Under the General Data Protection Regulation (GDPR), which of the following situations would LEAST likely require a controller to notify a data subject?
A.
An encrypted USB key with sensitive personal data is stolen
B.
A direct marketing email is sent with recipients visible in the ‘cc’ field
C.
Personal data of a group of individuals is erroneously sent to the wrong mailing list
D.
A hacker publishes usernames, phone numbers and purchase history online after a cyber-attack
Ultimately, A could absolutely be seen as less likely to require notification by the strict letter of the law if encryption is in place and there's minimal risk of decryption. But, if we're looking at risk factors in the broader sense, B could very well be a case where notification wouldn't always be required unless harm is foreseeable.
A. An encrypted USB key with sensitive personal data is stolen.
Explanation:
Under the GDPR, if personal data has been encrypted or pseudonymized and the keys to unlock the encryption or pseudonymization are not compromised, it can be considered safe from being accessed in an unauthorized manner. Thus, the loss or theft of an encrypted USB key with sensitive personal data would be considered a data breach, but it might not necessarily require notification to the data subjects, especially if there's a low risk of harm to the individuals due to the encryption.
I suggest A, GDPR suggests if in the case there is reasonable protection like encryption it is likely that notification is not needed
upvoted 2 times
...
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
0ef35ef
1 week agoalaaz
2 months agocarlosbui
1 year, 2 months agoSsourav
1 year, 4 months agoemily0922
1 year, 5 months ago