Privacy & Data Protection Essentials Courseware - English - Ruben Zeegers - E-Book

Privacy & Data Protection Essentials Courseware - English E-Book

Ruben Zeegers


Description

Besides the Privacy & Data Protection Essentials Courseware - English (ISBN: 978 940 180 457 8) publication you are advised to obtain the publication EU GDPR, A pocket guide (ISBN: 978 178 778 064 4).

Privacy & Data Protection Essentials (PDPE) covers essential subjects related to the protection of personal data. Candidates benefit from a certification that is designed to impart all the required knowledge to help ensure compliance with the General Data Protection Regulation (GDPR). This regulation affects every organization that processes European Union personal data. Wherever personal data is collected, stored, used, and finally deleted or destroyed, privacy concerns arise. With the European Union GDPR the Council of the European Union attempts to strengthen and unify data protection for all individuals within the European Union. Within the European Union, regulations and standards regarding the protection of data are stringent. The GDPR came into effect in May 2016 and organizations had until May 2018 to change their policies and processes to ensure that they fully comply with the GDPR. Companies outside Europe also need to comply with the GDPR when doing business in Europe.

One of the ways to comply with the GDPR is to train and qualify staff. Certified professionals with the right level of knowledge will help your organization to comply with the GDPR. The EXIN Privacy & Data Protection program covers the required knowledge of legislation and regulations relating to data protection and how this knowledge should be used to be compliant. The EXIN Privacy & Data Protection Essentials is part of the EXIN qualification program Privacy and Data Protection.


Page count: 144

Year of publication: 2019




Privacy & Data Protection Essentials Courseware – English

Colophon

Title: Privacy & Data Protection Essentials Courseware – English

Authors: Ing. Ruben Zeegers CISSP RSE; Ing. Theo Wanders

Publisher: Van Haren Publishing, ’s-Hertogenbosch

ISBN Hard Copy: 978 940 180 457 8

Edition: First edition, first print April 15 2019

Design: Van Haren Publishing, ’s-Hertogenbosch

Copyright: © Van Haren Publishing 2019

For further information about Van Haren Publishing please e-mail us at: [email protected] or visit our website: www.vanharen.net

All rights reserved. No part of this publication may be reproduced in any form by print, photo print, microfilm or any other means without written permission by the publisher.

Although this publication has been composed with much care, neither author, nor editor, nor publisher can accept any liability for damage caused by possible errors and/or incompleteness in this publication.

The certificate EXIN Privacy and Data Protection Essentials (PDPE) is part of the EXIN qualification program Privacy and Data Protection.

About the Courseware

The Courseware was created by experts from the industry who served as the author(s) for this publication. The input for the material was based on existing publications and the experience and expertise of the author(s). The material has been revised by trainers who also have experience working with the material. Close attention was also paid to the key learning points, so that it is clear what needs to be mastered.

The objective of the courseware is to provide maximum support to the trainer and to the student during his or her training. The material has a modular structure and, according to the author(s), gives the highest success rate should the student opt for examination. For this reason, the Courseware has also been accredited, wherever applicable.

In order to satisfy the requirements for accreditation the material must meet certain quality standards. The structure, the use of certain terms, diagrams and references are all part of this accreditation. Additionally, the material must be made available to each student in order to obtain full accreditation. To optimally support the trainer and the participant of the training assignments, practice exams and results have been provided with the material.

Direct reference to advised literature is also regularly covered in the sheets so that students can easily find additional information concerning a particular topic. The decision to separate note pages (handouts) from the Courseware was to encourage students to take notes throughout the material.

Although the courseware is complete, the trainer may deviate from the structure of the sheets or choose not to refer to all the sheets or commands. The student always has the possibility to cover these topics and go through them in their own time. It is strongly recommended to follow the structure of the courseware and publications for maximum exam preparation.

The courseware and the recommended literature are the perfect combination to learn and understand the theory.

