UK Data Privacy Protection MCQs with Answers

The UK’s data protection law is primarily regulated by:
A) GDPR
B) HIPAA
C) FOIA
D) DPA 2018
Answer: D) DPA 2018

GDPR stands for:
A) General Data Processing Regulation
B) General Data Privacy Rule
C) General Data Protection Regulation
D) General Data Privacy Regulation
Answer: C) General Data Protection Regulation

The Information Commissioner’s Office (ICO) is responsible for:
A) International trade agreements
B) Protecting personal data and upholding information rights
C) Telecommunications regulation
D) Immigration services
Answer: B) Protecting personal data and upholding information rights

The term “data subject” refers to:
A) A company collecting data
B) A government agency processing data
C) An individual to whom the data relates
D) A data protection officer
Answer: C) An individual to whom the data relates

Under GDPR, personal data includes:
A) Only sensitive information
B) Any information related to a living individual
C) Only financial information
D) Information related to government officials
Answer: B) Any information related to a living individual

Consent to process personal data must be:
A) Obtained through force
B) Explicit and freely given
C) Only verbal
D) Ignored for sensitive data
Answer: B) Explicit and freely given

Data controllers are responsible for:
A) Physical security only
B) Processing personal data on behalf of data subjects
C) Legal compliance with data protection laws
D) Ignoring data breaches
Answer: C) Legal compliance with data protection laws

Data processors handle personal data on behalf of:
A) Data subjects
B) Data controllers
C) Competitors
D) Regulatory agencies
Answer: B) Data controllers

The “right to be forgotten” allows data subjects to:
A) Request access to their data
B) Request deletion of their data under certain conditions
C) Request that their data be shared publicly
D) Request unlimited data storage
Answer: B) Request deletion of their data under certain conditions

Data portability allows individuals to:
A) Transfer their data to another company in any format
B) Only transfer data to government agencies
C) Request that their data be permanently deleted
D) Request a copy of their data in a machine-readable format
Answer: D) Request a copy of their data in a machine-readable format

Data protection impact assessments (DPIAs) are conducted to:
A) Share personal data with third parties
B) Assess potential risks and impacts of data processing activities
C) Exclude sensitive data from protection
D) Promote data collection without consent
Answer: B) Assess potential risks and impacts of data processing activities

In case of a personal data breach, data controllers are required to:
A) Ignore the breach if it’s minor
B) Notify the authorities within 72 hours if it’s likely to result in a risk to individuals’ rights and freedoms
C) Only inform the affected individuals
D) Take no action if the breach involves financial data
Answer: B) Notify the authorities within 72 hours if it’s likely to result in a risk to individuals’ rights and freedoms

Children’s personal data requires special protection. What is the age below which parental consent is needed to process children’s data under GDPR?
A) 12 years
B) 16 years
C) 18 years
D) 14 years
Answer: B) 16 years

One of the lawful bases for processing personal data under GDPR is:
A) Ignoring data protection laws
B) Legitimate interests of the data controller or a third party
C) Keeping data indefinitely
D) Selling data to third parties
Answer: B) Legitimate interests of the data controller or a third party

The Data Protection Officer (DPO) role is mandatory for:
A) All organizations regardless of size
B) Only large corporations
C) Government agencies
D) Organizations that don’t process personal data
Answer: A) All organizations regardless of size

A subject access request (SAR) allows individuals to:
A) Request that their data be permanently deleted
B) Request access to their personal data and information about its processing
C) Access any personal data without restrictions
D) Request data deletion without any reasons
Answer: B) Request access to their personal data and information about its processing

GDPR imposes strict requirements for transferring personal data outside the European Economic Area (EEA). What mechanisms are commonly used to ensure lawful transfers?
A) Ignoring transfer restrictions
B) Cookies
C) Standard Contractual Clauses, Binding Corporate Rules, and adequacy decisions
D) Only transferring data to non-EEA countries without data protection laws
Answer: C) Standard Contractual Clauses, Binding Corporate Rules, and adequacy decisions

Data protection laws empower individuals with the right to object to processing based on:
A) The controller’s interests
B) The processor’s interests
C) Marketing purposes
D) Ignoring data processing
Answer: A) The controller’s interests

The “one-stop shop” mechanism under GDPR allows organizations with multiple establishments in the EU to:
A) Ignore data protection laws
B) Choose any EU country’s data protection authority as their lead supervisory authority
C) Not appoint a Data Protection Officer
D) Transfer data freely outside the EU
Answer: B) Choose any EU country’s data protection authority as their lead supervisory authority

Data controllers and processors must maintain records of processing activities, including:
A) Processing data without consent
B) Processing sensitive data only
C) Only financial transactions
D) Categories of data subjects and purposes of processing
Answer: D) Categories of data subjects and purposes of processing

The term “data minimization” refers to:
A) Collecting as much data as possible
B) Processing data without consent
C) Collecting and using only the data necessary for the stated purpose
D) Sharing data with unauthorized parties
Answer: C) Collecting and using only the data necessary for the stated purpose

GDPR applies to:
A) Only data controllers
B) Only large corporations
C) Any organization that processes personal data of EU citizens, regardless of its location
D) Government agencies
Answer: C) Any organization that processes personal data of EU citizens, regardless of its location

Which of the following rights allows individuals to rectify inaccurate or incomplete personal data?
A) Right to be forgotten
B) Right to erasure
C) Right to rectification
D) Right to ignore data accuracy
Answer: C) Right to rectification

The “Accountability Principle” under GDPR requires organizations to:
A) Ignore data breaches
B) Demonstrate compliance with data protection principles
C) Only appoint a Data Protection Officer
D) Avoid data processing
Answer: B) Demonstrate compliance with data protection principles

An individual whose data is being processed has the right to lodge a complaint with:
A) Any government agency
B) The Information Commissioner’s Office (ICO) or a supervisory authority in their country
C) The data processor
D) Only data controllers
Answer: B) The Information Commissioner’s Office (ICO) or a supervisory authority in their country

“Special categories” of personal data, also known as sensitive data, include information related to:
A) Marketing activities
B) Criminal offenses
C) Professional certifications
D) Ignoring data protection
Answer: B) Criminal offenses

“Privacy by design” and “privacy by default” are principles that encourage organizations to:
A) Collect as much data as possible
B) Process data without consent
C) Consider data protection throughout the entire lifecycle of a project or system
D) Only protect sensitive data
Answer: C) Consider data protection throughout the entire lifecycle of a project or system

The term “data breach” refers to:
A) Any form of data processing
B) Only unintentional sharing of data with unauthorized parties
C) A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data
D) Ignoring data protection laws
Answer: C) A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data

Under GDPR, organizations may appoint a Data Protection Officer (DPO) if they:
A) Collect minimal data
B) Process personal data only for marketing purposes
C) Are a government agency
D) Conduct large-scale processing of personal data or process sensitive data
Answer: D) Conduct large-scale processing of personal data or process sensitive data

The “right to erasure” is also known as:
A) Right to access
B) Right to forget
C) Right to keep data indefinitely
D) Right to ignore data protection
Answer: B) Right to forget

A “data protection officer” (DPO) is responsible for:
A) Marketing activities
B) Data breaches
C) Ensuring an organization’s data protection compliance and advising on data protection matters
D) Ignoring data protection laws
Answer: C) Ensuring an organization’s data protection compliance and advising on data protection matters

GDPR mandates that organizations have a legal basis for processing personal data. Which of the following is NOT a valid legal basis?
A) Consent
B) Legitimate interests
C) Ignoring data protection principles
D) Performance of a contract
Answer: C) Ignoring data protection principles

The term “data controller” refers to:
A) An individual whose data is being processed
B) An organization or person that determines the purposes and means of processing personal data
C) Only government agencies
D) Data processors
Answer: B) An organization or person that determines the purposes and means of processing personal data

GDPR grants individuals the right to obtain human intervention and express their point of view in relation to automated decisions. Which term is used for this right?
A) Right to object
B) Right to access
C) Right to rectification
D) Right to ignore data processing
Answer: A) Right to object

The UK’s DPA 2018 supplements GDPR with provisions relating to:
A) Only sensitive data
B) National security
C) Taxation
D) Ignoring data breaches
Answer: B) National security

A “third country” under GDPR refers to:
A) Any country outside the EU and EEA
B) Only countries with data protection laws
C) Countries that don’t process personal data
D) Only countries with high GDP
Answer: A) Any country outside the EU and EEA

GDPR requires organizations to carry out regular reviews of their data protection practices. What is this process called?
A) Data protection audit
B) Data breach review
C) Data retention review
D) Data protection impact assessment
Answer: A) Data protection audit

In the context of GDPR, “pseudonymization” refers to:
A) Deleting all personal data
B) Encrypting personal data
C) Processing personal data without any security measures
D) Replacing personal identifiers with pseudonyms to prevent direct identification
Answer: D) Replacing personal identifiers with pseudonyms to prevent direct identification

The “right to restriction of processing” allows individuals to:
A) Restrict access to their personal data
B) Restrict processing of their personal data in certain circumstances
C) Request unlimited data processing
D) Ignore data processing limitations
Answer: B) Restrict processing of their personal data in certain circumstances

GDPR introduces stricter rules for obtaining consent. Consent must be:
A) Implicit and assumed
B) Only verbal
C) Unrelated to data processing
D) Clear, informed, and freely given
Answer: D) Clear, informed, and freely given

The “right to object” allows individuals to object to processing based on:
A) Consent
B) Legitimate interests
C) Data minimization
D) Only sensitive data
Answer: B) Legitimate interests

Organizations processing personal data must implement appropriate technical and organizational measures to ensure:
A) Data breaches
B) Ignoring data protection laws
C) A level of security appropriate to the risk
D) Data inaccuracies
Answer: C) A level of security appropriate to the risk

Data breaches that pose a risk to individuals’ rights and freedoms must be reported to the relevant supervisory authority within:
A) 24 hours
B) 48 hours
C) 72 hours
D) One week
Answer: C) 72 hours

The “right to access” allows individuals to:
A) Access any data without restrictions
B) Request that their data be permanently deleted
C) Obtain confirmation of whether or not their personal data is being processed
D) Only access government data
Answer: C) Obtain confirmation of whether or not their personal data is being processed

The term “cross-border processing” under GDPR refers to:
A) Processing data within a single country
B) Only transferring data to third parties
C) Transferring personal data to another country
D) Only processing sensitive data
Answer: C) Transferring personal data to another country

The “right to data portability” allows individuals to:
A) Request data deletion
B) Request data rectification
C) Receive their personal data in a structured, commonly used, and machine-readable format
D) Ignore data processing requests
Answer: C) Receive their personal data in a structured, commonly used, and machine-readable format

The principle of “lawfulness, fairness, and transparency” under GDPR requires that data processing be based on:
A) Ignoring data protection principles
B) Lawfulness and legitimate interests
C) Consent only
D) Only sensitive data
Answer: B) Lawfulness and legitimate interests

Organizations are required to maintain records of processing activities for:
A) 5 years
B) 10 years
C) 2 years
D) Indefinitely
Answer: C) 2 years

GDPR defines a “personal data breach” as:
A) Any data sharing activity
B) A breach of confidential data only
C) A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data
D) Ignoring data protection regulations
Answer: C) A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data

“Binding Corporate Rules” (BCRs) are a mechanism for:
A) Ignoring data protection laws
B) Transferring data to third countries without any restrictions
C) Data protection compliance within a corporate group for international data transfers
D) Only sharing data with affiliates
Answer: C) Data protection compliance within a corporate group for international data transfers
