220-1102 | Chapter 122 of 131 | Objective 4.5

GDPR Basics for Technicians

This chapter covers the basics of the General Data Protection Regulation (GDPR) for IT technicians, focusing on how it impacts your daily work handling personal data. GDPR is a critical component of CompTIA A+ 220-1102 Domain 4.0 (Operational Procedures), specifically Objective 4.5: 'Given a scenario, apply the basics of GDPR to protect personal data.' While GDPR questions may not be numerous, they are high-stakes because they test your understanding of legal obligations and data subject rights. Mastering this chapter will help you answer scenario-based questions about data breaches, consent, and data subject access requests.

25 min read
Intermediate
Updated May 31, 2026

GDPR is Like a Hotel Guest Privacy System

Imagine you run a hotel. Each guest (data subject) checks in and provides personal information (name, address, credit card). The hotel (data controller) decides why this info is collected (e.g., booking, payment). The hotel staff (data processors) handle the data to provide services. Now, a new law says guests have rights: they can ask what info you have, correct errors, or demand deletion. You must keep a log of who accessed each guest's file, and you can only share info with third parties (e.g., taxi service) if the guest explicitly agrees. If you break the rules, you face huge fines. The hotel must also appoint a privacy officer (DPO) if it handles lots of sensitive data. This mirrors GDPR: the controller determines purposes, the processor acts on instructions, the data subject has rights, and accountability is enforced via fines up to 4% of global turnover.

How It Actually Works

What is GDPR and Why Does It Exist?

The General Data Protection Regulation (GDPR) is a European Union regulation (Regulation (EU) 2016/679) that became applicable on May 25, 2018. It replaced the 1995 Data Protection Directive and aims to give individuals control over their personal data and simplify the regulatory environment for international business. GDPR applies to any organization that processes personal data of individuals in the EU, regardless of where the organization is located. This extraterritorial reach means US-based technicians must understand it.

Key Definitions

Personal Data: Any information relating to an identified or identifiable natural person ('data subject'). This includes names, email addresses, location data, IP addresses, and biometric data.

Processing: Any operation performed on personal data, such as collection, recording, storage, retrieval, use, disclosure, or deletion.

Data Controller: The entity that determines the purposes and means of processing personal data. For example, a company that collects customer data for marketing.

Data Processor: The entity that processes personal data on behalf of the controller. For example, a cloud storage provider that hosts the data.

Data Subject: The individual whose personal data is processed.

Supervisory Authority: An independent public authority established by an EU member state to monitor GDPR compliance (e.g., ICO in the UK, CNIL in France).

Data Protection Officer (DPO): A person appointed by the controller or processor to oversee data protection strategy and compliance. Required for public authorities, organizations that engage in large-scale systematic monitoring, or large-scale processing of special categories of data.

Core Principles of GDPR (Article 5)

1. Lawfulness, Fairness, and Transparency: Processing must be lawful, fair, and transparent to the data subject.

2. Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

3. Data Minimization: Data must be adequate, relevant, and limited to what is necessary for the purposes.

4. Accuracy: Data must be accurate and kept up to date.

5. Storage Limitation: Data must be kept in a form that permits identification of data subjects for no longer than necessary.

6. Integrity and Confidentiality (Security): Data must be processed in a manner that ensures appropriate security.

7. Accountability: The controller is responsible for and must be able to demonstrate compliance.

Legal Basis for Processing (Article 6)

Processing is only lawful if at least one of the following applies:

- Consent: The data subject has given clear consent.
- Contract: Processing is necessary for a contract or to take steps before entering a contract.
- Legal Obligation: Processing is necessary for compliance with a legal obligation.
- Vital Interests: Processing is necessary to protect someone's life.
- Public Task: Processing is necessary for the performance of a task in the public interest or official authority.
- Legitimate Interests: Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the data subject's interests or rights.

Data Subject Rights (Chapter 3)

Right to be Informed: Controllers must provide information about processing in a concise, transparent, and easily accessible form.

Right of Access: Data subjects have the right to obtain confirmation of processing and access to their personal data.

Right to Rectification: Data subjects can have inaccurate data corrected.

Right to Erasure (Right to be Forgotten): Data subjects can request deletion of their data when it is no longer necessary, consent is withdrawn, or processing is unlawful.

Right to Restrict Processing: Data subjects can limit how their data is used.

Right to Data Portability: Data subjects can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object: Data subjects can object to processing based on legitimate interests or direct marketing.

Rights in Relation to Automated Decision Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing that produces legal effects.

Breach Notification (Articles 33-34)

Notification to Supervisory Authority: Must be made within 72 hours of becoming aware of a personal data breach.

Notification to Data Subjects: Required if the breach is likely to result in a high risk to the rights and freedoms of individuals. Must be communicated without undue delay.

Documentation: Controllers must document all breaches, including facts, effects, and remedial actions.

Fines and Penalties (Article 83)

Non-compliance can result in administrative fines up to:

- €10 million or 2% of global annual turnover (whichever is higher) for violations related to internal record-keeping, data protection by design, DPO appointment, and breach notification.
- €20 million or 4% of global annual turnover (whichever is higher) for violations related to basic principles, consent, data subject rights, and international transfers.

Data Protection by Design and Default (Article 25)

Organizations must implement appropriate technical and organizational measures to integrate data protection into processing activities. By default, only personal data necessary for each specific purpose should be processed.

International Transfers (Chapter V)

Personal data can only be transferred to countries outside the EU if adequate protection is ensured. Mechanisms include:

- Adequacy Decisions: The European Commission decides that a country ensures adequate protection.
- Standard Contractual Clauses (SCCs): Pre-approved contracts between the data exporter and importer.
- Binding Corporate Rules (BCRs): Internal rules for multinational groups.
- Derogations: Specific situations such as explicit consent or processing necessary for a contract.

Role of the IT Technician

Technicians often handle personal data as part of their job. Key responsibilities:

Ensure systems are configured to protect personal data (e.g., encryption, access controls).

Respond to data subject access requests (DSARs) by retrieving and providing data.

Assist in breach detection and response.

Implement data retention and deletion policies.

Use secure methods for data disposal (e.g., degaussing, shredding, wiping).

Practical Steps for Compliance

Data Mapping: Identify where personal data is stored, processed, and transmitted.

Privacy Notices: Ensure clear notices are provided to data subjects.

Consent Management: Obtain and manage consent records.

Access Controls: Implement least privilege principle.

Encryption: Use encryption for data at rest and in transit.

Incident Response Plan: Have a plan for breach detection and notification.

Training: Educate staff on GDPR requirements.

Common Exam Scenarios

A user requests deletion of their data: Apply the right to erasure. Check if any legal obligation prevents deletion.

A company wants to use customer data for a new purpose: Must obtain new consent or ensure it's compatible with original purpose.

A data breach occurs: Notify supervisory authority within 72 hours; notify affected individuals if high risk.

A technician needs to dispose of old hard drives: Use secure erasure or physical destruction.

Key Terms to Remember

PII (Personally Identifiable Information): US term; GDPR uses 'personal data'.

DPA (Data Processing Agreement): Contract between controller and processor.

DPIA (Data Protection Impact Assessment): Required for high-risk processing.

SAR (Subject Access Request): Request for access to personal data.

ICO (Information Commissioner's Office): UK supervisory authority.

Exam Tips

Memorize the 72-hour breach notification window.

Know the difference between controller and processor.

Understand data subject rights, especially right to erasure.

Recognize that GDPR applies to any company handling EU residents' data.

Be aware of the maximum fines (€20 million or 4% of global turnover).

Walk-Through

1. Identify Personal Data in Systems

The first step is to locate where personal data resides within your organization's IT infrastructure. This includes databases, file shares, email archives, backup tapes, cloud storage, and even logs. For example, a customer database contains names, addresses, and payment details. A technician might run a data discovery tool or manually audit systems. This step is crucial because you cannot protect what you don't know. In an exam scenario, you might be asked what to do first when implementing GDPR compliance – the answer is often 'identify where personal data is stored.'
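As an added illustration (not part of the original chapter), here is a small personal-data discovery scan in Python over a few constructed sample files. It flags the identifier types the chapter lists as personal data (email addresses, IP addresses, phone numbers) and reports which files contain them. The file paths, file contents and regex patterns are all assumptions made for the example; a real audit still reviews every hit by hand, because a regex only finds candidates.

```python
import re
from collections import defaultdict

# Constructed sample files standing in for a file-share audit (not real data).
SAMPLE_FILES = {
    "shares/hr/onboarding.txt": "New starter: Ana Ruiz, ana.ruiz@example.com, started 2024-03-01.",
    "shares/it/server.log": "2024-05-02 10:15:01 login ok user=jdoe src=203.0.113.42",
    "shares/finance/readme.txt": "Quarterly figures are in the spreadsheet. No customer data here.",
    "shares/sales/leads.csv": "name,email,phone\nBob Lee,bob@example.org,+44 20 7946 0958\n",
}

# Patterns for identifiers GDPR treats as personal data. These are deliberately
# simple; they find candidates for a human to confirm, not a legal determination.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\+\d{1,3}[\s\d]{7,}\d"),
}


def scan_text(text):
    """Return {category: sorted unique matches} for one file's contents."""
    found = {}
    for category, pattern in PATTERNS.items():
        hits = sorted(set(pattern.findall(text)))
        if hits:
            found[category] = hits
    return found


def scan_files(files):
    """Return {path: {category: [matches]}} listing only files that hold personal data."""
    report = {}
    for path, text in files.items():
        found = scan_text(text)
        if found:
            report[path] = found
    return report


def summarize(report):
    """Count findings per category across all files, for the data map."""
    counts = defaultdict(int)
    for found in report.values():
        for category, hits in found.items():
            counts[category] += len(hits)
    return dict(counts)


if __name__ == "__main__":
    report = scan_files(SAMPLE_FILES)
    for path, found in report.items():
        print(path, found)
    print("totals:", summarize(report))
```

The output is the starting point for the data map in the "Practical Steps" section: each flagged path becomes a row recording where personal data is stored, who owns it, and which legal basis covers it.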

2. Classify Data and Determine Legal Basis

Once personal data is identified, classify it by sensitivity (e.g., special categories like health data). Determine the legal basis for processing each dataset – consent, contract, legal obligation, etc. For example, processing employee data is necessary for the employment contract. This step affects how you handle data subject rights. If processing is based on consent, you must be able to withdraw consent easily. The exam may test that processing for a new purpose requires a new legal basis.

3. Implement Data Protection Measures

Apply technical controls to protect personal data. This includes encryption at rest (e.g., AES-256) and in transit (TLS 1.2+), access controls (least privilege), pseudonymization, and anonymization. For example, encrypt a database containing customer PII. Also implement data retention policies – auto-delete data after a set period. The exam expects you to know that encryption is a key security measure, but not a silver bullet – you still need access controls.

4. Respond to Data Subject Requests

When a data subject exercises their rights (e.g., access, erasure), you must respond within one month (extendable by two months for complex requests). For a right to erasure request, you must securely delete all copies of the data, including backups, unless there is a legal obligation to retain it. In an exam, you might be asked what to do when a user requests deletion – the correct answer is to delete the data unless a legal hold applies.

5. Detect and Report Data Breaches

If a breach occurs, you must notify the supervisory authority within 72 hours. Document the nature of the breach, categories of data involved, and likely consequences. If the breach poses a high risk to individuals, you must also notify the affected data subjects without undue delay. As a technician, you might be the first to detect a breach via intrusion detection systems or log analysis. The exam tests the 72-hour timeline and the conditions for notifying individuals.
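The breach step above in code, as an added example that is not from the original chapter: a breach record holding the facts the chapter says must be documented (nature, categories of data, likely consequences, remedial actions), plus a function that works out the 72-hour authority deadline from the moment of awareness, whether a late filing needs a reasoned justification, and whether affected individuals must be told (high-risk breaches only). The timestamps and breach details are constructed; the field names are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Article 33: notify the supervisory authority within 72 hours of becoming aware.
AUTHORITY_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    """Internal record every breach needs, whether or not it is reportable."""
    aware_at: datetime                  # when the controller became aware of the breach
    nature: str                         # what happened
    data_categories: List[str]          # e.g. ["names", "email addresses"]
    approx_subjects: int                # approximate number of people affected
    likely_consequences: str            # assessed effect on those people
    remedial_measures: List[str] = field(default_factory=list)
    high_risk: bool = False             # likely high risk to rights and freedoms?
    authority_notified_at: Optional[datetime] = None


def authority_deadline(record):
    """Latest time the supervisory authority must be notified."""
    return record.aware_at + AUTHORITY_WINDOW


def hours_after(record, hours):
    """Helper: a point in time 'hours' after the controller became aware."""
    return record.aware_at + timedelta(hours=hours)


def notification_plan(record, now):
    """What is due at 'now': authority notification (Art. 33), data-subject
    notification (Art. 34, high-risk only), and whether a justification is needed."""
    deadline = authority_deadline(record)
    notified = record.authority_notified_at
    overdue = notified is None and now > deadline
    filed_late = notified is not None and notified > deadline
    return {
        "authority_deadline": deadline,
        "hours_remaining": max(0.0, (deadline - now).total_seconds() / 3600),
        "authority_overdue": overdue,
        "reasoned_justification_required": overdue or filed_late,
        "notify_data_subjects": record.high_risk,
        "record_complete": bool(record.nature and record.data_categories
                                and record.likely_consequences and record.remedial_measures),
    }


def example_record():
    """Constructed breach: an exposed customer export (sample values only)."""
    aware = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    return BreachRecord(aware, "misconfigured storage bucket exposed a customer export",
                        ["names", "email addresses"], 1200,
                        "phishing and identity-fraud risk for affected customers",
                        ["bucket made private", "access keys rotated"], high_risk=True)


if __name__ == "__main__":
    rec = example_record()
    print(notification_plan(rec, hours_after(rec, 24)))
```

The clock starts at awareness, not at the time of the incident, which is why the record stores aware_at explicitly; detection via logs or an intrusion detection system is usually the moment that field gets filled in.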

What This Looks Like on the Job

In a real enterprise, GDPR compliance is a cross-departmental effort. For example, a US-based e-commerce company selling to EU customers must comply. The IT team works with legal to map data flows: customer data flows from the website to a CRM (Salesforce), then to a payment processor (Stripe), and is backed up to AWS S3. The technician configures encryption on S3 buckets (AES-256), enables TLS for the website, and sets up access controls so only authorized staff can view customer data. They also implement a data retention policy: delete customer data 7 years after last purchase (for tax compliance).

Another scenario: a healthcare provider in the EU uses a cloud-based EHR system. The provider (controller) signs a Data Processing Agreement (DPA) with the cloud vendor (processor). The technician ensures that the vendor's data centers are in the EU or in a country with an adequacy decision. They also enable audit logging to track who accesses patient records. When a patient requests access to their health data, the technician extracts the data in a machine-readable format (e.g., JSON) and provides it within the one-month deadline.

Common pitfalls: forgetting to include backups in deletion requests – you must delete data from all copies. Another is failing to update privacy notices when processing purposes change. Performance considerations: responding to many DSARs can be resource-intensive; automation tools can help. Misconfiguration exposes data – e.g., a misconfigured S3 bucket containing PII leads to a breach. The technician must then follow the breach notification process, and a breach of this kind can cost millions in fines and reputational damage.
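The retention policy and the "delete from all copies" pitfall from the paragraphs above, as an added Python example (not the company's or the chapter's own code). It models a primary customer store plus a backup copy, a right-to-erasure handler that removes a record from every copy unless a legal hold applies, and a retention sweep that erases records 7 years after the last purchase. The customer records, the legal_hold flag and the two-store layout are assumptions for the example.

```python
from datetime import date, timedelta

# Chapter's retention example: keep customer records 7 years after the last purchase.
RETENTION_AFTER_LAST_PURCHASE = timedelta(days=7 * 365)


def fresh_stores():
    """Constructed primary store and a backup copy of it. 'legal_hold' marks a record
    that a legal obligation (e.g. tax record-keeping) requires the company to retain."""
    primary = {
        "c1": {"name": "Ana Ruiz", "last_purchase": date(2015, 1, 10), "legal_hold": False},
        "c2": {"name": "Bob Lee", "last_purchase": date(2023, 8, 2), "legal_hold": False},
        "c3": {"name": "Cy Park", "last_purchase": date(2016, 5, 5), "legal_hold": True},
    }
    backup = {cid: dict(rec) for cid, rec in primary.items()}
    return [primary, backup]


def copies_remaining(customer_id, stores):
    """How many stores (primary or backup) still hold this customer."""
    return sum(1 for store in stores if customer_id in store)


def erase(customer_id, stores, audit_log):
    """Right to erasure: remove the record from every copy unless a legal hold applies.
    Every outcome is logged so the controller can demonstrate compliance (accountability)."""
    record = stores[0].get(customer_id)
    if record is None:
        audit_log.append((customer_id, "not_found"))
        return "not_found"
    if record["legal_hold"]:
        audit_log.append((customer_id, "refused_legal_hold"))
        return "refused"
    for store in stores:  # primary AND backups; a copy left in a backup is the classic pitfall
        store.pop(customer_id, None)
    audit_log.append((customer_id, "erased"))
    return "erased"


def retention_sweep(stores, today, audit_log):
    """Storage limitation: erase records past the retention period, honouring legal holds.
    Returns {customer_id: outcome} for every record the sweep considered."""
    expired = [cid for cid, rec in stores[0].items()
               if today - rec["last_purchase"] > RETENTION_AFTER_LAST_PURCHASE]
    return {cid: erase(cid, stores, audit_log) for cid in expired}


if __name__ == "__main__":
    stores, log = fresh_stores(), []
    print(retention_sweep(stores, date(2024, 6, 1), log))
    print(erase("c2", stores, log), log)
```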

How 220-1102 Actually Tests This

The 220-1102 exam tests GDPR basics under Objective 4.5. Expect scenario-based questions where you must apply GDPR principles. The most common wrong answers:

1. 'GDPR only applies to EU companies' – Wrong. It applies to any organization processing EU residents' data.
2. 'You have 30 days to report a breach' – Wrong. The correct time is 72 hours.
3. 'Consent is always required' – Wrong. There are five other legal bases.
4. 'You can ignore a deletion request if it's inconvenient' – Wrong. You must comply unless a legal exception applies.

Key numbers and terms that appear verbatim:

- 72 hours for breach notification.
- 1 month for responding to data subject requests (extendable by 2 months).
- Fines up to €20 million or 4% of global annual turnover.
- Data controller vs. data processor.
- Right to erasure (right to be forgotten).
- Data Protection Officer (DPO).

Edge cases: The exam may test that a company can refuse a deletion request if processing is necessary for legal compliance (e.g., tax records). Also, pseudonymized data is still personal data if the key to re-identify is kept separately. Anonymized data is not personal data.
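Walk-Through step 3 lists pseudonymization and anonymization as protection measures, and the edge case above says why the distinction matters: pseudonymized data stays personal data because a separately held key can re-identify it. As an added Python example (not from the original chapter), the code below pseudonymizes email addresses with a keyed HMAC, shows the re-identification only the key holder can do, and anonymizes by generalising quasi-identifiers; a k-anonymity check then shows that generalisation alone can still single someone out. The customer records, the HMAC tokenisation and the field names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed customer records: one direct identifier (email) and two quasi-identifiers.
RECORDS = [
    {"email": "ana.ruiz@example.com", "postcode": "SW1A 1AA", "age": 34, "order_total": 120.0},
    {"email": "bob@example.org", "postcode": "SW1A 2BB", "age": 41, "order_total": 80.0},
    {"email": "cy.park@example.net", "postcode": "SW1A 3CC", "age": 37, "order_total": 45.5},
]


def new_key():
    """Pseudonymization key. It must be stored separately from the pseudonymized data;
    whoever holds it can reverse the tokens, which is why the data stays personal data."""
    return secrets.token_bytes(32)


def token_for(email, key):
    """Keyed token for one identifier (HMAC-SHA256, truncated for readability)."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Swap the direct identifier for a keyed token; everything else is kept."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k != "email"}
        pseudo["subject_token"] = token_for(rec["email"], key)
        out.append(pseudo)
    return out


def reidentify(token, known_emails, key):
    """Re-identification: only possible with the key and a list of candidate subjects."""
    for email in known_emails:
        if hmac.compare_digest(token_for(email, key), token):
            return email
    return None


def anonymize(records):
    """Drop the direct identifier and generalise quasi-identifiers. No key exists,
    so nothing in the output can be reversed; whether it identifies anyone is checked below."""
    return [{
        "postcode_area": rec["postcode"].split()[0],                          # "SW1A 1AA" -> "SW1A"
        "age_band": f"{rec['age'] // 10 * 10}-{rec['age'] // 10 * 10 + 9}",  # 34 -> "30-39"
        "order_total": rec["order_total"],
    } for rec in records]


def k_anonymity(rows, quasi_identifiers):
    """Smallest number of rows sharing one combination of quasi-identifiers.
    k == 1 means a row still singles out one person, so the data is not yet anonymous."""
    groups = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return min(groups.values())


if __name__ == "__main__":
    key = new_key()
    pseudo = pseudonymize(RECORDS, key)
    print(pseudo[0], "->", reidentify(pseudo[0]["subject_token"], [r["email"] for r in RECORDS], key))
    anon = anonymize(RECORDS)
    print(anon, "k =", k_anonymity(anon, ["postcode_area", "age_band"]))
```

On the three constructed rows the k-anonymity check returns 1: the "anonymized" table still contains exactly one person in the 40-49 band, so it cannot be treated as outside GDPR until that combination is further generalised or suppressed. That is the practical check behind the exam rule that anonymized data is not personal data: the claim has to be verified, not assumed.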

To eliminate wrong answers, focus on the underlying mechanism: GDPR is about protecting individuals' rights. If an answer ignores a data subject's right or allows excessive data collection, it is likely wrong. Also, remember that GDPR requires accountability – you must be able to prove compliance.

Key Takeaways

GDPR applies to any organization processing EU residents' personal data, regardless of location.

Breach notification must be made within 72 hours to the supervisory authority.

Data subject access requests must be responded to within one month (extendable by two months).

Maximum fines are €20 million or 4% of global annual turnover, whichever is higher.

There are six legal bases for processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests.

Data controllers determine processing purposes; data processors act on instructions.

Right to erasure (right to be forgotten) allows data subjects to request deletion of their data.

A Data Protection Officer (DPO) is required for certain organizations, not all.

Pseudonymized data is still personal data; anonymized data is not.

Data Protection Impact Assessments (DPIAs) are required for high-risk processing.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Data Controller

Determines purposes and means of processing.

Responsible for compliance and data subject rights.

Must have a legal basis for processing.

Signs a DPA with the processor.

Example: A hospital that collects patient data.

Data Processor

Processes data on behalf of the controller.

Must follow controller's instructions.

Must implement security measures.

Can only engage sub-processors with controller's consent.

Example: A cloud storage provider hosting the data.

Watch Out for These

Mistake

GDPR only applies to European companies.

Correct

GDPR applies to any organization that processes personal data of individuals in the EU, regardless of where the organization is based. This includes US companies with EU customers.

Mistake

You must always obtain consent to process personal data.

Correct

Consent is only one of six legal bases. Others include contract, legal obligation, vital interests, public task, and legitimate interests.

Mistake

A data breach must be reported to the supervisory authority immediately.

Correct

The standard is 'without undue delay' and, in any case, within 72 hours of becoming aware of the breach. 'Immediately' is not the requirement the exam expects; 72 hours is the figure to remember.

Mistake

Anonymized data is still considered personal data under GDPR.

Correct

Anonymized data (irreversibly de-identified) is not personal data. However, pseudonymized data (where a key can re-identify) is still personal data.

Mistake

A Data Protection Officer (DPO) is required for all companies.

Correct

A DPO is only required for public authorities, organizations that engage in large-scale systematic monitoring, or large-scale processing of special categories of data.


Frequently Asked Questions

What is the difference between a data controller and a data processor?

The data controller determines the purposes and means of processing personal data. The data processor processes data on behalf of the controller. For example, a company (controller) uses a cloud service (processor) to store customer data. The controller is responsible for compliance, while the processor must follow the controller's instructions and implement security measures. The exam often tests this distinction in scenario questions.

How long do I have to report a data breach under GDPR?

You must notify the supervisory authority within 72 hours of becoming aware of the breach. If you fail to do so, you must provide a reasoned justification for the delay. Additionally, if the breach is likely to result in a high risk to individuals, you must also notify the affected data subjects without undue delay. This 72-hour window is a key exam point.

What are the penalties for non-compliance with GDPR?

Fines can be up to €10 million or 2% of global annual turnover for less severe violations (e.g., record-keeping), and up to €20 million or 4% of global annual turnover for more severe violations (e.g., processing without a legal basis). The higher of the two amounts applies. These figures are commonly tested on the exam.

What is the right to be forgotten?

The right to erasure, also known as the right to be forgotten, allows data subjects to request the deletion of their personal data. Controllers must comply if the data is no longer necessary, consent is withdrawn, processing is unlawful, or a legal obligation requires erasure. However, exceptions exist, such as when processing is needed for exercising freedom of expression or for complying with a legal obligation that requires the data to be retained.

Does GDPR require a Data Protection Officer (DPO) for every company?

No. A DPO is only required for public authorities, organizations that engage in large-scale systematic monitoring of individuals, or organizations that process large amounts of special categories of data (e.g., health data). Many smaller companies do not need a DPO. The exam may test when a DPO is mandatory.

What is a Data Protection Impact Assessment (DPIA)?

A DPIA is a process to identify and minimize data protection risks. It is required when processing is likely to result in a high risk to individuals' rights and freedoms, such as using new technologies, profiling, or processing sensitive data on a large scale. The DPIA must contain a systematic description of processing, assessment of necessity and proportionality, and risk mitigation measures.

Can I transfer personal data outside the EU?

Yes, but only if adequate safeguards are in place. Mechanisms include adequacy decisions (e.g., EU-US Data Privacy Framework), Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or explicit consent from the data subject. Transfers to countries without adequate protection are generally prohibited unless a derogation applies.
