Besides the Privacy & Data Protection Foundation Courseware - English (ISBN: 9789401803595) publication you are advised to obtain the publication EU GDPR, A pocket guide (ISBN: 978 1 849 2855 5). Privacy & Data Protection Foundation covers the main subjects related to the protection of personal data. Candidates benefit from a certification that is designed to impart all the knowledge required to help ensure compliance with the General Data Protection Regulation. Within the European Union, regulations and standards regarding the protection of data are stringent. The General Data Protection Regulation (GDPR) went into force in May 2016 and organizations have until May 2018 to change their policies and processes to ensure they fully comply. Companies outside Europe will also need to comply when doing business in Europe. One of the ways to comply in time is to qualify staff. Having certified professionals with the right level of knowledge can help prepare your organization for these obligations. The EXIN Privacy & Data Protection program covers the required knowledge of legislation and regulations relating to data protection and how this knowledge should be applied to be compliant.
Page count: 172
Year of publication: 2018
Privacy & Data Protection Foundation Courseware – English
Title:
Privacy & Data Protection Foundation Courseware - English
Authors:
Ing. Ruben Zeegers CISSP RSE
Publisher:
Van Haren Publishing, ‘s-Hertogenbosch
ISBN Hard Copy:
978 94 018 035 95
Edition:
First edition, first print October 2018
Design:
Van Haren Publishing, ‘s-Hertogenbosch
Copyright:
© Van Haren Publishing 2018
For further information about Van Haren Publishing please e-mail us at: [email protected] or visit our website: www.vanharen.net
All rights reserved. No part of this publication may be reproduced in any form by print, photo print, microfilm or any other means without written permission by the publisher.
Although this publication has been composed with much care, neither author, nor editor, nor publisher can accept any liability for damage caused by possible errors and/or incompleteness in this publication.
The certificate EXIN Privacy and Data Protection Foundation (PDPF) is part of the EXIN qualification program Privacy and Data Protection.
The Courseware was created by experts from the industry who served as the author(s) for this publication. The input for the material was based on existing publications and the experience and expertise of the author(s). The material has been reviewed by trainers who also have experience working with the material. Close attention was also paid to the key learning points to ensure that what needs to be mastered is covered.
The objective of the courseware is to provide maximum support to the trainer and to the student during his or her training. The material has a modular structure and, according to the author(s), offers the highest success rate should the student opt for examination. For this reason, the Courseware has also been accredited wherever applicable.
In order to satisfy the requirements for accreditation the material must meet certain quality standards. The structure, the use of certain terms, diagrams and references are all part of this accreditation. Additionally, the material must be made available to each student in order to obtain full accreditation. To optimally support the trainer and the participant of the training assignments, practice exams and results have been provided with the material.
Direct reference to advised literature is also regularly covered in the sheets so that students can easily find additional information concerning a particular topic. The decision to separate note pages (handouts) from the Courseware was to encourage students to take notes throughout the material.
Although the courseware is complete, the trainer may deviate from the structure of the sheets or choose not to refer to all the sheets or commands. The student always has the possibility to cover these topics and go through them on their own time. It is strongly recommended to follow the structure of the courseware and publications for maximum exam preparation.
The courseware and the recommended literature are the perfect combination to learn and understand the theory.
