GDPR (and Private Client) [15]

Question 1

GDPR (and Private Client)

What piece of UK legislation came into force which applied the General Data Protection Regulation (EU) 2016/679? [1]

Answer 1

The UK Data Protection Act 2018

Question 2

GDPR (and Private Client)

What is the maximum penalty for breach of the GDPR? [1]

Answer 2

Penalties for a failure to comply with the GDPR (and the Data Protection Act) can be a maximum of 20 million Euros, or 4% of global turnover of business, whichever is the greater.

Question 3

GDPR (and Private Client)

Explain what the GDPR applies to. [1]

Answer 3

The GDPR regulates the processing of ‘personal’ data’.

‘Personal data’ is data which can lead to the identification of an individual.

Question 4

GDPR (and Private Client)

Which organisations must document their compliance with the GDPR? [2]

Answer 4

Organisations with 250 or more employees must document all their processing activities.

Smaller organisations only need to document certain processing activities which are not, inter alia, occasional (more than just a one-off, or only occasional).

Question 5

GDPR (and Private Client)

Do data controllers or data processors have to comply with the GDPR? [1]

Answer 5

Data controllers have the primary responsibility to comply with the GDPR. Data processors are permitted to process the data as instructed by the data controller

Question 6

GDPR (and Private Client)

What three key principles does Article 5 GDPR set out? [3]

Answer 6

(i) Personal data must be collected only for a specified, explicit and legitimate purpose.
(ii) Personal data must be not be kept in a form which permits identification of data subjects for any longer than is necessary for the purposes for which the data is processed.
(iii) Personal data must be processed in a manner that ensures its appropriate security.

Question 7

GDPR (and Private Client)

Inter alia, name three key lawful permitted grounds for processing personal data? [3]

Answer 7

Lawful grounds for processing data include (inter alia): (i) Consent; (ii) Contractual obligation; and (iii) Legal obligation.

Question 8

GDPR (and Private Client)

What do Articles 13 and 14 GDPR require? [1]

Answer 8

Articles 13 and 14 require information to be provided to the data subjects, typically in the form of privacy notices which set out statue mandated information (e.g. data processing details, reason for processing, data stored, data subjects’ rights, etc)

Question 9

GDPR (and Private Client)

True or false: “PRs and trustees will be data controllers and have to comply with the GDPR (including in respect to privacy notices) where they store and process individuals’ personal data)”? [2]

Answer 9

True, unless data is only processed on a one-off or very occasional basis.