Exin Privacy and Data Protection Foundation PDPF Question # 32 Topic 4 Discussion
A security breach has occurred in an information system that also holds personal data. According to the GDPR, what is the very first thing the controller must do?
A. Assess the risk of adverse effects to the data subjects using a data protection impact assessment (DPIA)
B. Ascertain whether the breach may have resulted in loss or unlawful processing of personal data
C. Report the breach immediately to all data subjects and the relevant supervisory authority
D. Assess whether personal data of a sensitive nature has or may have been unlawfully processed
B. Ascertain whether the breach may have resulted in loss or unlawful processing of personal data: Correct. The very first thing that must be done is to ascertain whether the security incident is in fact a personal data breach. (Literature: A, Chapter 5)
A. Assess the risk of adverse effects to the data subjects using a data protection impact assessment (DPIA): Incorrect. A DPIA is conducted when designing personal data processing operations; it is not part of the procedure for handling a data breach.
D. Assess whether personal data of a sensitive nature has or may have been unlawfully processed: Incorrect. This is the next step, taken once the incident proves to be a personal data breach, to ascertain what type of data breach it is.
C. Report the breach immediately to all data subjects and the relevant supervisory authority: Incorrect. Whether the data breach needs to be reported, and to whom, depends on whether it is a personal data breach at all and, if so, on the type of data breach.