-Van Haren Publishing
Reflection
Agenda
Course
About this Courseware
ISFS exam specifications
Module 1: Privacy & data protection fundamentals & regulation
1.1 Concepts in a digital world
1.2 Personal data
1.3 Legitimate grounds and purpose limitation
1.4 Further requirements for legitimate processing of personal data
1.5 Rights of data subjects
1.6 Data breach and related procedures
Module 2: Organizing data protection
2.1 The importance of data protection for the organization
2.2 Supervisory authority
2.3 Transfer of personal data to third countries
2.4 Binding Corporate rules and data protection in contracts
Module 3: Practice of data protection
3.1 Data protection by design and by default related to information security
3.2 Data protection impact assessment (DPIA)
3.3 Practice related applications of the use of data, marketing and social media.
Practice questions
Questions Module 1
Questions Module 2
Questions Module 3
Assignment answers
Answer Module 1
Answer Module 2
Answer Module 3
EXIN Sample Exam
Rationale
Answers
Evaluation
EXIN Preparation Guide
White paper Privacy and Data Protection Foundation
“What you do not measure, you cannot control.” – Tom Peters
Fill in this diagram to self-evaluate your understanding of the material. This is an evaluation of how well you know the material and how well you understand it. In order to pass the exam successfully you should be aiming to reach the higher end of Level 3. If you really want to become a pro, then you should be aiming for Level 4. Your overall level of understanding will naturally follow the learning curve, so it is important to keep track of where you are at each point of the training and address any areas of difficulty.
Based on where you are within the Self-Reflection of Understanding diagram you can evaluate the progress of your own training.
Write down the problem areas that you are still having difficulty with so that you can consolidate them yourself, or with your trainer. After you have had a look at these, then you should evaluate to see if you now have a better understanding of where you actually are on the learning curve.
Troubleshooting
Day 1
09:00 - 09:30
Introduction, About this course
09:30 - 12:00
Module 1: Privacy & data protection fundamentals & regulation
12:00 - 12:30
lunch
12:30 - 17:00
Module 2: Organizing data protection
Day 2
09:00 - 12:00
Module 3: Practice of data protection
12:00 - 12:30
lunch
12:30 - 14:00
Practice questions & Evaluate
14:00 - 17:00
Sample Exam questions
This is the sample exam EXIN Privacy and Data Protection Foundation (PDPF.EN). The Rules and Regulations for EXIN’s examinations apply to this exam.
This exam consists of 40 multiple-choice questions. Each multiple-choice question has a number of possible answers, of which only one is the correct answer.
The maximum number of points that can be obtained for this exam is 40. Each correct answer is worth one point. If you obtain 26 points or more you will pass.
The time allowed for this exam is 60 minutes.
Good luck!
1 / 40
The illegal collection, storage, modification, disclosure or dissemination of personal data is an offence by European law.
What kind of offence is this?
A) a content related offence
B) an economic offence
C) an intellectual property offence
D) a privacy offence
2 / 40
How are privacy and data protection related to each other?
A) Data protection is a subset of privacy.
B) Privacy is a subset of data protection.
C) They are the same thing.
D) You cannot have privacy without data protection.
3 / 40
What is the GDPR mainly intended for?
A) To be a common ground upon which the member states can build their own laws.
B) To make non-EU countries respect the right to privacy of individuals within the EU.
C) To secure privacy as a fundamental human right for everyone.
D) To strengthen and unify data protection for individuals within the EU.
4 / 40
The GDPR is related to personal data protection.
What is the definition of personal data?
A) any information relating to an identified or identifiable natural person
B) any information that the European citizens would like to protect
C) data that directly or indirectly reveal someone’s racial or ethnic background, religious views, and data related to health or sexual habits
D) preservation of confidentiality, integrity and availability of information
5 / 40
According to the GDPR, which personal data category is regarded as sensitive data?
A) credit card details
B) trade union membership
C) passport number
D) social security number
6 / 40
According to the GDPR, what is the definition of ‘processing’ of personal data?
A) Any operation that can be performed on personal data
B) Any operation that can be performed on personal data, except erasing and destroying
C) Only operations in which the data is being shared on social media or transferred by email or otherwise through the Internet
D) Only operations in which the personal data is used for the purposes for which it was collected
7 / 40
“An independent public authority which is established by a Member State pursuant to Article 51.”
Which role in data protection is defined?
A) Controller
B) Processor
C) Supervisory authority
D) Third party
8 / 40
‘Informed consent’ is a lawful basis to process personal data under the GDPR. The purpose of the processing for which consent is given should be documented.
At what time in the process should the data subject’s consent be obtained?
A) After the purpose specification is presented and before personal data is collected.
B) Before the purpose specification is conceived and presented.
C) Before the personal data is processed.
D) Before the personal data is published or disseminated.
9 / 40
The GDPR is based on the principles of proportionality and subsidiarity.
