Legal Aspects + DPIA
Questions and Answers

What is the purpose of the Data Protection Impact Assessment?

  • To identify potential risks in data processing
  • To ensure compliance with the UK GDPR
  • To analyse the data protection risks of a project (correct)
  • To appoint a Data Protection Officer

Which legislation modifies the UK DPA 1998 for public bodies and authorities?

  • UK FOIA 2020
  • UK FOIA (correct)
  • UK IPA 2016
  • UK PECR 2003

What is the role of the Information Commissioner's Office?

  • To provide general advice on privacy and data protection (correct)
  • To issue fines for non-compliance with the UK GDPR
  • To regulate the use of web cookies
  • To enforce the EU Cookie Law

What is the purpose of the EU Cookie Law?

  • To require websites to obtain explicit consent from visitors before setting non-essential cookies (correct)

What legislation covers data protection in the UK?

  • UK GDPR + UK DPA 2018 (correct)

What is the relationship between the UK FOIA and data protection?

  • The UK FOIA has implications for the protection of personal data (correct)

What is the main goal of implementing pseudonymisation in data processing?

  • To reduce the risks of re-identification (correct)

Under which circumstances can a data controller be exempt from providing data subjects with certain rights?

  • If the controller can no longer re-identify the data subject from the data (correct)

What is the purpose of the 'Privacy by Design' principle?

  • To ensure data protection by default (correct)

What is the main difference between pseudonymisation and anonymisation?

  • Anonymisation is irreversible, while pseudonymisation is reversible by whoever holds the separately kept additional information (correct)

Why is a UK GDPR necessary?

  • Because the EU GDPR no longer applies directly in the UK after Brexit; the UK GDPR retains its provisions in domestic law (correct)

What is the purpose of data breach notifications to the authority and data subject?

  • To inform the supervisory authority, and the affected data subjects, of a personal data breach (correct)

What is the primary purpose of a Supervisory Authority?

  • To ensure compliance with data protection rules (correct)

What is the definition of personal data?

  • Any information relating to an identified or identifiable natural person (correct)

What is the role of a Data Processor?

  • To process personal data on behalf of the controller (correct)

What is the term for personal data that consists of information about a person's race, ethnicity, or health?

  • Sensitive Personal Data (the DPA 1998 term; 'special category data' under the UK GDPR) (correct)

What is the right of a data subject to request that incorrect information be rectified, blocked, erased, or destroyed?

  • Right to rectification (correct)

What is the purpose of a Subject Access Request (SAR)?

  • To request access to personal data collected about oneself (correct)

What is the term for the person or organization that determines the purposes and means of personal data processing?

  • Data Controller (correct)

What is a condition for processing personal data?

  • The data must be processed fairly and lawfully (correct)

What is the term for the processing of personal data that is necessary to protect the vital interests of the data subject?

  • Vital interest (correct)

What is the time period within which organizations must respond to a Subject Access Request (SAR)?

  • One month (extendable by up to two further months for complex or numerous requests) (correct)

    Match the following data protection principles with their descriptions:

  • Data protection by design and by default = An application of the Privacy by Design (PbD) principles, which include privacy by default
  • Pseudonymisation = Processing of personal data … that the data can no longer be attributed to a specific data subject without the use of additional information
  • Data breach notifications = Notifications to the authority and the data subject
  • Privacy by Design = A data protection mechanism that ensures privacy is considered throughout the entire processing lifecycle

    Match the following data privacy rights with their exemptions:

  • Right to access = Data controllers are exempt if the data cannot be re-identified any more
  • Right to rectification = Data controllers are exempt if the data cannot be re-identified any more
  • Right to erasure = Data controllers are exempt if the data cannot be re-identified any more
  • Right to data portability = Data controllers are exempt if the data cannot be re-identified any more

    Match the following GDPR compliance requirements with their purposes:

  • Data protection by design and by default = To ensure privacy is considered throughout the entire processing lifecycle
  • Pseudonymisation = To reduce the risks of re-identification
  • Data breach notifications = To inform the authority and the data subject of a breach
  • UK GDPR = To adapt the EU GDPR to the UK context after Brexit

    Match the following data breach responses with their recipients:

  • Data breach notifications = Authority and data subject
  • Data breach reports = Data protection authority
  • Data breach alerts = Data subjects
  • Data breach disclosures = Public

    Match the following data processing concepts with their descriptions:

  • Pseudonymisation = Processing of personal data that can be re-identified with additional information
  • Anonymisation = Processing of personal data that cannot be re-identified
  • Data protection by design = An application of the Privacy by Design (PbD) principles
  • Data minimisation = Processing of personal data that is limited to what is necessary
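The reversible/irreversible distinction drawn in the pseudonymisation and anonymisation questions above is easiest to see in code. The following is an added example written for this page; it is not part of the original quiz, the UK GDPR text, or any ICO guidance. The record fields, the choice of HMAC-SHA256 for tokenisation, and the generalisation rules (outward postcode, ten-year age bands) are illustrative assumptions. It also shows the caveat a practitioner needs: an unkeyed hash of a guessable identifier such as an e-mail address is not anonymisation, because a dictionary attack reverses it.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records; these are not real people or real data.
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "age": 34, "diagnosis": "asthma"},
    {"email": "bob@example.com", "postcode": "M1 1AE", "age": 71, "diagnosis": "diabetes"},
    {"email": "carol@example.com", "postcode": "SW1A 2BB", "age": 29, "diagnosis": "asthma"},
]


class Pseudonymiser:
    """Keyed pseudonymisation: replace a direct identifier with an HMAC-SHA256 token.

    The HMAC key and the token -> identifier table are the 'additional
    information' that makes the data attributable again. Keep them apart
    from the pseudonymised dataset (separate store, separate access control);
    if they leak alongside it, the dataset is effectively raw personal data.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: dict = {}

    def token(self, identifier: str) -> str:
        t = hmac.new(self.key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[t] = identifier
        return t

    def re_identify(self, token: str) -> Optional[str]:
        # Only the holder of the lookup table (or the key plus candidate
        # identifiers) can reverse a token; everyone else sees an opaque string.
        return self._lookup.get(token)


def pseudonymise(records: list, p: Pseudonymiser) -> list:
    """Swap the email column for a token; every other field is kept as-is."""
    out = []
    for r in records:
        r2 = dict(r)
        r2["subject"] = p.token(r2.pop("email"))
        out.append(r2)
    return out


def anonymise(records: list) -> list:
    """Irreversible: drop the direct identifier and generalise the quasi-identifiers.

    Postcode is cut to its outward code and age is bucketed into ten-year
    bands, so no key or table exists that could restore the original record.
    (Whether the result is truly anonymous still depends on how many people
    share each combination; that check is outside this example.)
    """
    out = []
    for r in records:
        band = (r["age"] // 10) * 10
        out.append({
            "postcode_area": r["postcode"].split()[0],
            "age_band": f"{band}-{band + 9}",
            "diagnosis": r["diagnosis"],
        })
    return out


def unkeyed_hash(identifier: str) -> str:
    """The common mistake: an unkeyed hash of a guessable identifier."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()[:16]


def dictionary_attack(token: str, candidates: list) -> Optional[str]:
    """Re-identify an unkeyed hash by hashing guessed inputs until one matches.

    E-mail addresses and names are guessable, so sha256(email) is at best
    pseudonymous, never anonymous. The same search fails against an HMAC
    token because the attacker does not hold the key.
    """
    for c in candidates:
        if unkeyed_hash(c) == token:
            return c
    return None


if __name__ == "__main__":
    p = Pseudonymiser()
    ps = pseudonymise(RECORDS, p)
    print("pseudonymised:", ps[0])
    print("re-identified:", p.re_identify(ps[0]["subject"]))
    print("anonymised:", anonymise(RECORDS)[0])
    guessed = dictionary_attack(unkeyed_hash("alice@example.com"), [r["email"] for r in RECORDS])
    print("unkeyed hash re-identified as:", guessed)
```

The point of the split between `Pseudonymiser` and the dataset it produces is the Article 11 exemption quoted in the quiz: a controller that hands the pseudonymised table to a processor without the key or lookup table has given that processor data it cannot re-identify, while the controller itself still can and so still owes the data subject the full set of rights.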

    Match the following GDPR provisions with their purposes:

  • Article 25 = To ensure data protection by design and by default
  • Article 33 = To notify data breaches to the authority
  • Article 34 = To notify data breaches to the data subject
  • UK GDPR = To adapt the EU GDPR to the UK context after Brexit

    Match the following data protection principles with their descriptions:

  • Fairly and lawfully = Processed fairly and lawfully, and only for specified and lawful purposes ('purpose limitation')
  • Adequate, relevant and not excessive = Limited to what is necessary ('data minimisation')
  • Accurate (and up to date where necessary) = Kept accurate and, where necessary, up to date; not kept for longer than is necessary in an identifiable form ('storage limitation')
  • Integrity and confidentiality (security) = Measures against unauthorised / unlawful processing and against accidental data loss / destruction / damage

    Match the following data privacy rights with their descriptions:

  • The right to be informed = The right to know how their data will be used
  • The right to rectification = The right to request that incorrect information be rectified, blocked, erased, or destroyed
  • The right to erasure = The right to be forgotten
  • The right to restrict processing = The right to limit how their data is used

    Match the following GDPR compliance requirements with their descriptions:

  • Consent = Freely given, specific, informed and unambiguous (explicit for special category data)
  • Contract = Necessary for the performance of a contract
  • Legal obligation = Required by law or regulation
  • Legitimate interests = Necessary for the purposes of the legitimate interests pursued by the controller

    Match the following data breach responses with their consequences:

  • Penalty max £500k = Offences processing without registration notification
  • The higher maximum: max(€20m or £17.5m, 4% of global annual revenue) = Failure to comply with any data protection principles, any rights an individual may have, or in relation to any transfers of data to third countries
  • The standard maximum: max(€10m or £8.7m, 2% of global annual revenue) = Any other infringements such as administrative failures
  • Prosecution and penalties = Offences processing without registration notification

    Match the following data protection terms with their definitions:

  • Personal data = Information about a living individual
  • Data controller = The person or organization that determines the purposes and means of personal data processing
  • Data processor = The person or organization that processes personal data on behalf of the controller
  • Vital interests = The processing of personal data that is necessary to protect the vital interests of the data subject

    Match the following data protection principles with their descriptions:

  • Data minimisation = Limited to what is necessary
  • Storage limitation = Not kept for longer than is necessary in an identifiable form
  • Integrity and confidentiality (security) = Measures against unauthorised / unlawful processing and against accidental data loss / destruction / damage
  • Accountability = The controller must be able to demonstrate compliance with the data protection principles

    Match the following terms with their definitions in the context of data protection:

  • Data Subject = A living individual who can be identified from personal data
  • Data Controller = A natural or legal person who determines the purposes and means of processing personal data
  • Data Processor = A natural or legal person who processes personal data on behalf of the controller
  • Sensitive Personal Data = Personal data consisting of information about a person's race, ethnicity, or health

    Match the following data protection principles with their descriptions:

  • Transparency = Processing personal data in a way that is open and honest
  • Legitimate Purpose = Having a lawful reason for processing personal data
  • Proportionality = Only processing personal data that is necessary for a specific purpose
  • Supervisory Authority = An independent authority that controls compliance with data protection rules

    Match the following data protection rights with their descriptions:

  • Right of Access = The right to obtain a copy of personal data held by a data controller
  • Right to Rectification = The right to correct inaccurate or incomplete personal data
  • Right to Erasure = The right to request that personal data be deleted or removed
  • Right to Object = The right to object to the processing of personal data for direct marketing

    Match the following data breach responses with their descriptions:

  • Notification to Authority = Notifying the supervisory authority of a data breach
  • Notification to Data Subject = Notifying the individual whose personal data has been breached
  • Data Breach Assessment = Assessing the risk of a data breach to determine the response
  • Data Breach Containment = Taking steps to contain and mitigate the effects of a data breach

    Match the following data protection terms with their descriptions:

  • Personal Data = Any information relating to an identified or identifiable natural person
  • Processing = Any operation performed on personal data, such as collection or storage
  • Data Protection Officer = A person responsible for ensuring an organization's compliance with data protection rules
  • Anonymisation = Removing identifiable information from personal data

    Match the following GDPR compliance requirements with their descriptions:

  • Data Protection by Design = Implementing data protection measures from the start of a project
  • Data Protection by Default = Making data protection the default setting for processing personal data
  • Privacy by Design = Incorporating privacy considerations into the design of products and services
  • Adequacy Decision = A decision that a third country has an adequate level of data protection

    Match the following data privacy rights with their descriptions:

  • Right to Rectify = The right to correct inaccurate or incomplete personal data
  • Right to Erase = The right to request that personal data be deleted or removed
  • Right to Restrict = The right to restrict the processing of personal data under certain circumstances
  • Right to Object = The right to object to the processing of personal data for direct marketing

    Match the following data protection principles with their descriptions:

  • Fairness = Processing personal data in a way that is transparent and honest
  • Lawfulness = Processing personal data only for specified and lawful purposes
  • Transparency = Providing clear and transparent information about personal data processing
  • Security = Implementing appropriate measures to ensure the security of personal data

    Match the following data protection terms with their descriptions:

  • Data Minimisation = Collecting and processing only the personal data necessary for a specific purpose
  • Purpose Limitation = Processing personal data only for specified and lawful purposes
  • Storage Limitation = Not keeping personal data for longer than necessary
  • Data Accuracy = Ensuring that personal data is accurate and up-to-date

    Match the following data protection authorities with their descriptions:

  • Information Commissioner's Office (ICO) = The UK's independent data protection authority
  • European Data Protection Board (EDPB) = The independent EU body, made up of the national supervisory authorities, that ensures consistent application of the GDPR
  • Data Protection Authority (DPA) = A national authority responsible for enforcing data protection rules
  • Supervisory Authority = An independent authority that controls compliance with data protection rules
