPR.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What records must organizations retain to prove compliance?

A
  • Fair processing notices
  • Retention policies
  • Evidence of consent
  • Data Protection Impact Assessments (DPIAs)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is a DSAR?

A

Data Subject Access Request, which allows individuals to request access to their personal data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What rights do data subjects have under the GDPR?

A
  • Right to Fair Processing
  • Right to Access
  • Right to Rectification
  • Right to be Forgotten
  • Right to Data Portability
  • Right to Object
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What does the ‘Right to be Forgotten’ entail?

A

Data subjects can request erasure of their personal data under certain conditions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is required for processing to be lawful under the GDPR?

A

At least one of the lawful bases must apply, such as consent or necessity for a contract.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is meant by ‘Data Minimization’?

A

Limiting the collection and processing of personal data to what is necessary.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What principle requires organizations to ensure the accuracy of personal data?

A

Accuracy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What does the principle of ‘Storage Limitation’ require?

A

Personal data must not be kept longer than necessary for the purposes for which it is processed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is the principle of ‘Integrity and Confidentiality’?

A

Processing personal data in a manner that ensures appropriate security against unauthorized access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What is the principle of ‘Accountability’ in the GDPR?

A

The data controller is responsible for ensuring compliance with all data processing principles.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What should organizations do to demonstrate compliance with the GDPR?
Submit to audits and adhere to approved codes of conduct or certification mechanisms.
26
What is required for consent to be valid under the GDPR?
Consent must be freely given, specific, informed, and unambiguous.
27
What must organizations provide in privacy notices?
Clear and accessible information about data processing activities and data subjects' rights.
28
What does the 'Right to Data Portability' allow?
Data subjects can request their personal data in a structured, commonly used, and machine-readable format.
29
What should organizations do if they receive 'excessive requests'?
They can refuse the request or charge a reasonable fee.
30
What is the significance of training and staff awareness in GDPR compliance?
To ensure all staff understand their responsibilities regarding privacy and data protection.
31
What is the Right to Object in data processing?
Data subjects can object to having their personal data processed, requiring processing to stop unless the controller demonstrates legitimate grounds for the processing.
32
Are organizations required to inform data subjects of their right to object?
Yes, organizations must inform data subjects of their right to object, clearly and separately from other information.
33
What do data subjects have the right to regarding automated decision-making?
Data subjects have the right not to be subject to decisions based solely on automated processing that significantly affects them.
34
Define a 'compliance framework'.
A structured set of guidelines and practices that integrate regulatory compliance requirements with necessary business processes, policies, and controls.
35
What are the three key areas of a privacy compliance framework?
* Governance, risk management, and compliance objectives * Data processing principles * Policies, procedures, controls, and records
36
What is the territorial scope of the GDPR?
The GDPR applies to all data subjects in the EU, regardless of their nationality or place of residence, if their data is processed by an EU controller or processor.
37
What role should boards play regarding privacy compliance frameworks?
Boards should ensure that privacy compliance frameworks ensure GDPR compliance and provide regular reports on the state of compliance.
38
What does the acronym SMART stand for in goal setting?
Specific, Measurable, Actionable, Realistic, and Time-bound.
39
List key objectives for information security controls.
* Respond to subject access requests within one month * Identify and report data breaches within 72 hours * Define retention periods for personal data * Conduct staff awareness training
40
What are the steps in an Incident Management Process?
* Realizing and reporting the incident * Understanding what has happened * Containing the event * Repairing the damage * Preventing recurrence * Reviewing the response
41
Fill in the blank: Confidentiality, integrity, and availability are known as the ______ of information security.
CIA
42