What is the meaning of ‘proportionality’ in this context?
A) Personal data can only be processed in accordance with the purpose specification.
B) Personal data cannot be re-used without explicit and informed consent.
C) Personal data may only be processed in case there are no other means to achieve the purposes.
D) Personal data must be adequate, relevant and not excessive in relation to the purposes.
10 / 40
The processing of personal data has to meet certain quality requirements.
What is one of these quality requirements defined by the GDPR?
A) The data processed must be archived.
B) The data processed must be encrypted.
C) The data processed must be indexed.
D) The data processed must be relevant.
11 / 40
Every time personal data is processed proportionality and subsidiarity must be checked.
What is the requirement for the personal data being processed?
A) It must be limited always to what is necessary to achieve the defined goals and must be limited to the least “intrusive” data.
B) It must be handled by the smallest number of employees possible and they must work for the Controller or an affiliate.
C) It must be limited to a predefined storage size and the system used must be financed by the Controller.
D) It must be used for the smallest number of purposes possible and this may not be done outside the premises of the Processor.
12 / 40
“The controller shall implement appropriate technical and organizational measures for ensuring that (...) only personal data which are necessary for each specific purpose of the processing are processed.”
Which term in the GDPR is defined?
A) Compliance
B) Data protection by default
C) Privacy by design
D) Embedded protection
13 / 40
What is the term used in the GDPR for unauthorized disclosure of, or access to, personal data?
A) Confidentiality violation
B) Data breach
C) Incident
D) Security incident
14 / 40
It has been ascertained that a data breach of sensitive personal data occurred.
To whom must this ultimately be reported according to the GDPR?
A) the supervisory authority
B) the Data Protection Officer (DPO)
C) the manager of the department
D) the police
15 / 40
While performing a backup, a data server disk crashes. Both the data and the backup are lost. The disk contained personal data but no sensitive data.
What kind of incident is this?
A) data breach
B) security breach
C) security incident
16 / 40
Someone working for a trade union took a draft newsletter for the members home to finish it there. The USB stick containing the draft and the mailing list, was lost.
To whom, among others, should this data breach be reported?
A) all members on the mailing list
B) the board of the trade union
C) the police
17 / 40
A social services organization plans to design a new database to administrate its clients and the care they need.
In order to request permission with the supervisory authority, what is one of the first important steps to be taken?
A) Collect data about the clients and the amount and kind of care needed and provided.
B) Conduct a data protection impact assessment (DPIA) to assess the risks of the intended processing.
C) Obtain consent of the clients for the intended processing of their personal data.
18 / 40
In which case should the data subjects always be notified of a data breach?
A) The personal data was processed at a facility of the Processor that is not located within the borders of the EU.
B) The personal data was processed by a party that agreed to the draft processing contract the Controller sent, but did not yet sign it.
C) The system on which the personal data was processed was attacked causing damage to its storage devices.
D) There is a significant probability that the breach will lead to detrimental consequences for the privacy of the data subjects.
19 / 40
A Dutch controller has contracted the processing of sensitive personal data out to a processor in a North African country, without consulting the supervisory authority. It was discovered and he was penalized by the supervisory authority. Six months later the authority finds out that the controller is guilty of the same transgression again for another processing operation.
What is the maximum penalty the supervisory authority can impose in this case?
A) € 750,000
B) €1,230,000
C) € 10,000,000 or 2% of the company’s worldwide turnover, whichever is higher
D) € 20,000,000 or 4% of the company’s worldwide turnover with a minimum of € 20,000,000 whichever is higher
20 / 40
Supervisory Authorities are assigned a number of responsibilities aimed at making sure data protection regulations are complied with.
What is one of those responsibilities?
A) Assessing codes of conduct for specific sectors relating to the processing of personal data.
B) Defining a minimum set of measures to be taken to protect personal data.
C) Investigation of all data breaches of which they have been notified.
D) Review of contracts and BCRs on compliance with the regulations.
21 / 40
A religious association wants to share personal data with their religious authority in a non-European country in order to comply with a legal request from the government concerned.
