Certified Information Privacy Manager (CIPM) — Question 69
The General Data Protection Regulation (GDPR) specifies fines that may be levied against data controllers for certain infringements. Which of the following will be subject to administrative fines of up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year?
Answer options
- A. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing
- B. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default
- C. Failure to process personal information in a manner compatible with its original purpose
- D. Failure to provide the means for a data subject to rectify inaccuracies in personal data
Correct answer: B
Explanation
The correct answer is B. Article 83(4) GDPR sets the lower fine tier (up to 10 000 000 EUR or, for an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher) for infringements of the controller's and processor's obligations under Articles 8, 11, 25 to 39, 42 and 43. Data protection by design and by default is Article 25, so failing to implement the technical and organisational measures it requires falls into this tier. Options A, C and D are also GDPR infringements, but they fall under the higher tier in Article 83(5) (up to 20 000 000 EUR or 4% of turnover): demonstrating consent is a condition for consent under Article 7 and purpose limitation is a basic principle under Article 5, both covered by Article 83(5)(a), and the right to rectification in Article 16 is a data subject right covered by Article 83(5)(b).