OneTrust Certified Privacy Professional Practice Exam

Prepare for the OneTrust Certified Privacy Professional Exam with detailed questions and explanations. Utilize flashcards and comprehensive MCQs to ensure you're ready to excel in your certification journey.

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


What does GDPR mandate regarding personal data processing practices?

  1. They should be complex and multi-layered

  2. They should respect data subjects' rights

  3. They can be exploitative without consequences

  4. They should focus solely on organizational benefits

The correct answer is: They should respect data subjects' rights

The General Data Protection Regulation (GDPR) mandates that personal data processing practices must respect the rights of data subjects. This is a foundational principle of the regulation and reflects a strong commitment to individual privacy and protection. Under GDPR, data subjects have specific rights, such as the right to access their personal data, the right to rectification, the right to erasure (also known as the "right to be forgotten"), and the right to data portability, among others. This emphasis on respecting and safeguarding the rights of individuals highlights the regulation's purpose: to empower data subjects and ensure that their personal information is handled with care and transparency. Organizations must not only comply with GDPR but also actively protect these rights through their data practices, ensuring that individuals have control over their personal data.

In contrast, the other choices do not align with the fundamental principles of GDPR. For example, the notion that data practices should be complex is not in line with GDPR's aim for transparency. Furthermore, the idea that processing can be exploitative without consequences directly opposes the regulation's intention to hold organizations accountable for their data handling. Finally, focusing solely on organizational benefits contradicts the GDPR's emphasis on individual rights and on maintaining a balance between organizational needs and data subjects' rights.