
GDPR Data Privacy Overview

Jun 16, 2025

Overview

This lecture covers key concepts in data privacy, focusing on GDPR principles, lawful processing bases, data subject rights, and exam preparation strategies for certifications like CIPP/E.

Certifications & Their Focus

  • CIPP (Certified Information Privacy Professional) has regional concentrations covering different jurisdictions' privacy laws; CIPP/E focuses on GDPR and EU data protection law.
  • CIPM (Certified Information Privacy Manager) targets privacy program management and operations.
  • CIPT (Certified Information Privacy Technologist) centers on embedding privacy into technology solutions.
  • FIP (Fellow of Information Privacy) is an accreditation, not a certificate; awarded to those holding two IAPP certifications plus relevant professional experience.

Exam Preparation Strategy

  • Book the exam early to set a clear target date; 30–45 days preparation is typical.
  • Read the official textbook and participant guide thoroughly.
  • Practice only with recommended official Q&A and reputable mock exams to avoid misinformation.
  • Aim to consistently score at least 75% on practice tests.
  • Simulate exam conditions by answering 90 questions in 2.5 hours per session, matching the length and time limit of the real exam.
  • Focus on understanding logic behind answers, not just memorizing them.

GDPR Principles

  • Lawfulness, Fairness & Transparency: Process personal data only on one of the six lawful bases (Article 6); inform data subjects clearly about the processing.
  • Purpose Limitation: Use personal data only for specified, stated purposes.
  • Data Minimization: Collect only necessary and relevant data.
  • Accuracy: Ensure personal data remains accurate and up-to-date.
  • Storage Limitation: Retain data only as long as needed for its purpose.
  • Integrity & Confidentiality: Protect data against unauthorized access and breaches.
  • Accountability: Demonstrate compliance with all GDPR obligations.

Lawful Bases for Processing

  • Consent: Freely given, specific, informed, and unambiguous; must be as easy to withdraw as it was to give.
  • Contract: Necessary for the performance of a contract with the data subject, or to take steps at the data subject’s request before entering into a contract.
  • Legal Obligation: Necessary to comply with a legal obligation to which the controller is subject.
  • Vital Interest: Necessary to protect the vital interests (life or physical safety) of the data subject or another natural person, typically in emergencies.
  • Public Task: Necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Legitimate Interest: Necessary for the legitimate interests of the controller or a third party, unless overridden by the data subject’s interests, rights, or freedoms; requires a documented Legitimate Interest Assessment and is not available to public authorities performing their official tasks.

Data Subject Rights

  • Right to be Informed and Right of Access: Learn whether and how your personal data is processed, and obtain a copy of it from the organization holding it.
  • Right to Rectification: Correct inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of personal data under certain conditions, e.g. the data is no longer necessary for its purpose, consent is withdrawn, or the processing was unlawful.
  • Right to Restrict Processing: Limit processing in specific circumstances, such as while a challenge to the data’s accuracy is being verified.
  • Right to Data Portability: Receive personal data you provided in a structured, commonly used, machine-readable format and transmit it to another controller; applies to automated processing based on consent or contract.
  • Right to Object: Object to processing based on public task or legitimate interest; the right to object to direct marketing is absolute.
  • Rights regarding Automated Decision-Making: Not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, subject to limited exceptions.

Information Provision Obligations

  • When collecting personal data directly from the data subject (Article 13), provide the controller’s identity and contact details, the DPO’s contact details, purposes and lawful basis, recipients, any international transfers, retention period, data subject rights, and the right to complain to a supervisory authority; when data is obtained from another source (Article 14), also state that source.
  • Use layered notices and clear, plain, accessible language, especially for children’s data.

Key Terms & Definitions

  • Data Subject — Individual whose personal data is processed.
  • Lawful Basis — Legal grounds for processing personal data under GDPR.
  • Data Minimization — Collecting only necessary and relevant data.
  • Legitimate Interest Assessment (LIA) — Documented analysis that identifies the interest pursued, shows the processing is necessary for it, and balances it against the data subject’s interests and rights, justifying legitimate interest as the lawful basis.
  • Supervisory Authority — Independent public authority overseeing data protection in EU member states.

Action Items / Next Steps

  • Begin reading the official GDPR textbook and participant guide.
  • Schedule the certification exam and create a study plan.
  • Practice with recommended mock exams and official IAPP Q&A.
  • Review the IAPP glossary and GDPR articles, especially Articles 4–50 and 84–91.
  • Prepare notes on key principles and rights for quick revision.