Wednesday, 25 October 2017

10 GDPR Exam Questions - Test and Practice Your Knowledge

Up to 67% of IT professionals in UK businesses are unprepared for General Data Protection Regulation (GDPR) coming into effect on 25th May 2018, revealed Spiceworks’ “IT data Snapshot” survey.

What is GDPR?


GDPR builds on the current Data Protection Act (DPA), extending the right of the individual and forcing organisations to adhere to clear policies and procedures that protect EU citizens’ data.

The new regulations will affect all aspects of your business – this includes how IT security teams safely store this data and effectively re-engineer breach detection. Plus, a lack of compliance with the GDPR can lead to severe fines.


How will it affect my business?


Any business that stores EU citizens’ data, regardless of whether or not they’re in the EU, will be affected by GDPR.

Read this blog post on the 6 things you need to know about GDPR to understand how your business is affected by GDPR and how to plan for it.

To help you prepare for your GDPR Practitioner exam and to give you an idea of the complexities of the new GDPR regulations, we’ve included 10 official exam sample questions that could be included on our official GDPR Practitioner course:


1. Which of the following controller/processing scenarios in principle CAN use the Public Interest legal basis?

A. A vehicle licensing agency selling owner names and contact details to the private sector in exchange for money

B. A company director credit checking agency republishing the contents of a Mandatory Public Register of directors which is already in the public domain publishing the names and addresses of directors on the internet

C. A registered and regulated charity receiving information from any public sector body as part of a lawful Data Sharing Agreement

D. None of the above


2. Where the data subject is a child, what steps must controllers take in respect of consent, within the constraints of available technology?

A. Controllers must make best efforts to verify the consent

B. Controllers must make reasonable efforts to verify the consent

C. Controllers must make best efforts to request the consent in clear and plain language, in the context of the age of the child

D. Controllers must make reasonable efforts to request the consent in clear and plain language, in the context of the age of the child


3. "While implementing certain data subject rights the controller is NOT obliged by Article 19 to inform each third party recipient of the personal data" For which of the following rights is that statement TRUE?

A. "Non-profiling" under Article 22

B. Rectification under Article 16

C. Erasure / "right to be forgotten" under Article 17

D. Restriction under Article 18


4. For purposes of a data protection impact assessment, when must the controller seek the views of data subjects or their representatives on the intended processing?

A. Always

B. Never

C. When appropriate

D. When the supervisory authority requests it


5. Regarding data subjects protected by the GDPR, which of the following statements is true?

A. The GDPR protects only people who are physically located in the EU

B. The GDPR protects only EU citizens

C. The GDPR protects only EU residents

D. The GDPR protects only EU domiciliaries


6. In respect of non-profit representation of data subjects, which of the following statements is FALSE?

A. For a not-for-profit body, organisation to execute a mandate on behalf of a data subject, it must have been properly constituted in accordance with the law of a Member State.

B. Member State laws may provide that not-for-profit bodies may bring complaints under Articles 77, 78, and 79 in the absence of mandates from affected data subjects.

C. Any data subject has the right to mandate any not-for-profit body, organisation or association to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf.

D. Unless a Member State's laws facilitate it, a not-for-profit body cannot exercise the right to receive compensation referred to in Article 82 on a data subject's behalf.

How did you do?

Highlight the text to see the answers:

1. D

2. B

3. A

4. C

5. A

6. C


Update - More GDPR exam questions


PECB, a leading certification body for accrediting GDPR and data protection skills, has also provided practice exam questions.

These exam questions relate to the GDPR Foundation certification and are great examples of what you might expect on an entry-level GDPR exam.


Question 1 (5 points): Please list at least five GDPR implementation advantages.

Possible answer

Some of the advantages that organisations gain due to GDPR implementation include:

  1. More confidence in transactions between the data subjects and data processors
  2. Following a single regulation
  3. Setting a framework that provides reasonable assurance of privacy
  4. Establishment of a trustworthy reputation in the global market
  5. Maximising the possibilities to provide safe data processing services


Question 2 (5 points): Considering that the aim of General Data Protection Regulation is to ensure a consistent level of protection for natural persons throughout the European Union and to prevent divergences hampering the free movement of personal data, please list at least five changes that an organisation can face due to its implementation.

Possible answer

Some of the changes that an organisation can face due to GDPR implementation include:

  1. Appointment of a data protection officer
  2. Drafting and establishing new policies regarding the international data transfers
  3. Drafting and establishing new policies regarding the notification of a data breach
  4. Drafting and establishing new policies that require compliance with the principles of data processing activities
  5. Drafting and establishing new policies that require compliance to data subject rights



Question 3 (5 points): Organisations wanting to comply with the General Data Protection Regulation shall respect the data subject rights. Please provide at least one concrete action that would support an organisation in complying with the following rights.

Right to data portability (Article 18)

Possible answer:

  • Documented policy that enables the data subject to request restriction of processing his/her personal data if such processing is unlawful

Right to object (Article 21)

Possible answer:

  • Establishment of a policy that enables the data subject to object at any time to processing of his/her personal data for marketing purposes


Question 4 (5 points): Please define what measures an organisation can implement to demonstrate compliance with the following:

Security of processing

Possible answer:

  1. Establish a procedure that defines what technical and organisational measures shall be implemented to demonstrate compliance with the GDPR
  2. Establish a system that assesses the appropriate level of security when processing activities are carried out


How to learn GDPR fast


Whether or not you got the answers right, upskill your team and prepare your business in time with Firebrand’s accelerated 3-day GDPR Practitioner Certification, built by a former Data Manager and Solicitor of the Supreme Courts of England and Wales.