CSC - Cybersecurity Compliance GDPR Data Protection Principles Questions and Answers

Question 1

A financial services company collects client data to process loan applications. The company later wants to use this same data for unsolicited marketing of third-party insurance products. Which GDPR principle would this action most likely violate?

Accepted Answer

Purpose limitation

Answer

The purpose limitation principle, outlined in Article 5(1)(b) of the GDPR, states that personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those initial purposes. Using loan application data for unrelated marketing is an incompatible purpose for which new consent would be required.

Question 2

A new social media app requires users to provide their full name, date of birth, home address, and phone number just to create a basic profile and view public content. Which GDPR data protection principle is the app failing to adhere to?

Accepted Answer

Data minimization

Answer

The data minimization principle requires that personal data collected be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. Requiring extensive personal information like a home address and phone number for a basic social media profile is excessive and not necessary for the service's core function.

Question 3

Which of the following is the BEST example of a company adhering to the GDPR's 'storage limitation' principle?

Accepted Answer

Anonymizing customer data after 5 years, when it is no longer needed for its original purpose.

Answer

The storage limitation principle dictates that personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Anonymizing or deleting data after it is no longer necessary fulfills this requirement. While encryption and backups are good security practices (integrity and confidentiality), and self-service portals aid accuracy, they don't directly address the retention period of identifiable data.

Question 4

Under the GDPR, the 'accountability' principle requires a data controller to do which of the following?

Accepted Answer

Be responsible for and able to demonstrate compliance with the GDPR principles.

Answer

The accountability principle, as per Article 5(2), mandates that the data controller is responsible for, and must be able to demonstrate, compliance with all the data protection principles. This involves maintaining documentation, implementing data protection policies, and having appropriate measures in place.

Question 5

A cybersecurity analyst discovers that customer support staff are using a shared spreadsheet on an unsecured, public cloud service to track sensitive customer issues, including names, contact details, and account numbers. This practice directly contravenes which GDPR principle?

Accepted Answer

Integrity and confidentiality

Answer

The 'integrity and confidentiality' principle requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures. Storing sensitive data in an unsecured, shared location is a clear failure to implement such measures.

(CSC) Cybersecurity Compliance Certification Practice Test

(CSC) Cybersecurity Compliance Certification Practice Test

CSC - Cybersecurity Compliance GDPR Data Protection Principles Questions and Answers