10 eksamensspørsmål til Data Protection Officer (DPO)

Derfor er det mange som leter etter DPO-kurs og sertifiseringer, som kan gi kunnskapen som trengs. Men det finnes ingen offisiell akkreditering fra EU, og derfor har det oppstått et stort marked med mer eller mindre seriøse DPO kurs.

Vil du ha et kurs med offisiell akkreditering, kan du for eksempel se efter ISO- eller PECB-sertifisering. Husk alltid å spørre om hvem som utsteder DPO-sertifiseringen – det kan gi en pekepinn på kvalitetsnivået.

Et av de mest målrettede kursene er Readynez's CDPO-kurs, som er utviklet i samarbeid med det internasjonale PECB, som utsteder sertifiseringen og er anerkjent verden over. 

På Readynez's CDPO-kurs lærer du å støtte implementeringen av GDPR med en modell for databeskyttelse, og hos Readynez tar det bare 3 dager, inkludert sertifisering.

Er du nysgjerrig på hva eksamen inneholder, kan du ta en titt på de 10 testspørsmålene fra CDPO-eksamen fra PECB.

Question 1 (10 points)
Considering that the aim of General Data Protection Regulation is to ensure a consistent level of protection for natural persons throughout the European Union and to prevent divergences hampering the free movement of personal data, please list at least five changes that an organisation can face due to its implementation and at least five GDPR implementation advantages.

Possible answer

Some of the changes that an organisation can face due to GDPR implementation include:

1. Appointment of a data protection officer
2. Drafting and establishing new policies regarding the international data transfers
3. Drafting and establishing new policies regarding the notification of a data breach
4. Drafting and establishing new policies that require compliance with the principles of data processing activities
5. Drafting and establishing new policies that require compliance to data subject rights

Some of the advantages that organisations gain due to GDPR implementation include:

1. More confidence in transactions between the data subjects and data processors
2. Following a single regulation
3. Setting a framework that provides reasonable assurance of privacy
4. Establishment of a trustworthy reputation in the global market
5. Maximizing the possibilities to provide safe data processing services

Question 2 (5 points)
Organisations wanting to comply with the General Data Protection Regulation shall follow the data protection principles. Please provide at least two concrete actions that would support an organisation in complying with the following principles: Lawfulness of processing (Article 6) and Conditions for consent (Article 7).

Possible answer

Lawfulness of processing (Article 6) 

• Establishment of a policy that points out when processing of personal data may be lawful 
• Establishment of a policy that enables the data subject to understand the necessity of processing his or her personal data 

 Conditions for consent (Article 7)

• Establishment of a policy that requires the organisation to demonstrate whether the data subject has consented to processing of his or her personal data 
• Establishment of procedures that give the data subject the right to withdraw his or her consent at any time

Question 3 (5 points)
As a data protection officer in the ABC organization, one of your tasks is to monitor compliance with the GDPR and with the policies of the controller or processor in relation to the protection of personal data. Additionally, your role includes the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.

As such, you have noticed that the ABC organisation does not comply with GDPR requirements regarding the right to rectification and right to erasure.

To ensure the effectiveness of the implemented data privacy framework and GDPR compliance, please provide at least two concrete actions that the ABC organization can take to ensure compliance with the following Right to rectification (Article 16) and Right to erasure (right to be forgotten) (Article 17).

Possible answer

Right to rectification (Article 16) 

• Establish a system that enables the data subject to modify data concerning him or her
• Establish a policy that enables the data subject to complete his or her incomplete data

 Right to erasure (right to be forgotten) (Article 17)

• Establish a system that deletes personal data that are no longer necessary in relation to the purposes for which they were collected or processed
• Establish a policy that prohibits processing of personal data in unlawful manners

Question 4 (5 points)
Considering that an organisation should conduct a gap analysis to determine its current state and identify actions needed to ensure compliance with the GDPR; please identify at least five areas of concern that organisations should consider when conducting the gap analysis.

Possible answer

The organisation should determine whether the technical and organisational measures already in place can achieve the GDPR objectives. Therefore, conducting a gap analysis is essential because it enables the organisation to determine its current situation, targets and the steps to be taken to move from the current to a desired future state.

