Most Recent BCS PDP9 Exam Questions & Answers

Independent supervisory authorities are public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the UK GDPR and the relevant national laws. The UK GDPR sets out the key requirements for independent supervisory authorities in Chapter VI, which include the following:

They must operate independently and remain free from external influence, whether direct or indirect, and must neither seek nor take instructions from anybody.

They must have adequate human, technical and financial resources to perform their tasks and exercise their powers effectively.

They must review data protection impact assessments in cases of unmitigated high risk and provide prior consultation to controllers on such processing operations.

They must provide each other with mutual assistance and cooperate with each other and the European Data Protection Board to ensure the consistent application of the UK GDPR across the EU.

They must handle complaints lodged by data subjects or by bodies, organisations or associations representing them, and investigate the subject matter of the complaint to the extent appropriate.

They must adopt binding decisions on matters concerning the application of the UK GDPR and impose effective, proportionate and dissuasive administrative fines for infringements of the UK GDPR.

The UK GDPR does not specify any fixed term for the leadership of independent supervisory authorities, nor does it require their leadership to change every four years. However, it does require that the members of the supervisory authority must be appointed by means of a transparent procedure by the parliament, the government or the head of state of the Member State concerned, and that they must act with integrity, refrain from any action incompatible with their duties and not engage in any incompatible occupation during and after their term of office. The UK GDPR also allows Member States to provide for rules regarding the establishment, appointment, duration of the term and dismissal of the head or members of the supervisory authority.Reference:

UK GDPR, Chapter VI7

ICO website, About the ICO8

Artificial intelligence (AI) is the use of digital systems to perform tasks that would normally require human intelligence, such as recognition, decision making, learning and adaptation. AI can bring many benefits to society, such as innovation, efficiency, personalisation and convenience. However, AI also carries new and complex risks that are not present in other technologies, such as opacity, unpredictability, bias, discrimination, intrusion, manipulation and harm. These risks can affect the rights and freedoms of individuals, especially their data protection rights, such as privacy, transparency, fairness, accuracy and accountability. Therefore, a risk-based approach to the use of AI is necessary, which means identifying, assessing and mitigating the potential adverse impacts of AI on individuals and society, while balancing them with the benefits and opportunities.A risk-based approach also means complying with the relevant legal and ethical frameworks, such as the UK GDPR and the DPA 2018, and following the best practices and guidance issued by the ICO and other authorities on AI and data protection234.Reference:

Guidance on AI and data protection2

Explaining decisions made with AI3

AI auditing framework4

Article 57 of the UK GDPR states that the tasks of the Commissioner include handling complaints raised by individuals/data subjects, providing general guidance to clarify the law, and advising UK Parliament on issues related to the protection of personal data, among other tasks. However, adopting consistency findings in cross-border data protection cases is not a task of the Commissioner, but of the European Data Protection Board (EDPB), which is an independent body composed of the heads of the supervisory authorities of the EU and EEA member states and the European Data Protection Supervisor. The EDPB is responsible for ensuring the consistent application of the EU GDPR across the EU and EEA, and for issuing opinions and decisions on matters of general application or affecting more than one member state. The UK is no longer part of the EU or the EEA, and therefore the EDPB does not have jurisdiction over the UK GDPR or the Commissioner. The UK has its own mechanism for ensuring consistency and cooperation with other countries, which involves the Commissioner and the Secretary of State.Reference:

Article 57 of the UK GDPR1

Article 63 and 64 of the EU GDPR4

ICO guidance on the UK GDPR and the EU GDPR5

The principle of transparency requires that any processing of personal data is fair, lawful and transparent to the data subjects. This means that data subjects should be informed about the existence, nature, purpose and consequences of the processing, as well as their rights and choices regarding their data. Transparency is essential for ensuring accountability, trust and compliance in data processing. However, the use of AI can pose challenges to the principle of transparency, as AI can lead to invisible processing, with data subjects not being aware of its presence, or the logic, significance and implications of the processing. For example, AI can be used to profile, infer, predict or influence the behaviour, preferences, interests, emotions or personality of data subjects, without their knowledge or consent. AI can also be used to make automated decisions that affect data subjects, such as credit scoring, recruitment, health diagnosis or social benefits, without providing meaningful explanations or opportunities for human intervention.Therefore, it is important to ensure that data subjects are informed and empowered when AI is involved in the processing of their data, and that they can exercise their rights, such as the right to access, rectify, object, restrict, erase or port their data, or the right to challenge or contest automated decisions56.Reference:

Guidance on AI and data protection5

Explaining decisions made with AI6

The Privacy and Electronic Communications Regulations (PECR) are a set of rules that regulate the use of electronic communications for marketing purposes, as well as the use of cookies and similar technologies, and the security and privacy of electronic communications services. PECR apply to all organisations that market by phone, email, text, fax, or online, or that use cookies or similar technologies on their websites or other electronic services. PECR do not apply to postal marketing communications, which are not considered electronic communications under the definition of PECR. However, postal marketing communications may still be subject to the UK GDPR and the Data Protection Act 2018, as well as other regulations, such as the Consumer Protection from Unfair Trading Regulations 2008 and the Advertising Standards Authority codes of practice.Reference:

ICO Guide to PECR, What are PECR?4

ICO Guide to PECR, Electronic and telephone marketing5