Skip to content

This textbook is in beta – content is actively being refined. Report issues or suggestions

16.02 Privacy By Design - Quiz

Check your understanding

  1. What is the core principle of data minimization?

    • Collect as much data as possible for future use
    • Collect, process, and store only necessary personal data { data-correct }
    • Always encrypt all collected data
    • Delete all data after 30 days

  2. Which of the seven Privacy by Design principles requires that privacy protections are the default setting?

    • Proactive not Reactive
    • Privacy as the Default { data-correct }
    • Privacy Embedded into Design
    • End-to-End Security

  3. Under GDPR, valid consent must be all of the following EXCEPT:

    • Freely given
    • Specific
    • Permanent and irrevocable { data-correct }
    • Informed and unambiguous

  4. What is the maximum time allowed under GDPR to respond to a data subject access request?

    • 7 days
    • 15 days
    • 30 days { data-correct }
    • 90 days

  5. Which type of data processing typically requires explicit consent under GDPR?

    • Processing necessary for a contract
    • Processing for legal compliance
    • Marketing communications { data-correct }
    • Processing for legitimate interests

  6. What is purpose limitation in privacy law?

    • Limiting the amount of data collected
    • Using data only for the purposes it was collected for { data-correct }
    • Limiting data retention to one year
    • Restricting data access to one person

  7. When is a Privacy Impact Assessment (PIA) typically required?

    • For all data processing activities
    • Only for marketing activities
    • For high-risk processing activities { data-correct }
    • Only when there’s a data breach

  8. Which GDPR right allows individuals to receive their personal data in a machine-readable format?

    • Right of access
    • Right to rectification
    • Right to data portability { data-correct }
    • Right to be forgotten

  9. What should happen immediately when a user withdraws consent for data processing?

    • Data should be deleted within 30 days
    • Processing based on that consent should stop immediately { data-correct }
    • User should be asked to reconsider
    • Processing can continue for 7 more days

  10. Which data category typically has the longest retention period?

    • Marketing preferences
    • Website analytics data
    • Essential account data required by law { data-correct }
    • User session data

  11. What is the main benefit of implementing data minimization?

    • Faster database queries
    • Reduced attack surface and privacy risks { data-correct }
    • Lower storage costs only
    • Simplified user interface design

  12. Under GDPR, which legal basis does NOT require user consent?

    • Marketing communications
    • Behavioral analytics for advertising
    • Processing necessary for service delivery { data-correct }
    • Personalized content recommendations

  13. What should be included in a consent request to make it GDPR-compliant?

    • Only a checkbox with “I agree”
    • Clear information about purposes, data types, and rights { data-correct }
    • A legal disclaimer only
    • Just the company’s privacy policy link

  14. Which scenario would likely require consultation with a privacy authority?

    • Basic user registration system
    • Simple newsletter signup
    • High-risk automated decision making with sensitive data { data-correct }
    • Standard website analytics

  15. What is the primary purpose of purpose limitation controls?

    • To reduce data storage costs
    • To prevent unauthorized use of personal data { data-correct }
    • To improve system performance
    • To simplify database design

  16. When can an organization reject a “right to be forgotten” request?

    • Never, all requests must be honored
    • When there are legal obligations to retain the data { data-correct }
    • When the data is less than one year old
    • When the user is a premium customer

  17. What is a key component of effective consent management?

    • Making consent permanent once given
    • Hiding consent options in terms of service
    • Enabling easy consent withdrawal { data-correct }
    • Requiring payment for consent changes

  18. Which practice best supports data minimization?

    • Collecting extra data “just in case”
    • Using separate forms for different purposes { data-correct }
    • Storing all data indefinitely
    • Combining all data into a single database

  19. What triggers the need for a Privacy Impact Assessment?

    • Any data collection activity
    • Processing that poses high risks to individual privacy { data-correct }
    • Only international data transfers
    • Processing of any financial data

  20. Under Privacy by Design, when should privacy protections be implemented?

    • After the system is built
    • During user testing
    • From the earliest design stages { data-correct }
    • Only when required by law