What is the primary focus of BS 10012:2017?
Privacy protection and personal information management systems.
43
What are the responsibilities of data controllers regarding subject access requests?
* Provide explanations of rights to data subjects * Ensure transparency throughout the request process * Train staff to identify subject access requests * Respond within one month with reasons for any refusal
44
True or False: Consent is the easiest lawful basis for processing personal data.
True
45
What does GDPR Article 9 define as special categories of personal data?
Data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, and sexual orientation.
46
What does a Data Protection Officer (DPO) oversee?
Compliance with data protection laws and guidance on data processing activities.
47
What is a key requirement for appointing a DPO under GDPR?
DPO must be designated when processing involves large-scale monitoring of data subjects or processing of special categories of data.
48
What is a RACI chart used for?
To define who is Responsible, Accountable, Consulted, and Informed for each process.
49
What should an Information Security Policy include?
* Signed by top management * Assert intentions towards information security * Describe objectives aligned with business * Define the policy scope * Establish responsibility and accountability * Communicate to all relevant parties
50
What are the conditions under which consent can be withdrawn according to GDPR?
The withdrawal of consent must be as easy as giving it and does not affect the lawfulness of processing before withdrawal.
51
What are the potential conflicts of interest for a Data Protection Officer?
DPOs cannot hold positions that determine the purposes and means of data processing to avoid conflicts of interest.
52
What is the role of the Data Protection Officer (DPO) according to GDPR?
To inform and advise the controller or processor and employees about their obligations under the GDPR and other data protection provisions. ## Footnote The DPO should also oversee the privacy compliance framework and monitor data protection activities.
53
True or False: The DPO can hold a position that influences the purposes and means of data processing.
False ## Footnote The DPO cannot determine the purposes and means of processing personal data.
54
List some responsibilities of the DPO.
* Advise on DPIAs * Monitor compliance with GDPR * Provide training and awareness programs * Cooperate with supervisory authorities * Serve as a contact point for data subjects ## Footnote These responsibilities ensure that the DPO effectively supports data protection within the organization.
55
What qualifications are typically required for a DPO?
* Law degree with specialization in data privacy * Professional certifications in data protection * Experience in implementing data protection measures * Knowledge of information security management ## Footnote Specific certifications may include ISO/IEC 17024-certificated EU GDPR Practitioner and Certified Data Protection Officer (C-DPO).
56
Fill in the blank: The GDPR requires that the DPO must be involved in all issues related to the _______.
[protection of personal data]
57
What are the four key elements essential to data mapping?
* Data items * Formats * Transfer methods * Locations ## Footnote These elements help organizations understand their data processing lifecycle and identify potential privacy issues.
58
What is a Data Protection Impact Assessment (DPIA)?
A process that helps organizations identify and minimize privacy risks before implementing new processes or projects. ## Footnote DPIAs are particularly important when there is high-risk processing of personal data.
59
True or False: A DPIA is required by law for all data processing activities.
False ## Footnote A DPIA is only required in certain circumstances, particularly when there is high risk to the rights and freedoms of data subjects.
60
What are the seven key principles of Data Protection by Design?
* Proactive not reactive * Privacy as the default setting * Privacy embedded into design * Full functionality–positive-sum * End-to-end security * Visibility and transparency * Respect for user privacy ## Footnote These principles guide organizations in implementing effective data protection measures.
61
According to ISO 31000, what is the definition of risk?
The effect of uncertainty on objectives, which can be positive, negative, or both. ## Footnote This definition emphasizes that risks can create both opportunities and threats.
62
List the steps in the risk management process according to ISO 31000.
* Ensure communication and consultation * Establish the context * Identify the risk * Analyze the risk * Evaluate the risk * Treat the risk ## Footnote Each step is crucial for effectively managing risks within an organization.
63
What must organizations do to support the DPO according to GDPR?
Provide necessary resources, access to personal data, and maintain the DPO's expert knowledge. ## Footnote This support enables the DPO to effectively carry out their tasks and responsibilities.
