DATE February 20, 2020 10:13 am POSTED BY CATEGORY Uncategorized

The Data Protection Quiz

Have you checked out our Data Protection Quiz?

A few people asked for clarification on a few quiz questions.

The quiz was designed to be somewhat challenging and the language therefore is designed to be “tricky”.

Question 6 – When must you conduct a data protection impact assessment?

All processing probably presents some risk to data subjects but Article 35 of the GDPR says that a DPIA is necessary where processing is likely to result in a high risk to people.  The question is designed to dispel the misconception that processing with any form of risk requires a DPIA (answer 1).  Both the ICO and EDPB guidance says that a DPIA is necessary when combining data from different sources (answer 2).  This particular answer incorporated into the quiz because we find not many people know that this is a requirement and it is a very common practice to merge or combine data from different sources.

It would be good practice to undertake a risk assessment when processing personal data differs from the original purpose (answer 3) – but this is not a use case that is explicitly called out in the GDPR unless, of course, the new purpose of processing was likely to result in a high risk to people.  We find that a lot of folks believe the GDPR contains a large number of restrictions and conditions on the processing of personal data relating to children which is simply not the case.  You may wish as a matter of policy to undertake a DPIA in such circumstances but the GPDR and official guidance is silent on the matter (answer 4).  Answer 2 is correct.

Question 7 – Which of the following types of processing can an individual NOT object to?

Well of course anyone can object to anything but the GDPR gives them legal rights of objection to certain processing which include direct marketing (answer 1) (Article 21(2)), processing based on a legitimate interest (answer 3) (Article 21(1)), including profiling (Article 21(1)) etal.  But the GDPR does not provide a right to object to processing based on consent.  The right of withdrawal of consent (answer 4) is an absolute right whereas the right to object enables the controller to balance their interests and rights against those of the data subject and ultimately in some cases to continue the processing despite the objection.  Answer 4 is correct.

Question 8 – When should a company appoint a Data Protection Officer?

In early drafts of the GDPR it stated that organisations employing over 250 people needed to appoint a DPO (answer 2) and whilst this was not contained in the final version of the law, it is surprising how many people still believe it to be one of the conditions.  Similarly processing on a large scale (answer 1) is also not one of the conditions – the GDPR states that a DPO shall be designated when the core activities of a controller or processor consist of processing on a large scale special categories of personal data or personal data relating to criminal convictions and offences (Article 37(1(c)), when the processing is carried out by a public authority (Article 37(1)(a)) or when the core activities of a controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (Article 39(1)(b)).  I guess answer 3 or 4 might be correct but that would depend on whether those monitoring activities are core activities.

The implication in answer 3 is that the monitoring is incidental to the core purposes of a controller or processor.  If the core activities of a processor or controller was to provide web monitoring services, it may well fall within the scope of requiring a DPO, but answer 4 implies that operating CCTV systems in public places on a large scale are core activities and therefore falling within the conditions set out in Article 37(1).  Answer 4 is correct.

Question 15 – Information security…

Is clearly the 6th data-protection principle which rules out answer 2.  Articles 13 and 14 make no mention of a requirement to provide information about security ruling out answer 3.  Security is not one of the lawful grounds for processing personal data set out in Article 6, so, by a process of elimination the correct answer (answer 1) is arrived at.  Information security is everyone’s responsibility requiring a culture change in most organisations.  Answer 1 is correct.

Let us know if you have any more questions regarding the quiz, we would love to hear your thoughts.