Questions
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that regulates the collection, storage, and use of personal data of EU citizens. It came into effect on May 25, 2018, and applies to all companies that collect and process personal data of EU citizens.
What is the purpose of the GDPR?
The purpose of the GDPR is to ensure that the personal data of EU citizens is protected and to give them control over how their data is used. It also sets out rules for how companies should handle, process, and protect personal data.
Who does the GDPR apply to?
The GDPR applies to all companies that collect and process the personal data of EU citizens, regardless of where they are located.
What are the key principles of the GDPR?
The key principles of the GDPR are transparency, fairness, and accountability. Companies must be clear and transparent about how they are collecting and using personal data, they must handle it fairly and securely, and they must be accountable for their actions.
What are the rights of individuals under the GDPR?
Under the GDPR, individuals have the right to access, rectify, or erase their personal data, the right to object to the processing of their data, the right to restrict the processing of their data, and the right to data portability.
What are the penalties for non-compliance with the GDPR?
Companies that fail to comply with the GDPR can be subject to fines of up to 4% of their annual global turnover or €20 million, whichever is greater.
How long do companies have to comply with the GDPR?
Companies must be fully compliant with the GDPR by May 25, 2018.
What is the role of a Data Protection Officer (DPO)?
The role of a Data Protection Officer (DPO) is to ensure that a company is in compliance with the GDPR. The DPO is responsible for monitoring compliance, educating staff, and responding to inquiries from individuals about their personal data.
What are the requirements for data security under the GDPR?
Under the GDPR, companies must implement appropriate technical and organizational measures to ensure the security of personal data. This includes measures such as encryption, access control, and regular security assessments.
How should companies handle data breaches under the GDPR?
Companies must report any data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. They must also notify the individuals affected by the breach without undue delay.
What are the requirements for obtaining consent under the GDPR?
Companies must obtain clear and informed consent from individuals before collecting, processing, or using their personal data. Consent must be freely given, specific, and informed, and must be revocable at any time.
What is the right to be forgotten?
The right to be forgotten is the right of individuals to have their personal data erased, or to have their data rectified if it is inaccurate.
What is the Privacy by Design principle?
The Privacy by Design principle is the idea that privacy should be built into products and services from the beginning. Companies should consider privacy when designing, developing, and implementing new services and features.
What is the role of the Data Protection Authority (DPA)?
The Data Protection Authority (DPA) is responsible for enforcing the GDPR. The DPA has the power to investigate companies, issue fines, and order them to take corrective action.
What is a data processor?
A data processor is a third-party entity that processes personal data on behalf of a controller. They must ensure that they are compliant with the GDPR and must adhere to any instructions given by the controller.
What is the role of a data controller?
A data controller is the entity that determines the purpose and means of processing personal data. They must ensure that their data processing activities are compliant with the GDPR and must take appropriate security measures to protect personal data.
What is the purpose of a data processing agreement?
A data processing agreement is a contract between a controller and a processor that outlines their respective roles and responsibilities in processing personal data. It must include provisions on security, data retention, and data subject rights.
What is pseudonymisation?
Pseudonymisation is the process of replacing identifying data in a dataset with unique identifiers. It can help to reduce the risk of a data breach and makes it harder to identify individuals in a dataset.
What is the purpose of a data protection impact assessment (DPIA)?
A data protection impact assessment (DPIA) is an assessment of the potential risks associated with a data processing activity. It helps companies to identify and mitigate any risks to the rights and freedoms of individuals.
What are the requirements for transferring data outside the EU?
Companies must ensure that any data transferred outside of the EU is protected in a way that is equivalent to the protection provided by the GDPR. They must also take appropriate security measures and enter into a data processing agreement with the recipient.
What is the purpose of the GDPR’s accountability principle?
The accountability principle requires companies to demonstrate that they are complying with the GDPR. Companies must be able to show that they are taking appropriate measures to protect the privacy of individuals and that they are handling their data in a secure and responsible manner.
What is the role of a supervisory authority?
Supervisory authorities are responsible for ensuring that companies comply with the GDPR. They have the power to investigate companies, issue fines, and order them to take corrective action.
What is the ePrivacy Directive?
The ePrivacy Directive is a European law that regulates the use of electronic communications services, such as email and instant messaging. It complements the GDPR and applies to any company that provides electronic communication services.
What is a data protection audit?
A data protection audit is an assessment of a company’s compliance with the GDPR. It involves a review of a company’s data processing activities, security measures, and policies and procedures.
Last updated