Which regulation in the GDPR applies in this case?
A) As an exception, processing of sensitive data revealing religious beliefs is permitted to a religious association.
B) It is not lawful to transfer personal data out of the EEA in response to a legal requirement from a third country.
C) Processing is lawful provided specific and unambiguous consent of the data subject has been acquired.
D) Processing personal data outside the EEA is permitted using the model contract clauses designed by the EU Commission.
22 / 40
On July 12, 2016 the European Commission implemented a ruling regarding transfer of personal data with the USA (EU-US Privacy Shield).
In terms of the GDPR, what kind of a ruling is this?
A) An adequacy decision
B) An exception decree
C) A standard binding contract
D) A treaty superseding the GDPR
23 / 40
Binding corporate rules are a means for organizations to ease their administrative burden when complying with the GDPR.
How do these rules help them?
A) They allow them to have underpinning contracts with all parties involved abroad.
B) They allow them to let third parties outside the European Economic Area process personal data.
C) They avoid the need to approach each supervisory authority in the EU separately.
D) They prevent them from having to ask a supervisory authority for permission for the processing of the data once their BCR are accepted.
24 / 40
In case a contractor contracts out the processing of personal data, the parties will enter into a written contract. This contract sets out subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.
What other aspect must be governed by this written contract?
A) the accountability of the processor
B) the data breach notification obligation
C) the obligation that processors must co-operate with the supervisory authority
D) the obligations and rights of the controller
25 / 40
What should be done so that a Controller is able to outsource the processing of personal data to a Processor?
A) The Controller must ask the supervisory authority for permission to outsource the processing of the data.
B) The Controller must ask the supervisory authority if the agreed upon written contract is compliant with the regulations.
C) The Controller and Processor must draft and sign a written contract guaranteeing the confidentiality of the data.
D) The Processor must show the Controller all demands agreed upon in the Service Level Agreement (SLA) are met.
26 / 40
Data protection by design, as described in GDPR article 25, is based on seven basic principles. One of these is usually called ‘Functionality - Positive-Sum, not Zero-Sum’.
What is the essence of this principle?
A) Applied security standards must assure the confidentiality, integrity and availability of personal data throughout its lifecycle.
B) If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives.
C) When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired.
D) Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks.
27 / 40
Often staff who work with personal data consider privacy and information security as separate issues.
Why is this wrong?
A) Privacy can’t be guaranteed without identifying, implementing, and monitoring proper information security measures.
B) The supervisory authority expects the roles of data protection officer and Information security officer to be integrated.
C) The regulations identify specific information security measures that must be taken before handling personal data is allowed.
28 / 40
One of the objectives of a data protection impact assessment (DPIA) is to ‘strengthen the confidence of customers or citizens in the way personal data is processed and privacy is respected’.
How can a DPIA ‘strengthen the confidence’?
A) The organization minimizes the risk of costly adjustments in processes or redesign of systems in a later stage.
B) The organization prevents non-compliance to the GDPR and minimizes the risk of fines.
C) The organization proves that it takes privacy seriously and aims for compliance to the GDPR.
29 / 40
What is the purpose of a data protection audit by the supervisory authority?
A) To fulfill the obligation of the GDPR to implement appropriate technical and organizational measures for data protection.
B) To monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR.
C) To advise the controller on the mitigation of privacy risks in order to protect the controller from liability claims for non-compliance with the GDPR.
30 / 40
What best describes the principle of data minimization?
A) Care must be taken to collect as little data as possible in order to protect the privacy and interests of the data subjects.
B) Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
C) In order to keep data manageable, it must be stored in such a manner that it requires a minimal amount of storage.
D) The number of items that is collected per data subject may not exceed the upper limit stated by the supervisory authority.
31 / 40
Session cookies are one of the most common types of cookie.
What best describes a session cookie?
A) It contains information on what you are doing, for instance the products you select in a web shop before you actually order.
B) It reveals your browse history, so other websites can find out which websites you have visited before you arrived there.
C) It stores your browse history, so you can trace where you have been on the net and revisit those site(s) if you want.
D)