Some concerns that organisations can have when conducting a gap analysis include:

1. Principles of processing personal data
2. Rights of the data subject
3. Security of processing
4. Data protection impact assessment
5. Notification of a data breach
6. Transfers of personal data to third countries

Question 5 (5 points)
The General Data Protection Regulation implies that “The controller and the processor shall designate a data protection officer in any case where:

1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; 

2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale”

 Please list at least five tasks that shall be given to the Data Protection Officer in order to comply with the regulation.

 Possible answer

 The data protection officer shall have at least the following tasks:

1. Inform and advice the controller, processor and the employees who carry out processing of their obligations pursuant to the GDPR and other data protection provisions
2. Monitor compliance with the GDPR
3. Provide advices with regard to data protection impact assessment
4. Monitor the performance of the data protection impact assessment
5. Cooperate with the supervisory authorities

Question 6 (5 points)
Please define at least three measures that an organization can implement to demonstrate compliance with the records of processing activities.

Possible answer

Records of processing activities 

• Establish a policy that requires maintenance of records regarding the processing activities
• Establish a policy that defines what information shall the documented records contain
• Establish system that separately describes data subject categories and personal data categories

Question 7 (10 questions)
Please define why the data mapping process is important and define the steps.

Possible answer

The process of data mapping helps an organisation obtain a 360° view of its data circulation. In order to enforce the regulatory requirements for personal data processing, companies must first identify and locate such data in their information systems (IS).

The process of data mapping helps organisations identify what categories of data are being stored, determine who owns the data and who has access to such data, additionally the process identifies to which recipients the data stored is disclosed.

Data mapping process steps include: 

1. Assigning a person/team in charge of designing and maintaining the data map
2. Defining a project plan
3. Collecting relevant information
4. Preparing the Data Map
5. Maintaining and updating the Data Mapping Plan

Question 8 (5 points)
According to the General Data Protection Regulation: “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk”. Please list at least three processing activities that can harm the data subject.

Possible answer:

• The processing of data subject’s sensitive personal information; such as children's data
• The processing of data in vast amounts that can affect a great number of individuals
• The processing of data in a new manner or processing data during the time when the first DPIA has expired;
• A wide-spread processing of distinct categories of data, and criminal conviction and offences data

Question 9 (5 points)
The General Data Protection Regulation requires organisations to conduct a Privacy Impact Assessment only when the processing is likely to result in a high risk to the rights and freedoms of natural persons. Besides being a requirement of this regulation, organisation can benefit if a privacy impact assessment is carried out, therefore, please list at least three benefits that organisations can gain by carrying out such process.

Possible answer:

Benefits of carrying out a Privacy Impact Assessment include: 

• Identification of privacy risks and impacts
• Assessment of the impacts and the likelihood of new information system privacy risks
• Gaining valuable information that contribute to the design of privacy protection

Question 10 (5 points)
Please define at least two measures for each of the following requirements that an organisation can implement to demonstrate compliance.

Notification of a personal data breach to the supervisory authority

Possible answer 

• Establish a policy that requires the controller to notify the personal data breach to the supervisory authority without undue delay -no later than 72 hours- after having become aware of the personal data breach
• In the notification report describe the consequences of the personal data breach

 Information to be provided where personal data are collected from the data subject

 Possible answer

1. Establish a policy that requires the controller to provide the data subject with information such as the contact details and identity of the controller
2. Establish a policy that requires the controller to ensure fair and transparent processing by providing the data subject with all the necessary information as required by GDPR

 Security of processing

 Possible answer

1. Establish a procedure that defines what technical and organisational measures shall be implemented to demonstrate compliance with the GDPR
2. Establish a system that assesses the appropriate level of security when processing activities are carried out

Gikk spørsmålene som en lek?
Hvis svaret er nei, kan du ta DPO-kurset og lære alt du får bruk for. CDPO-kurset forbereder deg til rollen som Data Protection Officer (DPO). På dette akselererte 3-dagers Certified Data Protection Officer-kurset lærer du å implementere og administrere en ramme for å overholde reglene i General Data Protection Regulation (GDPR).

Som en del av kurset får du den offisielle PECB Data Protection Officer-sertifiseringen.