- Van Haren Publishing

Other publications by Van Haren Publishing

Van Haren Publishing (VHP) specializes in titles on Best Practices, methods and standards within four domains:

- IT and IT Management

- Architecture (Enterprise and IT)

- Business Management and

- Project Management

Van Haren Publishing is also publishing on behalf of leading organizations and companies: ASLBiSL Foundation, BRMI, CA, Centre Henri Tudor, Gaming Works, IACCM, IAOP, IFDC, Innovation Value Institute, IPMA-NL, ITSqc, NAF, KNVI, PMI-NL, PON, The Open Group, The SOX Institute.

Topics are (per domain):

IT and IT Management: ABC of ICT, ASL®, CATS CM®, CMMI®, COBIT®, e-CF, ISO/IEC 20000, ISO/IEC 27001/27002, ISPL, IT4IT®, IT-CMF™, IT Service CMM, ITIL®, MOF, MSF, SABSA, SAF, SIAM™, TRIM, VeriSM™

Enterprise Architecture: ArchiMate®, GEA®, Novius Architectuur Methode, TOGAF®

Business Management: BABOK® Guide, BiSL® and BiSL® Next, BRMBOK™, BTF, EFQM, eSCM, IACCM, ISA-95, ISO 9000/9001, OPBOK, SixSigma, SOX, SqEME®

Project Management: A4-Projectmanagement, DSDM/Atern, ICB / NCB, ISO 21500, MINCE®, M_o_R®, MSP®, P3O®, PMBOK® Guide, Praxis®, PRINCE2®

For the latest information on VHP publications, visit our website: www.vanharen.net.

Table of contents

Reflection
Agenda
Course
About this Courseware
PDPE exam specifications
Module 1: Privacy & data protection fundamentals & regulation
  1.1 Concepts in a digital world
  1.2 Personal data
  1.3 Legitimate grounds and purpose limitation
  1.4 Further requirements for legitimate processing of personal data
  1.5 Rights of data subjects
  1.6 Data breach and related procedures
Module 2: Organizing data protection
  2.1 The importance of data protection for the organization
  2.2 Supervisory authority
  2.4 Binding Corporate rules and data protection in contracts
Module 3: Practice of data protection
  3.1 Data protection by design and by default related to information security
  3.2 Data protection impact assessment (DPIA)
  3.3 Practice related applications of the use of data, marketing and social media
Practice questions
  Questions Module 1
  Questions Module 2
  Questions Module 3
Assignment answers
  Answer Module 1
  Answer Module 2
  Answer Module 3
EXIN Preparation Guide
EXIN Sample Exam
  Questions
  Rationale
  Answers
White paper Privacy and Data Protection Foundation

Self-Reflection of understanding Diagram

‘What you do not measure, you cannot control.’ – Tom Peters

Fill in this diagram to self-evaluate your understanding of the material. This is an evaluation of how well you know the material and how well you understand it. In order to pass the exam successfully you should be aiming to reach the higher end of Level 3. If you really want to become a pro, then you should be aiming for Level 4. Your overall level of understanding will naturally follow the learning curve. So, it’s important to keep track of where you are at each point of the training and address any areas of difficulty.

Based on where you are within the Self-Reflection of Understanding diagram you can evaluate the progress of your own training.

Write down the problem areas that you are still having difficulty with so that you can consolidate them yourself, or with your trainer. After you have had a look at these, then you should evaluate to see if you now have a better understanding of where you actually are on the learning curve.

Troubleshooting

Timetable

Day 1

09:00 – 09:30  Introduction, About this course

09:30 – 12:00  Module 1: Privacy & data protection fundamentals & regulation

12:30 – 12:30  Lunch

12:30 – 14:00  Module 2: Organizing data protection

14:00 – 15:00  Module 3: Practice of data protection

15:00 – 15:30  Practice questions & Evaluate

15:30 – 16:30  Sample Exam questions and review

1. Overview

EXIN Privacy & Data Protection Essentials (PDPE.EN)

Scope

EXIN Privacy and Data Protection Essentials (PDPE) is a certification that validates a professional’s knowledge about organizing the protection of personal data and about the EU rules and regulations regarding data protection.

Summary

Wherever personal data is collected, stored, used, and finally deleted or destroyed, privacy concerns arise. With the EU General Data Protection Regulation (GDPR) the Council of the European Union attempts to strengthen and unify data protection for all individuals within the European Union (EU). This regulation affects every organization that processes EU personal data. PDPF covers the main subjects related to the GDPR.

Context

The EXIN Privacy & Data Protection Essentials (PDPE) is part of the EXIN qualification program Privacy and Data Protection. The Essentials exam is a subset of the Foundation exam. It cannot be used to gain access to the Practitioner exam, but is meant for those that need a basic understanding of the GDPR.

Target group

Everyone that wants or needs to have a basic understanding of data protection and European legal requirements as defined in the GDPR. The Essentials exam is exceptionally suitable for everyone that needs to make informed decisions regarding the privacy and data protection of their own data.

Requirements for certification

• Successful completion of the EXIN Privacy & Data Protection Essentials exam.

Examination details

Examination type: Multiple-choice questions

Number of questions: 20 questions

Pass mark: 65%

Open book/notes: No

Electronic equipment/aids permitted: No

Time allotted for examination: 30 minutes

The Rules and Regulations for EXIN’s examinations apply to this exam.

Bloom level

The EXIN Privacy & Data Protection Essentials certification tests candidates at Bloom Level 1 and Level 2 according to Bloom’s Revised Taxonomy:

• Bloom Level 1: Remembering – relies on recall of information. Candidates will need to absorb, remember, recognize and recall. This is the building block of learning before candidates can move on to higher levels.

Training

Contact hours

The recommended number of contact hours for this training course is 7. This includes group assignments, exam preparation and short breaks. This number of hours does not include homework, the exam session and lunch breaks.

Indication study effort

20 hours, depending on existing knowledge.

Training organization

You can find a list of our accredited training organizations at www.exin.com.

2. Exam requirements

The exam requirements are specified in the exam specifications. The following table lists the topics of the module (exam requirements) and the subtopics (exam specifications).

Exam requirement / Exam specification / Weight

1. Privacy and data protection fundamentals & regulation: 50%
  1.1 Definitions: 10%
  1.2 Personal data: 15%
  1.3 Legitimate grounds and purpose limitation: 10%
  1.4 Further requirements for legitimate processing of personal data: 5%
  1.5 Rights of data subjects: 5%
  1.6 Data breach and related procedures: 5%
2. Organizing data protection: 25%
  2.1 Importance of data protection for the organization: 10%
  2.2 Supervisory authority [1]: 5%
  2.3 Personal data transfer to third countries [2]: --
  2.4 Binding Corporate rules and data protection in contracts: 10%
3. Practice of data protection: 25%
  3.1 Data protection by design and by default related to information security: 5%
  3.2 Data protection impact assessment (DPIA): 5%
  3.3 Practice related applications of the use of data, marketing and social media: 15%
Total: 100%

Exam specifications

1. Privacy and Data Protection Fundamentals & Regulation

1.1 Definitions

The candidate can …

1.1.1 give valid definitions of privacy.

1.1.2 relate privacy, specifically with regard to personal data, to the concept of data protection.

1.2 Personal Data

The candidate can …

1.2.1 give a definition of personal data according to the GDPR.

1.2.3 describe the data subject’s rights regarding personal data.

1.2.5 list the roles, responsibilities and stakeholders.

1.3 Legitimate Grounds and Purpose Limitation

The candidate can …

1.3.1 list the six legitimate grounds for processing.

1.3.2 describe the concept of purpose limitation.

1.3.3 describe proportionality and subsidiarity.

1.4 Further Requirements for Legitimate Processing of Personal Data

The candidate can …

1.4.1 describe the requirements for data processing.

1.4.2 describe the purpose of personal data processing.

1.5 Rights of Data Subjects

The candidate can …

1.5.2 show awareness of the right to be forgotten.

1.6 Data Breach and Related Procedures

The candidate can …

1.6.1 describe the concept of data breach.

2. Organizing Data Protection

2.1 Importance of Data Protection for the Organization

The candidate can …

2.1.2 indicate what activities are required to comply with the GDPR.

2.1.3 give a definition of data protection by design and by default.

2.1.5 describe the data breach notification obligation as laid down in the GDPR.

2.2 Supervisory Authority

The candidate can …

2.2.1 describe the general responsibilities of a supervisory authority.