64
Fill in the blank: The DPO should cooperate fully with the _______ authority.
[supervisory]
65
What should be included in the minimum contents of a DPIA?
* Description of processing and purposes * Assessment of necessity and proportionality * Risk assessment to rights and freedoms * Measures to address risks * Safeguards and security measures ## Footnote These elements ensure comprehensive evaluation of data processing activities.
66
What is the importance of data mapping in GDPR compliance?
It helps organizations recognize who is involved in data processing and identify potential privacy issues. ## Footnote Data mapping is essential for understanding the lifecycle of personal data.
67
True or False: DPOs can be dismissed for performing their tasks.
False ## Footnote DPOs should not be penalized for carrying out their responsibilities under GDPR.
68
What are the key stakeholders to consider in risk management?
Those involved in the organization's objectives and the legal, regulatory, and contractual environment ## Footnote Understanding stakeholders is crucial for effective risk management.
69
What is the first step in the risk management process according to ISO 31000?
Identify the risk (Clause 6.4.2) ## Footnote This involves recognizing potential risks that could affect the organization.
70
What does Clause 6.4.3 of ISO 31000 entail?
Analyze the risk ## Footnote This step focuses on understanding the nature and characteristics of the risk.
71
How should risks be evaluated according to ISO 31000?
Evaluate the risk against the risk criteria (Clause 6.4.4) ## Footnote Risk criteria should reflect the organization’s values, objectives, and resources.
72
What does 'Treating' a risk involve?
Applying controls to reduce the level of risk ## Footnote This is one of the four responses to managing risk.
73
What does 'Tolerating' a risk mean?
An informed decision to do nothing ## Footnote This approach is sometimes chosen when the risk is deemed acceptable.
74
What is meant by 'Transferring' a risk?
Sharing the risk with other parties ## Footnote This could involve outsourcing or purchasing insurance.
75
What are continuity risks?
Risks that prevent an organization from operating either permanently or temporarily ## Footnote These risks can significantly impact an organization's operations.
76
What is a Data Protection Impact Assessment (DPIA)?
A process to identify and minimize data protection risks ## Footnote DPIAs are required under GDPR for processing that may impact individual privacy.
77
What is a key requirement to initiate a DPIA?
Will the project involve the collection of new information about individuals? ## Footnote This question helps determine the necessity of a DPIA.
78
List the objectives and outcomes of a DPIA.
* Description of processing and its purposes * Legitimate interests pursued * Necessity and proportionality assessment * Risks to rights and freedoms * Measures to address risks * Safeguards and security measures * Timeframes for data erasure * Data protection by design and by default * Recipients of personal data * Compliance with codes of conduct * Consultation with data subjects ## Footnote These elements are critical for demonstrating compliance with data protection regulations.
79
What is the purpose of data mapping in privacy risk identification?
To describe how personal data is collected, stored, used, and deleted ## Footnote Data mapping helps visualize data flow and identify potential privacy risks.
80
What are some actual risks to personal data?
* Hacking * Viruses and malware * Intruders * Phishing scams * Inadequately trained staff * Unencrypted laptops * Poor access controls ## Footnote These risks can lead to data breaches and privacy violations.
81
What does GDPR require for transferring personal data outside the EU?
The destination must have an adequacy decision or appropriate safeguards ## Footnote This ensures that personal data is protected when transferred internationally.
82
What are adequacy decisions?
Decisions that a country or organization is an acceptable destination for data transfer ## Footnote These decisions are based on criteria such as human rights and rule of law.
83
What is the role of Binding Corporate Rules (BCRs)?
To allow large organizations to transfer data internationally while minimizing bureaucratic interference ## Footnote BCRs ensure compliance with GDPR for multinational companies.
84
What is the definition of a personal data breach?
A breach of security leading to unauthorized access, loss, or alteration of personal data ## Footnote Organizations must have measures in place to respond to such breaches.
85
What should be included in a notification to the supervisory authority after a personal data breach?
* Nature of the breach * Name and contact of the DPO * Likely consequences * Measures taken to address the breach ## Footnote Timely notification is crucial for compliance with GDPR.
86
What distinguishes an event from an incident in information security?
