Module 10 - Accountability

Question 1

What is the difference between data-protection-by-design and data-protection-by-default?

Answer 1

BY DESIGN:
- Data protection built into product lifecycle.
- Safeguards include data minimisation and pseudonymisation.
- Risks are assessed and mitigated.

BY DEFAULT:
- Maximum data protective settings are applied as a default.
- User opt-in to settings implying greater risk.
- Limited accessibility to personal data.

Question 2

What does article 25, GDPR require in terms of development of technical and organisational measures?

Answer 2

Such measures must be developed and implemented both at the time of determination of the mean processing and on a continuing basis, through the processing lifecycle.

Question 3

What do articles 35-36, GDPR prescribe in terms of Data Processing Impact Assessments?

Answer 3

• CONTROLLERS must perform DPIAs (though processors should support these under article 28, GDPR).
• DPIAs help incorporate data protection considerations into organisational planning, supporting demonstration of compliance to DPAs.
• A DPIA is required if (article 35) there is high risk to DS rights and freedoms:
  1. Systemic, extensive evaluation of personal aspects based upon profiling.
  2. Large-scale processing of special category personal data.
  3. Monitoring public areas systemically and on a large scale.
  DPAs may define other areas of high risk processing.
• A DPIA should provide a description of processing, assessment of necessity, proportionality and risks to DS rights and freedoms, and risk control measures.
• Prior consultation with a DPA is required, if the DPIA indicates a high DS risk - DPA can advise controller or block processing, if processing deemed high risk or inadequately mitigated (article 36).

Question 4

When does article 24(2), GDPR require a data processing policy?

Answer 4

• Insofar as proportionate in relation to processing activities.
• Policy usage amongst other measures, as part of a larger data protection programme.
• No GDPR-prescribed contents.

Question 5

When is a record of processing activities (ROPA) required under article 30, GDPR?

Answer 5

A controller or processor requires a ROPA if they:
- Have 250 or more employees;
- Are processing personal data in a way that poses risk to DS rights and freedoms;
- Process personal data on a non-occasional basis; or
- Are processing special category data or personal data comprising criminal convictions.

Question 6

What is a controller required to document within a ROPA under article 30, GDPR?

Answer 6

• Purpose of processing.
• Name/contact details of controller, representatives and DPO.
• Data subject categories.
• Personal data categories.
• Recipients.
• International data transfers and appropriate safeguards.
• Time limits for erasure.
• Technical and organisational safety measures

Question 7

When is a processor required to document within a ROPA under article 30, GDPR?

Answer 7

• Name and contact details of processor, controller, representatives and DPO.
• Processing categories.
• International data transfers and appropriate safeguards.
• Technical and organisational security measures.

Question 8

What are the key characteristics of a data protection officer under article 37, GDPR?

Answer 8

• Must be a staff member of contractor appointed by controller or processor.
• Must be an expert in data protection law and services.
• Ensures compliance and evidence of compliance with data protection laws.

Question 9

When is a data protection officer legally required?

Answer 9

• Core activities of the controller or processor include processing activities (i) requiring REGULAR and SYSTEMATIC MONITORING of DS on a LARGE SCALE or (ii) processing SPECIAL CATEGORY DATA or CRIMINAL CONVICTION DATA on a LARGE SCALE.
• PUBLIC AUTHORITY PROCESSING (except courts acting in a judicial capacity).

Question 10

What are the main responsibilities of a data protection officer under articles 38-39, GDPR?

Answer 10

• Monitor compliance with GDPR and EU / MS data protection laws.
• Collect and identify processing activities, and analyse and check compliance of such activities.
• Manage internal data protection activities.
• Train staff.
• Perform internal audits.
• Provide advice in relation to DPIAs.
• Issue recommendations to the controller or processor (as applicable).
• Manage risk.
• Cooperate/communication with DS and DPAs.
• Exercise professional secrecy.

Question 11

When is an EU representative required under article 27, GDPR?

Answer 11

Insofar as activities are being undertaken outwith the EU but with targeting of EU DS and not occassional processing.