2.4 Binding Corporate Rules and Data Protection in Contracts

The candidate can …

2.4.1 describe the concept of binding corporate rules (BCR).

2.4.2 describe how data protection is formalized in written contracts between the controller and the processor.

3. Practice of Data Protection

3.1 Data Protection by Design and Data Protection by Default

The candidate can …

3.1.1 describe the benefits of the application of the principles of Data protection by design and by default.

3.2 Data Protection Impact Assessment (DPIA)

The candidate can …

3.2.1 outline what a DPIA comprises and when to apply a DPIA.

3.3 Practice Related Applications of the Use of Data, Marketing and Social Media

The candidate can …

3.3.1 describe the purpose of Data Life Cycle (DLC) management.

3.3.3 describe what a cookie is and what its purpose is.

3.3.4 describe, from a data protection perspective, how the widespread use of the internet has affected the field of marketing.

3. List of Basic Concepts

This chapter contains the terms and abbreviations with which candidates should be familiar.

Please note that knowledge of these terms alone does not suffice for the exam; the candidate must understand the concepts and be able to provide examples.

4. Literature

Exam literature

The knowledge required for the EXIN Privacy & Data Protection Essentials exam is covered in the following literature:

A. A. Calder, EU GDPR, A pocket guide. IT Governance Publishing. ISBN 978-1-84928-855-2 (or ISBN 978-1-84928-857-6 for e-book)

B. L. Besemer, White Paper – EXIN Privacy and Data Protection Foundation. Free download on www.exin.com

C. European Commission, General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, Regulation of the European Parliament and the Council of the European Union. Brussels, 6 April 2016, available at: http://eur-lex.europa.eu
   PDF: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN
   HTML: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN

Comment

The exam requirements are based on the exam literature. Literature C is not primary exam literature, because the other exam literature provides sufficient content about the GDPR. Candidates should be familiar with literature C to the extent of the references made in the other literature.

Literature matrix

_____________

[1] Before the GDPR was introduced, the data protection authority was the national authority in charge of the enforcement of regulation on data protection. In the GDPR it is now called the supervisory authority.

[2] Exam specification 2.3 is only tested in the EXIN Privacy and Data Protection Foundation exam.

Introduction

This is the sample exam EXIN Privacy & Data Protection Essentials (PDPE.EN). The Rules and Regulations for EXIN’s examinations apply to this exam.

This exam consists of 20 multiple-choice questions. Each multiple-choice question has a number of possible answers, of which only one is the correct answer.

The maximum number of points that can be obtained for this exam is 20. Each correct answer is worth one point. If you obtain 13 points or more you will pass.

The time allowed for this exam is 30 minutes.

Good luck!

Sample Exam

1 / 20

The illegal collection, storage, modification, disclosure or dissemination of personal data is an offence by European law.

What kind of offence is this?

A) a content related offence

B) an economic offence

C) an intellectual property offence

D) a privacy offence

2 / 20

How are privacy and data protection related to each other?

A) Data protection is a subset of privacy.

B) Privacy is a subset of data protection.

C) They are the same thing.

D) You cannot have privacy without data protection.

3 / 20

The word 'privacy' is not mentioned in the GDPR.

How is 'privacy' related to 'data protection'?

A) Data protection is a set of rules and regulations on processing personal data. Privacy is the result of data protection.

B) Privacy is the right to be protected from interference in personal matters. Data protection is the means to implement that protection.

C) Privacy is the right to keep personal matters secret. Data protection is the right to keep personal data secret.

D) The terms 'privacy' and 'data protection' are interchangeable. There is no real difference in meaning.

4 / 20

The GDPR is related to personal data protection.

What is the definition of personal data?

A) any information relating to an identified or identifiable natural person

B) any information that the European citizens would like to protect

C) data that directly or indirectly reveal someone's racial or ethnic background, religious views, and data related to health or sexual habits

D) preservation of confidentiality, integrity and availability of information

5 / 20

Which information is regarded as personal data according to the GDPR?

A) Information about a person, which might harm the privacy of that person, even when untrue

B) Any information regarding an identifiable natural person

C) Information, regarding an identifiable natural person, which is digitalized

6 / 20

Which right of data subjects is explicitly defined by the GDPR?

A)