GDPR Compliance and Principles Quiz

Questions and Answers

What is the primary purpose of the GDPR?

• To promote data collection methods
• To enhance data privacy and security (correct)
• To facilitate data sharing between companies
• To ease regulatory burdens on organizations

In which year did the GDPR come into effect?

• 2019
• 2017
• 2018 (correct)
• 2016

Which organizations must comply with the GDPR?

• All organizations targeting or collecting data from EU citizens (correct)
• Only government agencies within Europe
• Only large multinational corporations
• Only those located in the EU

What can be a consequence for organizations violating GDPR standards?

Fines amounting to millions of euros (C)

Why might GDPR compliance be especially challenging for SMEs?

They lack the financial and legal resources for compliance (D)

How is the GDPR characterized in terms of its legal structure?

Largely ambiguous and broad (D)

What does the GDPR underscore regarding data privacy at this time?

A strengthening commitment to data ethics (A)

What resource is offered to help SMEs with GDPR compliance?

Guidance on privacy tools and risk mitigation (D)

What is a data subject in the context of data processing?

The individual whose data is processed. (A)

Which of the following best describes the role of a data controller?

Decides why and how personal data will be processed. (B)

What does the principle of data minimization state?

Only necessary data should be collected and processed. (C)

Under GDPR, what is the primary focus of the accountability principle?

Demonstrating compliance with all data protection principles. (D)

Which principle emphasizes the need for transparency in data processing?

Lawfulness, fairness, and transparency. (C)

What should be done about personal data that is no longer needed for its specified purpose, according to GDPR principles?

It should be erased. (C)

Which of the following describes the role of a data processor?

A third party that processes personal data for a data controller. (D)

Which principle requires that personal data must be accurate and kept up to date?

Accuracy. (B)

What must data controllers be able to demonstrate according to the GDPR?

They are GDPR compliant. (B)

Which of the following is NOT a recommended method for demonstrating GDPR compliance?

Using data for any purpose deemed necessary. (A)

What does the term 'technical measures' include in the context of data security?

Two-factor authentication for accounts with personal data. (D)

How long do organizations have to notify data subjects in the event of a data breach?

72 hours (C)

What does 'data protection by design and by default' require organizations to do?

Only collect data that is absolutely necessary. (D)

Which option best describes what organizations need to implement for data security?

A combination of appropriate technical and organizational measures. (C)

Which action does NOT constitute a part of accountability as required by GDPR?

Ignoring the need for documentation and reporting. (A)

What is a common consequence if an organization fails to report a data breach within the required timeframe?

The organization may face penalties. (C)

What is one condition under which it is legal to process personal data?

The subject gave specific, unambiguous consent. (D)

Which of the following is an example of processing necessary for contractual purposes?

Conducting a background check for potential tenants. (B)

What must you do if you change the lawful basis for processing personal data?

Document the reason and notify the data subject. (A)

In which situation is it legal to process personal data for a public interest task?

When collecting data for a public health initiative. (B)

What kind of consent is required from a data subject to process their information?

Specific and unambiguous consent. (C)

Which of the following describes a legitimate interest in data processing?

Performing tasks that positively impact users. (B)

What is NOT a lawful basis for processing personal data?

Processing data for marketing purposes. (B)

When is it necessary to document the lawful basis for data processing?

Whenever processing personal data occurs. (B)

What are the requirements for consent under GDPR?

Freely given, specific, informed, and unambiguous. (C)

Which of the following is NOT a condition that requires appointing a Data Protection Officer?

You regularly monitor people on a small scale. (A)

What must requests for consent be like according to the regulations?

Clearly distinguishable from other matters and in clear language. (B)

Under GDPR, who can give consent for data processing when it involves children under 13?

The parent or guardian. (A)

Who is responsible for understanding GDPR and ensuring compliance within an organization?

The Data Protection Officer. (A)

Which of the following is NOT one of the tasks of a Data Protection Officer?

Managing the organization's financial budget. (B)

How should data subjects' privacy rights be regarded by organizations?

As legally binding requirements. (C)

What must an organization do with documentary evidence of consent?

Keep it for potential audits or reviews. (D)