We all think we know how GDPR works, but do we really?
ParaDPO’s co-founder Clifford Barton explains that when running GDPR workshops and tutorials, arguably the best approach to initiating the uninitiated into new territory is to make it fun and ease them in, rather than confront them with a barrage of information. On the premise of trying not to make something intrinsically scholastic even more so, Barton has found multiple-choice quizzes to be a useful tool in the GDPR learning canon.
This article therefore tests your GDPR knowledge, with the answers at the end. Fuller and more comprehensive explanations for each can be found on our website (www.paradpo.co.uk).
Q1. According to the ICO, how many lawful bases for processing data are specified in the GDPR?
Q2. To comply with GDPR, companies must be able to present (following a mandatory request by the ICO) how they consume personal data in the context of application systems used in their organisation. What is the name of the artefact used for this function?
- Information authorisation record
- Information asset register
- Information access request
- Information availability roadmap
- Information acknowledgement receipt
Q3. Which of the following does not describe the function of a data protection impact assessment (DPIA)?
- A DPIA must be considered every time a new project initiative is engaged.
- A DPIA helps an organisation identify, assess and mitigate privacy risks that may come about due to their processing of data.
- A DPIA must be performed every time a new project initiative is engaged.
- Performing a DPIA shows due diligence and demonstrates personal data accountability.
- A DPIA must always be engaged if a new process or system involving personal data is introduced.
Q4. The ICO is assigned a number of responsibilities aimed at making sure data protection regulations are complied with. What is one of those responsibilities?
- Review of contracts and BCRs on compliance with the regulations.
- Assessing codes of conduct for specific sectors relating to the processing of personal data.
- Investigation of all data breaches of which they have been notified.
- Defining a minimum set of measures to be taken to protect personal data.
Q5. The GDPR distinguishes ‘sensitive personal data’ as a special category (SCD) of personal data; from the following, which are examples of SCD?
- Membership of a trade association.
- Subscription to a scientific journal for politics.
- An address for casting a vote at a general election.
- A bank account number.
- A clinical appointment in a hospital.
Q6. Which rights of the data subject are explicitly defined by the GDPR?
- Personal data must always be changed at the request of the data subject.
- A copy of personal data must be provided in the format requested by the data subject.
- Personal data must always be erased if a data subject so requests it.
- A data subject has the right to demand a data risk assessment from the organisation holding their data.
- Access to personal data without any cost for the data subject.
Q7. A security breach has occurred in a company information system holding personal data. What must the controller do first?
- Take a vote from the executive to see if they collectively agree to reporting the error.
- Assess whether personal data of a sensitive nature has or may have been unlawfully processed.
- Assess the likelihood of it affecting the rights and freedoms of individuals.
- Assess the risk of adverse effects to the data subjects using a privacy impact assessment (PIA).
- Report the breach immediately with the relevant data protection authority.
Q8. Some websites track visitor activity and store their information for marketing purposes. Should the website notify the visitor that their information is being used for marketing purposes?
- Only when the visitor clicks the ‘more information’ link.
Q9. According to the GDPR, what is the definition of ‘processing’ of personal data?
- Collecting personal data as a legitimate interest.
- Only operations in which the data is being shared on social media or transferred by email or otherwise through the internet.
- Any operation that can be performed on personal data, except erasing and destroying.
- Only operations in which the personal data is used for the purposes for which it was collected.
- Any operation that can be performed on personal data following collection.
Q10. Which of the below best describes the principle of data minimisation?
- The organisation must collect as little data as possible to protect the privacy and interests of the data subjects.
- Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- To keep data manageable, it must be stored in such a manner that requires a minimal amount of storage.
- The number of items that are collected per data subject may not exceed the upper limit stated by the data protection authority (DPA).
- Data must conform to ICO data quality standards.
1d: There are six: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Special category and criminal data have additional considerations.
2b: Information asset register – this should include the records of processing, data protection logs and associated information.
3c: As part of the project lifecycle assessment process, a section must include a DPIA consideration. Typically, this is a checklist question-set, the result of which would determine whether a full DPIA is necessary.
4b: A DPO should provide general advice on how to comply with the regulation.
5e: A hospital appointment is considered as special category data because it concerns the state of health of an individual. Membership of a trade union is also special category data.
6e: The first subject access request is free, though if the data subject requests an excessive amount of information, a charge can be applied.
7c: Yes – data breaches must be reported to the ICO within 72 hours if the DPO identifies a “risk to the rights and freedoms of individuals”; if there is a high risk then the affected data subjects themselves need to be notified.
8d: Always – the website has an obligation to notify the visitor that their information is being used for marketing purposes, which enables them to decide whether they wish to proceed. The visitor also has the right to object to the processing of personal data concerning them for marketing purposes. But this is an area that will be affected by the EU E-Privacy directive.
9e: True – see GDPR Article 4(2).
10b: Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Note: there are more comprehensive answers available from www.paradpo.co.uk.
Clifford Barton is the co-founder of ParaDPO.