Date: January 28, 2019 9:19 am | Category: DPO

International Data Privacy Day Quiz!

Data Protection Chocolates…

The 28th January is International Privacy Day and therefore a great opportunity to do some internal awareness raising about data protection.  In the past the Outsourced DPO has had balloons printed to create balloon arches welcoming colleagues to work, he’s printed posters, run quizzes and competitions, and even resorted to dressing up as a pantomime horse!  Anything to create talking points and raise awareness of the business of data protection.

This year Data Protection People are celebrating by distributing Thorntons’ chocolates with an “International Data Privacy Day 2019” message emblazoned across the box. Of course there are lots of other dates in the calendar which can be piggy-backed for data protection training purposes, for example:

2 February      Groundhog Day – hmm, been here before I think…

14 February     Valentine’s Day – don’t we all just love data protection?

21 February     Global Information Governance Day – time to check out those policies

2 March         Employee Appreciation Day – thanks for all your data protection help team!

21 March        World Poetry Day – I am sure you can think up a little ditty or Limerick

7 April         World Health Day – focus on data relating to health

22 April        Administrative Professionals’ Day – really…?!

Source (https://en.wikipedia.org/wiki/List_of_minor_secular_observances)

Awareness Campaigns

In undertaking data protection compliance audits, recently the Outsourced DPO has seen lots of excellent examples of poster campaigns, mouse mats, coasters, screen savers and even mugs designed to raise awareness. One of my favourites was at Beyond Housing in Redcar, whose creative geniuses came up with the phrase, “Bum off seat, CTRL ALT DELETE” and created badges, stickers, posters and desktop wallpaper to drive the message home, and I have to say that not one unattended logged-in computer was found in 2 days of auditing there.

All we need to do as data protection professionals is pick a few dates and think up a suitable message and ways of linking it to the theme for the day.  And while my cheesy March Limerick may not be nominated for any literary awards, provided it gets people talking about data protection, it’s mission accomplished as far as I am concerned.

There was a young woman called Mo,

Who was her company’s DPO.

She received a DSAR,

The most complex by far,

Which filled the rest of her month with woe!

So if you fancy a free box of chocolates and we have any stocks left, please drop me an email and we’ll help you to celebrate international data protection day!

Test your knowledge of the GDPR with our Data Protection Quiz! (Some questions have multiple answers!)

1. What is the fee that data controllers can charge when an individual makes a Data Subject Access Request?

a) Nothing
b) £10
c) £50

2. When should a personal data breach be reported to the Supervisory Authority? (the ICO in the UK)

a) When you have time to do so
b) Within 72 hours of discovering the breach
c) Only when you have ALL the information about the breach and the investigation

3. In which scenarios should you conduct a Data Protection Impact Assessment (DPIA)?

a) matching data or combining datasets from different sources
b) profiling individuals on a large scale
c) processing someone’s name and address
d) where we will be processing their data in a way that may be perceived as intrusive
e) tracking individuals’ location or behaviour

4. In which of the following cases can an individual object to the processing of their personal data?

a) Direct marketing
b) Profiling
c) Processing for the fulfilment of contract

5. Mike will be acquiring a new HR system and is currently negotiating the capabilities and functionalities of the system with a processor. What should Mike do prior to onboarding the processor?

a) He should conduct the appropriate due diligence to ensure that the processor can demonstrate that they have the appropriate security controls
b) He doesn’t need to do anything as he has worked with them before
c) He should ensure that the contract with the processor contains comprehensive data protection clauses

6. Which of these statements about personal data breaches are true?

a) The 72-hour breach reporting time starts from when the DPO is notified
b) If you send an Excel file containing a list of your clients’ names, addresses and DOB to the wrong person/organisation, this is considered to be a personal data breach
c) Where the risks or consequences of a data breach will have an adverse impact on those affected by a breach, we must inform them within the 72-hour time frame

7. What is the name given by the GDPR for the deletion of all personal data?

a) The right to objection
b) The right to withdraw consent
c) The right to access
d) The right to be forgotten

8. Who has the overall accountability for compliance with the GDPR?

a) The data controller
b) The Supervisory Authority (ICO)
c) The data processor
d) The data subject

9. It’s the end of January and you’ve sacked off the new year diet. You decide to quit your gym membership and join a diner’s club. Must the original gym:

a) If you request it, give you an electronic copy of any personal data you shared with it in a form that can be entered into the diner’s club system
b) If requested, give you any data it holds on you, but in a proprietary file format that can only be used by its own systems in case you re-join later
c) Delete any data it holds on you but is under no obligation to give you a copy
d) Provide a single printed copy of the processed personal data it held on you within 28 days of receiving a request but no more

10. Race, political views and religion/ethnicity. What type of personal data is this?

a) Personal Data
b) Special Category Data

See answers here!

Phil Brining