GDPR Cheat Sheet 2026
The 30 highest-yield GDPR facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
90 questions
150 min time limit
65.00% to pass
- What is the value of isolating variables during troubleshooting? → It identifies the specific cause by changing one factor at a time
- What is the role of a supervisory authority under GDPR? → Monitor and enforce GDPR compliance
- The 'public task' lawful basis under Article 6(1)(e) applies when processing is necessary for: → Performance of a task carried out in the public interest or exercise of official authority
- Which architectural pattern provides the best fault isolation? → Microservices architecture with independent service boundaries
- Which principle requires that data be collected for specific, explicit, and legitimate purposes? → Purpose limitation
- What is a primary responsibility of a data controller under GDPR? → Determining purposes and means of data processing
- What is the primary purpose of security auditing? → To identify vulnerabilities and verify compliance with security policies
- Which GDPR mechanism allows personal data to be transferred to a third country that the European Commission has deemed to provide adequate protection? → Adequacy Decision
- Which document must processors maintain under GDPR? → Record of processing activities
- What is the principle of least privilege? → Granting users only the minimum access necessary to perform their duties
- What is the first step in performance optimization? → Establish baseline measurements and identify bottlenecks
- What is the right to rectification under GDPR? → The right to correct inaccurate data
- How should a root cause analysis be conducted? → Systematically investigate underlying causes rather than just symptoms
- What is the recommended approach for deploying system updates? → Incremental rollouts with rollback plans and monitoring
- Which right allows individuals to move their personal data between services? → Right to data portability
- Which of the following is NOT one of the six lawful bases listed in Article 6(1) of the GDPR? → Public interest research
- Which of the following is a lawful basis for processing personal data under GDPR? → Consent
- Which GDPR principle most directly underpins the requirement to maintain an internal breach register even for low-risk incidents not reported to the DPA? → Accountability
- What is the benefit of using a layered architecture approach? → Separation of concerns enabling independent development and testing
- What is the first step in a systematic troubleshooting approach? → Identify and clearly define the problem symptoms
- What role does the Data Protection Officer (DPO) play under GDPR? → Monitors and advises on GDPR compliance
- Under GDPR Article 47, Binding Corporate Rules (BCRs) must be approved by: → The relevant national supervisory authority and recognized by other EEA authorities
- When is automation NOT appropriate? → For one-time tasks or processes requiring complex human judgment
- A retailer processes customer data solely to fulfill an online purchase order. Which lawful basis under Article 6 applies? → Contract
- How many lawful bases for processing personal data are defined under Article 6 of the GDPR? → 6
- What does the right to object allow individuals to do? → Object to specific processing of their data
- What is the recommended approach for testing automation scripts? → Test in a non-production environment with realistic data before deployment
- What is the purpose of a staging environment? → To test configurations and changes before deploying to production
- When a processor becomes aware of a personal data breach, what is their primary obligation toward the controller under Article 33(2)? → Notify the controller without undue delay
- What role does documentation play in system architecture? → It enables team understanding, maintenance, and future development decisions
Turn these facts into recall: