Apply Data Privacy Principles And Regulations
Practice questions for the CPA Information Systems and Controls (ISC) section.
Under GDPR, which of the following represents a lawful basis for processing personal data?
The data has already been publicly posted on social media by the individual.
The organization has a legitimate business interest in collecting as much data as possible.
The data subject has given explicit, informed consent to the processing for a specified purpose.
The organization's privacy policy states that data may be collected and used for any purpose.
Explanation
GDPR Article 6(1) lists the lawful bases for processing personal data. One of them is consent, which under Article 4(11) must be freely given, specific, informed and unambiguous, and which must be given for a specified purpose. The correct answer is therefore the option in which the data subject has given explicit, informed consent to processing for a specified purpose. A desire to collect "as much data as possible" does not satisfy the legitimate interests basis in Article 6(1)(f), which requires that the processing be necessary for a specific legitimate interest and that this interest be balanced against the data subject's rights and freedoms. The fact that an individual has posted data publicly on social media does not amount to consent to further processing by a third party. A privacy policy that reserves the right to use data "for any purpose" is not itself a lawful basis and also conflicts with the purpose limitation principle in Article 5(1)(b).
HIPAA's Privacy Rule primarily applies to which types of organizations?
Covered entities such as healthcare providers, health plans, and healthcare clearinghouses, and their business associates.
Organizations with annual revenue exceeding $10 million that handle patient data.
State and local government health departments only.
All organizations that collect any personally identifiable information from individuals.
Explanation
HIPAA's Privacy Rule applies to covered entities (healthcare providers that transmit health information electronically in connection with standard transactions, health plans, and healthcare clearinghouses) and, since the HITECH Act, to their business associates that create, receive, maintain or transmit protected health information (PHI) on their behalf. The correct answer is the option naming covered entities and their business associates. Applicability is not triggered by a revenue threshold, is not limited to state and local government health departments, and does not extend to every organization that collects personally identifiable information; an organization outside the healthcare chain that holds health-related data is not automatically subject to HIPAA.
Under GDPR, organizations must notify the relevant supervisory authority of a personal data breach within:
24 hours of the breach occurring.
30 days of the breach being discovered.
7 business days of confirming the breach through a formal investigation.
72 hours of becoming aware of the breach, where feasible.
Explanation
GDPR Article 33 requires the controller to notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; a notification made after 72 hours must be accompanied by the reasons for the delay. The clock starts at awareness, not at the moment the breach occurred and not at the close of a formal investigation. Notification is not required where the breach is unlikely to result in a risk to the rights and freedoms of natural persons, but Article 33(5) still requires the controller to document every breach, its effects and the remedial action taken. This is one of the tightest breach notification requirements globally. The correct answer is 72 hours of becoming aware of the breach, where feasible; 24 hours, 30 days and 7 business days are not GDPR timeframes.
Which of the following data elements is classified as 'special category data' under GDPR, requiring heightened protection?
An individual's email address and phone number.
An individual's employer name and job title.
An individual's shipping address and purchase history.
An individual's health information, biometric data, or racial/ethnic origin.
Explanation
GDPR Article 9 defines the special categories of personal data, whose processing is prohibited unless one of the conditions in Article 9(2) applies: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation. The correct answer is the option listing health information, biometric data and racial or ethnic origin. Email address and phone number, employer name and job title, and shipping address and purchase history are ordinary personal data: still protected by GDPR, but not subject to the stricter Article 9 conditions.
A company's privacy notice fails to disclose the retention period for personal data collected from website visitors. Under GDPR, this most likely violates which requirement?
The data breach notification requirement.
The right to erasure, which requires organizations to delete data upon request.
The transparency and right to information requirements, which mandate clear disclosure of how personal data will be used and retained.
The requirement to appoint a Data Protection Officer.
Explanation
GDPR Articles 13 and 14 require the controller to give data subjects, among other information, the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period. A privacy notice that omits retention information therefore breaches the transparency and right-to-information requirements, which is the correct answer. The right to erasure (Article 17) is a separate data subject right and is not what a missing retention period violates; breach notification (Articles 33 and 34) is unrelated to the content of a privacy notice; and the obligation to appoint a Data Protection Officer (Article 37) depends on the nature of the organization and its processing activities, not on what the notice discloses.
Which of the following best describes the concept of 'Privacy by Design'?
An approach in which privacy protections are embedded into the design and architecture of systems and processes from the outset.
A technical standard for encrypting personal data at rest and in transit.
A reactive approach where privacy controls are added to systems after they are deployed.
A privacy audit methodology conducted annually to assess compliance.