An event indicates a possible breach, while an incident indicates a probable breach ## Footnote This distinction is important for effective incident management.
87
What are the three phases of the CREST cyber incident management process?
* Prepare * Respond * Follow up ## Footnote These phases provide a structured approach to managing cyber incidents.
88
What is the international standard for best practice in business continuity management systems?
ISO 22301 ## Footnote This standard guides organizations in maintaining continuity during incidents.
89
What is the primary responsibility of an individual assigned to the incident management process?
To investigate events, report to senior management, and manage the organization’s notification process. ## Footnote This individual should have the authority to ensure effective incident management.
90
What methods should be in place for reporting events and suspected incidents?
Methods for reporting events and performing triage to determine which reports require the incident response process. ## Footnote Triage helps prioritize incidents based on their severity.
91
What is the purpose of problem cause analysis in incident management?
To analyze the causes of problems using methods like Failure Mode and Effects Analysis (FMEA) and Current Reality Tree (CRT). ## Footnote These methods help identify potential failures before they occur.
92
List three methods for root cause identification.
* The five-whys approach * Why-because analysis (WBA) * Cause-and-effect (fishbone) diagrams ## Footnote These methods help in understanding the underlying issues of incidents.
93
What should be conducted after an incident?
A thorough post-incident review. ## Footnote This review is important for learning and improving future incident responses.
94
What is a key conclusion of following up on an incident?
Performing a trend analysis of incidents across the market and sector. ## Footnote This helps in updating and amending controls and responses.
95
What is the EDPB?
European Data Protection Board, a central body composed of representatives from each member State’s supervisory authority. ## Footnote It plays a crucial role in ensuring GDPR compliance across the EU.
96
Who holds the highest authority under the GDPR?
The European Commission. ## Footnote The Commission oversees the implementation and enforcement of GDPR.
97
List two duties of supervisory authorities under the GDPR.
* Monitor and enforce compliance * Promote public awareness and understanding of data protection rights ## Footnote This includes educating both the public and organizations about GDPR.
98
What are the three powers of supervisory authorities?
* Investigative * Corrective * Authorization and advisory ## Footnote These powers enable supervisory authorities to enforce compliance effectively.
99
What is one responsibility of the European Data Protection Board (EDPB)?
To ensure the Regulation is applied consistently across the EU. ## Footnote This consistency is vital for effective data protection.
100
What right do data subjects have regarding complaints?
The right to lodge a complaint with a supervisory authority if they believe their data is being processed unlawfully. ## Footnote This right is essential for protecting personal data rights.
101
What is the right to effective judicial remedy against a controller or processor?
Data subjects can seek judicial remedy if their rights have been infringed due to non-compliance with the Regulation. ## Footnote This ensures accountability for data processors and controllers.
102
Fill in the blank: Anyone who has suffered damage as a result of an infringement of the Regulation has the right to seek _______ from the controller or processor.
compensation ## Footnote This right extends beyond just the data subject to anyone affected by the infringement.
103
What are the two categories of conditions for imposing administrative fines?
* Willingness to abide by the Regulation * Negligence or intent to breach requirements ## Footnote These conditions help determine the severity of fines.
104
What should a controller adopt to demonstrate compliance with the GDPR?
Internal policies and measures that meet the principles of data protection by design and by default. ## Footnote This proactive approach helps ensure compliance.
105
What must a privacy policy include according to Article 13 of the Regulation?
Information that should be provided to data subjects when collecting personal data. ## Footnote Transparency is a key principle of data protection.
106
List four characteristics of good policies.
* Capable of being implemented * Enforceable * Concise and easy to understand * Balances protection with productivity ## Footnote Good policies support effective compliance and operational efficiency.
107
What is a prominent method for demonstrating compliance with the GDPR?
Implementing approved codes of conduct and participating in approved certification mechanisms. ## Footnote These methods provide evidence of adherence to the Regulation.

Data Privacy (2 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions