How well do you know GDPR?

We all think we know how GDPR works, but do we really?

ParaDPO’s co-founder Clifford Barton explains that when running GDPR workshops and tutorials, arguably the best approach to initiating the uninitiated into new territory is to make it fun and ease them in, rather than confront them with a barrage of information. On the premise of trying not to make something intrinsically scholastic even more so, Barton has found multiple-choice quizzes to be a useful tool in the GDPR learning canon.

This article therefore tests your GDPR knowledge, with the answers at the end. Fuller and more comprehensive explanations for each can be found from our website (www.paradpo.co.uk).

Questions

Q1. According to the ICO, how many lawful bases for processing data are specified in the GDPR?

  • 2
  • 4
  • 6
  • 8
  • 10

Q2. To comply with GDPR, companies must be able to present (following a mandatory request by the ICO) how they consume personal data in the context of application systems used in their organisation. What is the name of the artefact used for this function?

  • Information authorisation record
  • Information asset register
  • Information access request
  • Information availability roadmap
  • Information acknowledgement receipt

Q3. Which of the following does not describe the function of a data protection impact assessment (DPIA)?

  • A DPIA must be considered every time a new project initiative is engaged.
  • A DPIA helps an organisation identify, assess and mitigate privacy risks that may come about due to their processing of data.
  • A DPIA must be performed every time a new project initiative is engaged.
  • Performing a DPIA shows due diligence and demonstrates personal data accountability.
  • A DPIA must always be engaged if a new process or system involving personal data is introduced.

Q4. The ICO is assigned a number of responsibilities aimed at making sure data protection regulations are complied with. What is one of those responsibilities?

  • Review of contracts and BCRs on compliance with the regulations.
  • Assessing codes of conduct for specific sectors relating to the processing of personal data.
  • Investigation of all data breaches of which they have been notified.
  • Defining a minimum set of measures to be taken to protect personal data.

Q5. The GDPR distinguishes ‘sensitive personal data’ as a special category (SCD) of personal data; from the following, which are examples of SCD?

  • Membership of a trade association.
  • Subscription to a scientific journal for politics.
  • An address for casting a vote at a general election.
  • A bank account number.
  • A clinical appointment in a hospital.

Q6. Which rights of the data subject are explicitly defined by the GDPR?

  • Personal data must always be changed at the request of the data subject.
  • A copy of personal data must be provided in the format requested by the data subject.
  • Personal data must always be erased if a data subject so requests it.
  • A data subject has the right to demand a data risk assessment from the organisation holding their data.
  • Access to personal data without any cost for the data subject.

Q7. A security breach has occurred in a company information system holding personal data. What must the controller do first?

  • Take a vote from the executive to see if they collectively agree to reporting the error.
  • Assess whether personal data of a sensitive nature has or may have been unlawfully processed.
  • Assess the likelihood of it affecting the rights and freedoms of individuals.
  • Assess the risk of adverse effects to the data subjects using a privacy impact assessment (PIA).
  • Report the breach immediately with the relevant data protection authority.

Q8. Some websites track visitor activity and store their information for marketing purposes. Should the website notify the visitor that their information is being used for marketing purposes?

  • Only when the visitor clicks the ‘more information’ link.
  • Never
  • Sometimes
  • Always

Q9. According to the GDPR, what is the definition of ‘processing’ of personal data?

  • Collecting personal data as a legitimate interest.
  • Only operations in which the data is being shared on social media or transferred by email or otherwise through the internet.
  • Any operation that can be performed on personal data, except erasing and destroying.
  • Only operations in which the personal data is used for the purposes for which it was collected.
  • Any operation that can be performed on personal data following collection.

Q10. Which of the below best describes the principle of data minimisation?

  • The organisation must collect as little data as possible to protect the privacy and interests of the data subjects.
  • Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • To keep data manageable, it must be stored in such a manner that requires a minimal amount of storage.
  • The number of items that is collected per data subject may not exceed the upper limit stated by the data protection authority (DPA).
  • Data must conform to ICO data quality standards.

ANSWERS

1d: There are six: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Special category and criminal data have additional considerations.

2b: Information asset register – this should include the records of processing, data protection logs and associated information.

3c: As part of the project lifecycle assessment process, a section must include a DPIA consideration. Typically, this is a checklist question-set, the result of which determines whether a full DPIA is necessary.

4b: A DPO should provide general advice on how to comply with the regulation.

5e: A hospital appointment is considered as special category data because it concerns the state of health of an individual. Membership of a trade union is also special category data.

6e: The first subject access request is free, though if the data subject requests an excessive amount of information, a charge can be applied.

7c: Yes – data breaches must be reported to the ICO within 72 hours if the DPO identifies a “risk to the rights and freedoms of individuals”; if there is a high risk then the affected data subjects themselves need to be notified.

8d: Always – the website has an obligation to notify the visitor that their information is being used for marketing purposes which enables them to decide whether they wish to proceed. They also have the right to object to the processing of personal data concerning him or her for marketing purposes. But this is an area that will be affected by the EU E-Privacy directive.

9e: True – see GDPR Article 4(2).

10b: Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Note: more comprehensive answers are available from www.paradpo.co.uk.

Clifford Barton is the co-founder of ParaDPO.

See More On:

  • Vendor: ParaDPO
  • Topic: Finance Management, Housing Management
  • Publication Date: 066 - November 2018
  • Type: Contributed Articles