Explanation
Privacy by Design, codified in GDPR Article 25 as "data protection by design and by default", requires the controller to build appropriate technical and organizational measures (the Article names pseudonymization and data minimization as examples) into processing from the point at which the means of processing are determined, and to ensure that by default only the personal data necessary for each purpose is processed. The correct answer is the option describing privacy protections embedded into the design and architecture of systems and processes from the outset. A reactive approach that adds controls after deployment is the opposite of Privacy by Design. Annual audits and encryption standards can be components of a privacy program, but neither defines the concept.
Under GDPR, the 'right to erasure' (also known as the 'right to be forgotten') allows individuals to:
Access all personal data an organization holds about them.
Request deletion of their personal data when it is no longer necessary, consent is withdrawn, or other specified conditions are met.
Require organizations to correct inaccurate personal data about them.
Restrict the processing of their personal data while a complaint is being investigated.
Explanation
The right to erasure (GDPR Article 17) allows a data subject to require deletion of their personal data in specified circumstances, including where the data is no longer necessary for the purpose for which it was collected, where consent is withdrawn and no other lawful basis applies, where the data subject objects under Article 21 and there are no overriding legitimate grounds, or where the processing was unlawful. Article 17(3) carves out exceptions, for example where retention is necessary to comply with a legal obligation or to establish, exercise or defend legal claims. The correct answer is the option describing deletion when the data is no longer necessary, consent is withdrawn, or other specified conditions are met. Accessing one's data is the right of access (Article 15), correcting inaccurate data is the right to rectification (Article 16), and restricting processing is the right to restriction of processing (Article 18).
An organization's employee accidentally emails a file containing 50,000 customer records including names, addresses, and credit card numbers to an external party. Under GDPR, this event is best classified as:
A breach requiring notification only if the data is subsequently misused.
A personal data breach requiring assessment for supervisory authority notification within 72 hours and potential notification to affected data subjects.
A security incident requiring only IT remediation with no regulatory reporting obligations.
A minor operational error that requires only internal documentation.
Explanation
A personal data breach under GDPR Article 4(12) includes unauthorized disclosure of, or access to, personal data; emailing customer records to an external party is exactly that, regardless of what the recipient does with them. The controller must assess the risk and, unless the breach is unlikely to result in a risk to individuals, notify the supervisory authority within 72 hours of becoming aware of it (Article 33). Where the breach is likely to result in a high risk to individuals, as the disclosure of 50,000 records containing names, addresses and credit card numbers would be, the affected data subjects must also be informed without undue delay (Article 34). The correct answer is the option describing a personal data breach requiring assessment for supervisory authority notification within 72 hours and potential notification to affected data subjects. The volume and sensitivity of the data rule out treating the event as a minor operational error or as an IT-only matter, and GDPR does not make the obligation conditional on evidence that the data was subsequently misused.
Which of the following correctly describes the difference between 'data controller' and 'data processor' under GDPR?
A data controller processes data on behalf of a data processor's instructions.
A data processor determines the purposes and means of processing; a controller executes the processing.
Both terms refer to the same role under GDPR and may be used interchangeably.
A data controller determines the purposes and means of processing personal data; a data processor processes data on behalf of the controller.
Explanation
Under GDPR, the data controller is the natural or legal person that determines the purposes and means of processing (Article 4(7)); the data processor processes personal data on behalf of the controller and only on its documented instructions (Articles 4(8) and 28). The correct answer is the option in which the controller determines the purposes and means of processing and the processor processes data on the controller's behalf. The option that has the processor determining purposes and means, and the option that has the controller acting on the processor's instructions, both reverse the roles. The two roles are distinct, with different obligations and liabilities, so the terms are not interchangeable; note that the same organization can be a controller for some processing and a processor for other processing.
A company's privacy impact assessment (PIA) identifies that a new customer analytics system will process sensitive financial data at a large scale. Under GDPR, which additional requirement is most likely triggered?
The system must use only on-premises infrastructure with no cloud components.
The company must register the system with its national tax authority.
A Data Protection Impact Assessment (DPIA) must be completed before the processing begins.
All data subjects must be individually notified before the system goes live.
Explanation
GDPR Article 35 requires a Data Protection Impact Assessment before processing that is likely to result in a high risk to the rights and freedoms of individuals, and Article 35(3) specifically names systematic and extensive evaluation of personal aspects based on automated processing (which customer analytics typically is) and large-scale processing of sensitive data. Large-scale analytics over sensitive financial data falls into this category, so the DPIA must be completed before processing begins, and if it shows residual high risk that cannot be mitigated, Article 36 requires prior consultation with the supervisory authority. The correct answer is that a DPIA must be completed before the processing begins. Registration with a national tax authority is unrelated to GDPR, individual pre-launch notification of every data subject is not a GDPR requirement (the information duties in Articles 13 and 14 are met through the privacy notice), and GDPR does not prescribe on-premises infrastructure or prohibit cloud components.