|
Ready for GDPR? Test Your Knowledge, Get the Facts
By Susan Brown Faghani
Manager, Marketing and Sales Communication, L-Soft
The European Union's General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. But now's the time for people who manage email lists and subscriber databases to prepare. The GDPR requires sweeping changes to both the way personal data is collected, maintained and deleted as well as how consent to receive communications is handled.
Take our five-question quiz to test your knowledge and learn more from the official resources included.
The correct responses will be shown as soon as you answer each question.
1. The GDPR's protection of EU citizens' data only applies to companies located in Europe.
Correct Answer: False
GPDR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
Source: http://www.eugdpr.org/key-changes.html
2. The GDPR requires all businesses to designate a Data Protection Officer (DPO).
Correct Answer: False
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). If your organization doesn't fall into one of these categories, then you do not need to appoint a DPO.
Source: http://www.eugdpr.org/gdpr-faqs.html
3. Under the GDPR, there are penalties for companies that do not comply with the requirements of the regulation.
Correct Answer: True
Organizations can be fined up to 4 percent of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2 percent for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors – meaning 'clouds' will not be exempt from GDPR enforcement.
Source: http://www.eugdpr.org/key-changes.html
4. The GDPR does not include any changes to the provisions for consent from the previous 1995 Data Protection Directive, currently in effect.
Correct Answer: False
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Source: http://www.eugdpr.org/key-changes.html
5. Under the GDPR, EU citizens can have their data erased permanently and not shared.
Correct Answer: True
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.
Source: http://www.eugdpr.org/key-changes.html
Subscribe to LISTSERV at Work.
|
