GDPR Cheat Sheet 2026

The 30 highest-yield GDPR facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

90 questions
150 min time limit
65.00% to pass
  1. What is the value of isolating variables during troubleshooting? It identifies the specific cause by changing one factor at a time
  2. What is the role of a supervisory authority under GDPR? Monitor and enforce GDPR compliance
  3. The 'public task' lawful basis under Article 6(1)(e) applies when processing is necessary for: Performance of a task carried out in the public interest or exercise of official authority
  4. Which architectural pattern provides the best fault isolation? Microservices architecture with independent service boundaries
  5. Which principle requires that data be collected for specific, explicit, and legitimate purposes? Purpose limitation
  6. What is a primary responsibility of a data controller under GDPR? Determining purposes and means of data processing
  7. What is the primary purpose of security auditing? To identify vulnerabilities and verify compliance with security policies
  8. Which GDPR mechanism allows personal data to be transferred to a third country that the European Commission has deemed to provide adequate protection? Adequacy Decision
  9. Which document must processors maintain under GDPR? Record of processing activities
  10. What is the principle of least privilege? Granting users only the minimum access necessary to perform their duties
  11. What is the first step in performance optimization? Establish baseline measurements and identify bottlenecks
  12. What is the right to rectification under GDPR? The right to correct inaccurate data
  13. How should a root cause analysis be conducted? Systematically investigate underlying causes rather than just symptoms
  14. What is the recommended approach for deploying system updates? Incremental rollouts with rollback plans and monitoring
  15. Which right allows individuals to move their personal data between services? Right to data portability
  16. Which of the following is NOT one of the six lawful bases listed in Article 6(1) of the GDPR? Public interest research
  17. Which of the following is a lawful basis for processing personal data under GDPR? Consent
  18. Which GDPR principle most directly underpins the requirement to maintain an internal breach register even for low-risk incidents not reported to the DPA? Accountability
  19. What is the benefit of using a layered architecture approach? Separation of concerns enabling independent development and testing
  20. What is the first step in a systematic troubleshooting approach? Identify and clearly define the problem symptoms
  21. What role does the Data Protection Officer (DPO) play under GDPR? Monitors and advises on GDPR compliance
  22. Under GDPR Article 47, Binding Corporate Rules (BCRs) must be approved by: The relevant national supervisory authority and recognized by other EEA authorities
  23. When is automation NOT appropriate? For one-time tasks or processes requiring complex human judgment
  24. A retailer processes customer data solely to fulfill an online purchase order. Which lawful basis under Article 6 applies? Contract
  25. How many lawful bases for processing personal data are defined under Article 6 of the GDPR? 6
  26. What does the right to object allow individuals to do? Object to specific processing of their data
  27. What is the recommended approach for testing automation scripts? Test in a non-production environment with realistic data before deployment
  28. What is the purpose of a staging environment? To test configurations and changes before deploying to production
  29. When a processor becomes aware of a personal data breach, what is their primary obligation toward the controller under Article 33(2)? Notify the controller without undue delay
  30. What role does documentation play in system architecture? It enables team understanding, maintenance, and future development decisions
Turn these facts into recall: