- Email support@dumps4free.com
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?
A.
Notify the appropriate data protection authority.
B.
Perform a data protection impact assessment (DPIA).
C.
Create an information retention policy for those who operate the system.
D.
Ensure that safeguards are in place to prevent unauthorized access to the footage.
Create an information retention policy for those who operate the system.
Which of the following is NOT recognized as being a common characteristic of cloudcomputing services?
A.
The service’s infrastructure is shared among the supplier’s customers and can be
located in a number of countries.
B.
The supplier determines the location, security measures, and service standards
applicable to the processing.
C.
The supplier allows customer data to be transferred around the infrastructure according to capacity.
D.
The supplier assumes the vendor’s business risk associated with data processed by the
supplier.
The supplier assumes the vendor’s business risk associated with data processed by the
supplier.
Reference: https://www.softwaremajor.com/news-articles/64-gdpr-how-does-it-apply-to-thecloud
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
A.
To create and maintain records of processing activities.
B.
To conduct Privacy Impact Assessments on behalf of the controller or processor.
C.
To monitor compliance with other local or European data protection provisions.
D.
To create procedures for notification of personal data breaches to competent
supervisory authorities.
To conduct Privacy Impact Assessments on behalf of the controller or processor.
Reference: https://digitalguardian.com/blog/what-data-protection-officer-dpo-learn-aboutnew-
role-required- gdpr-compliance
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection
Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
A.
The establishment of a list of legitimate data processing criteria
B.
The creation of legally binding data protection principles
C.
The synchronization of approaches to data protection
D.
The restriction of cross-border data flow
The restriction of cross-border data flow
Reference: https://ico.org.uk/media/about-the-ico/documents/1042349/review-of-eu-dpdirective.
pdf (99)
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data
protection, while Frank is a lecturer in the engineering department. The University
maintains a number of types of records:
Student records, including names, student numbers, home addresses, preuniversity
information, university attendance and performance records, details of
special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional
contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and
conferrals of degrees. These records are available to former students after
registering through Granchester’s Alumni portal. Department for Education
records, showing how certain demographic groups (such as first-generation
students) could be expected, on average, to progress. These records do not
contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records
in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students
perform in relational to Department for Education expectations. He has attended one of
Anna’s data protection training courses and knows that he should use no more personal
data than necessary to accomplish his goal. He creates a
program that will only export some student data: previous schools attended, grades
originally obtained, grades currently obtained and first time university attended. He wants to
keep the records at the individual student level. Mindful of Anna’s training, Frank runs the
student numbers through an algorithm to transform them into different reference numbers.
He uses the same algorithm on each occasion so that he can update each record over
time.
One of Anna’s tasks is to complete the record of processing activities, as required by the
GDPR. After receiving her email reminder, as required by the GDPR. After receiving her
email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check
that this new use
of existing data is permissible. She also suspects that, under the GDPR, a risk analysis
may have to be carried out before the data processing can take place. Anna arranges to
discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his
home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the
University he loses it on the train. Frank has to see Anna that day to discuss compatible
processing. He knows that he needs to report security incidents, so he decides to tell Anna
about his lost laptop at the same time.
Before Anna determines whether Frank’s performance database is permissible, what
additional information does she need?
A.
More information about Frank’s data protection training.
B.
More information about the extent of the information loss.
C.
More information about the algorithm Frank used to mask student numbers.
D.
More information about what students have been told and how the research will be used.
More information about what students have been told and how the research will be used.
| Page 2 out of 42 Pages |
| Previous |