
Up to 67% of IT professionals in UK businesses are unprepared for the General Data Protection Regulation (GDPR) coming into effect on 25th May 2018, revealed Spiceworks’ “IT data Snapshot” survey.

What is GDPR?

GDPR builds on the current Data Protection Act (DPA), extending the right of the individual
and forcing organisations to adhere to clear policies and procedures that protect EU citizens’
data.

The new regulations will affect all aspects of your business – this includes how IT security teams safely store this data and effectively re-engineer breach detection. Plus, a lack of compliance with the GDPR can lead to severe fines.

How will it affect my business?

Any business that stores EU citizens’ data, regardless of whether or not they’re in the EU,
will be affected by GDPR.

Read this blog post on the 6 things you need to know about GDPR to understand how your
business is affected by GDPR and how to plan for it.

To help you prepare for your GDPR Practitioner exam and to give you an idea of the
complexities of the new GDPR regulations, we’ve included 10 official exam sample
questions that could be included on our official GDPR Practitioner course:

1. Which of the following controller/processing scenarios in principle CAN use the Public
Interest legal basis?

A. A vehicle licensing agency selling owner names and contact details to the private sector in
exchange for money

B. A company director credit checking agency republishing the contents of a Mandatory Public Register of directors which is already in the public domain publishing the names and addresses of directors on the internet

C. A registered and regulated charity receiving information from any public sector body as
part of a lawful Data Sharing Agreement

D. None of the above

2. Where the data subject is a child, what steps must controllers take in respect of consent, within the constraints of available technology?

A. Controllers must make best efforts to verify the consent

B. Controllers must make reasonable efforts to verify the consent

C. Controllers must make best efforts to request the consent in clear and plain language, in
the context of the age of the child

D. Controllers must make reasonable efforts to request the consent in clear and plain
language, in the context of the age of the child

3. "While implementing certain data subject rights the controller is NOT obliged by Article
19 to inform each third party recipient of the personal data" For which of the following
rights is that statement TRUE?

A. "Non-profiling" under Article 22

B. Rectification under Article 16

C. Erasure / "right to be forgotten" under Article 17

D. Restriction under Article 18

4. For purposes of a data protection impact assessment, when must the controller seek the
views of data subjects or their representatives on the intended processing?

A. Always

B. Never

C. When appropriate

D. When the supervisory authority requests it

5. Regarding data subjects protected by the GDPR, which of the following statements is
true?

A. The GDPR protects only people who are physically located in the EU

B. The GDPR protects only EU citizens

C. The GDPR protects only EU residents

D. The GDPR protects only EU domiciliaries

6. In respect of non-profit representation of data subjects, which of the following statements is FALSE?

A. For a not-for-profit body, organisation to execute a mandate on behalf of a data subject, it must have been properly constituted in accordance with the law of a Member State.

B. Member State laws may provide that not-for-profit bodies may bring complaints under
Articles 77, 78, and 79 in the absence of mandates from affected data subjects.

C. Any data subject has the right to mandate any not-for-profit body, organisation or
association to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and
to exercise the right to receive compensation referred to in Article 82 on his or her behalf.

D. Unless a Member State's laws facilitate it, a not-for-profit body cannot exercise the right to
receive compensation referred to in Article 82 on a data subject's behalf.

How did you do?


Highlight the text to see the answers:

1. D

2. B

3. A

4. C

5. A

6. C

Update - More GDPR exam questions

PECB, a leading certification body for accrediting GDPR and data protection skills, has also
provided practice exam questions.

These exam questions relate to the GDPR Foundation certification and are great examples of
what you might expect on an entry-level GDPR exam.

Question 1 (5 points): Please list at least five GDPR implementation advantages.

Possible answer

Some of the advantages that organisations gain due to GDPR implementation include:
1. More confidence in transactions between the data subjects and data processors
2. Following a single regulation
3. Setting a framework that provides reasonable assurance of privacy
4. Establishment of a trustworthy reputation in the global market
5. Maximising the possibilities to provide safe data processing services

Question 2 (5 points): Considering that the aim of General Data Protection Regulation is
to ensure a consistent level of protection for natural persons throughout the European
Union and to prevent divergences hampering the free movement of personal data, please
list at least five changes that an organisation can face due to its implementation.

Possible answer

Some of the changes that an organisation can face due to GDPR implementation include:

1. Appointment of a data protection officer
2. Drafting and establishing new policies regarding the international data transfers
3. Drafting and establishing new policies regarding the notification of a data breach
4. Drafting and establishing new policies that require compliance with the principles of
data processing activities
5. Drafting and establishing new policies that require compliance to data subject rights

Question 3 (5 points): Organisations wanting to comply with the General Data Protection
Regulation shall respect the data subject rights. Please provide at least one concrete action
that would support an organisation in complying with the following rights.

Right to data portability (Article 18)

Possible answer:

- Documented policy that enables the data subject to request restriction of processing his/her personal data if such processing is unlawful

Right to object (Article 21)

Possible answer:

- Establishment of a policy that enables the data subject to object at any time to processing of his/her personal data for marketing purposes

Question 4 (5 points): Please define what measures an organisation can implement to
demonstrate compliance with the following:

Security of processing

Possible answer:

1. Establish a procedure that defines what technical and organisational measures shall be
implemented to demonstrate compliance with the GDPR
2. Establish a system that assesses the appropriate level of security when processing
activities are carried out

How to learn GDPR fast

Whether or not you got the answers right, upskill your team and prepare your business in
time with Firebrand’s accelerated 3-day GDPR Practitioner Certification - built by a former
Data Manager and Solicitor of the Supreme Courts of England and Wales.
