GyanDesk

GDPR & Financial Data Protection: Simple Guide

GDPR & Data Protection – Competitive Exam Master Guide
Competitive Exam Master Guide

GDPR & Data Protection
for Cyber Security

Complete study resource for UPSC, Banking, SSC, Railways, RBI, SEBI, and all Government Exams — with 65+ MCQs, Indian laws, key definitions, and quick revision cards

🏦 Banking Exams 🏛️ UPSC / IAS 🚂 SSC / Railways 📊 RBI / SEBI / NABARD 💻 Cyber Security 🇮🇳 Indian Data Laws
📋 Table of Contents
  1. What is GDPR? — Origin & Purpose
  2. Key Principles of GDPR (7 Pillars)
  3. Rights Given to Individuals
  4. GDPR Compliance for Banks & Fintech
  5. Penalties & Enforcement
  6. India’s Data Protection Framework
  7. Indian Cybersecurity Laws & Organizations
  8. Key Cybersecurity Concepts & Terms
  9. GDPR vs DPDP Act 2023 — Comparison
  10. Quick Revision Sheet
  11. MCQ Practice Bank (65+ Questions)
Section 01

01 What is GDPR? — Origin & Purpose

Definition GDPR (General Data Protection Regulation) is a comprehensive data privacy law enacted by the European Union (EU), effective from 25 May 2018. It governs how organizations collect, store, process, use, and share the personal data of EU residents — regardless of where the organization is located in the world.
🗓️
Effective Date
25 May 2018 — replaced the outdated Data Protection Directive of 1995.
🌍
Jurisdiction
Applies globally to ANY organization processing data of EU citizens — including Indian banks, fintech, and IT companies.
🎯
Primary Goal
Give individuals control over their personal data and unify data protection rules across Europe.
Why Introduced?
Rising cyber fraud, data leaks (Cambridge Analytica scandal), and lack of global data standards.

📅 Timeline of Data Protection Evolution

1995
EU Data Protection Directive — first EU data law (outdated, weak enforcement)
2012
EU proposes new data regulation to address digital age challenges
2016
GDPR officially adopted by European Parliament (April 2016)
2018
GDPR comes into force — 25 May 2018. 2-year transition given to organizations to comply.
2023
India passes Digital Personal Data Protection Act (DPDP Act) — inspired by GDPR

⚠️ Exam Alert — Frequently Asked

GDPR was enforced on 25 May 2018. It replaced the Data Protection Directive of 1995. It was introduced by the European Union, NOT the UN, US, or G20. It applies extraterritorially — even Indian companies must comply if they handle EU data.

Section 02

02 Key Principles of GDPR — The 7 Pillars

Memory Trick Remember GDPR’s 7 principles as: “LAMP-SIA” — Lawfulness, Accuracy, Minimisation, Purpose Limitation, Storage Limitation, Integrity & confidentiality, Accountability
# Principle What It Means Banking Example
1 Lawfulness, Fairness & Transparency Data collected only with legal basis; users must know what data is collected Bank must tell customers what KYC data is used for
2 Purpose Limitation Data used only for the purpose it was collected Loan data cannot be used for insurance marketing without consent
3 Data Minimisation Collect only data that is strictly necessary Don’t collect date-of-birth if only address is needed
4 Accuracy Data must be kept correct and up-to-date Customer can update mobile number in bank records
5 Storage Limitation Data should not be kept longer than needed Delete loan data after repayment and legal hold period
6 Integrity & Confidentiality Protect data from unauthorized access, loss, or theft Encrypt customer PAN card and card details in database
7 Accountability Organization must prove it follows GDPR; maintain audit records Bank must show data audit trail to regulator on demand
Section 03

03 Rights Given to Individuals Under GDPR

👁️
Right to Access
You can ask any organization what personal data they hold about you and get a free copy of it.
✏️
Right to Rectification
You can correct inaccurate or incomplete personal data held by an organization.
🗑️
Right to Erasure Hot MCQ
Also called “Right to be Forgotten” — you can request deletion of your data when it’s no longer needed.
📦
Right to Data Portability
You can receive your data in a machine-readable format and transfer it to another provider.
🚫
Right to Restrict Processing
You can request that your data is stored but not used (e.g., during a dispute).
🛑
Right to Object
You can stop your data from being used for marketing or profiling purposes.
🤖
Rights re: Automated Decisions
You can request human review of decisions made solely by algorithms (e.g., AI-based loan rejection).
Exam Focus The Right to be Forgotten = Right to Erasure. This is the most frequently asked GDPR right in competitive exams. GDPR gives 7 Rights total to individuals.
Section 04

04 GDPR Compliance for Banks & Fintech

RequirementDetailsRelated Technology
Explicit Consent Must be clear, specific, and freely given — no pre-ticked boxes Consent Management Platforms (CMP)
Data Encryption Customer data (PAN, card, UPI) must be encrypted at rest and in transit AES-256, TLS 1.3, End-to-End Encryption
Tokenization Replace sensitive card data with non-sensitive tokens — mandated by RBI PCI-DSS, CoF Tokenization
Multi-Factor Authentication (MFA) 2+ verification steps for digital transactions OTP, Biometric, Hardware tokens
Data Protection Officer (DPO) Mandatory appointment for large-scale data processors
Breach Reporting Must report data breaches to regulator within 72 hours SIEM, SOC, Incident Response
DPIA Data Protection Impact Assessment — mandatory before high-risk data processing Risk Management Tools
Privacy by Design Security and privacy must be built into systems from the start DevSecOps, Zero Trust Architecture
Data Localisation RBI mandates payment data stored within India. DPDP Act restricts cross-border transfers On-premise servers, India-based cloud
Right to opt-out Customers must be given easy way to withdraw consent Preference Centre

Types of Personal Data — What GDPR Protects

CategoryExamplesRisk Level
Basic Personal DataName, address, email, phone number, date of birthMedium
Financial DataBank account number, card details, CVV, UPI ID, transaction historyHigh
Authentication DataPasswords, OTPs, PINs, UPI PIN, security questionsVery High
Sensitive Personal Data (Special Category)Aadhaar, PAN, biometrics, health data, religion, political viewsVery High
Behavioural DataBrowsing history, purchase patterns, location trackingMedium
Section 05

05 GDPR Penalties & Enforcement

⚠️
Tier 1 — Lower Violation
Up to €10 million OR 2% of global annual turnover (whichever is greater)

e.g., Failure to appoint DPO, poor record-keeping
🚨
Tier 2 — Higher Violation
Up to €20 million OR 4% of global annual turnover (whichever is greater)

e.g., Violating consent rules, data subject rights

🏆 Notable GDPR Fines (Real World Cases)

CompanyFine AmountReasonYear
Amazon€746 millionCookie consent violations2021
Meta (Instagram)€405 millionChildren’s data processing2022
WhatsApp€225 millionLack of transparency in data sharing2021
Google Ireland€90 millionCookie consent issues2022
British Airways£20 millionData breach affecting 500,000 customers2020
Exam Focus — Frequently Tested Maximum GDPR fine = €20 million OR 4% of annual global turnover, whichever is greater. Largest fine to date = Amazon — €746 million.
Section 06

06 India’s Data Protection Framework

🇮🇳 Digital Personal Data Protection (DPDP) Act, 2023

FeatureDetail
EnactedAugust 2023 — received Presidential assent on 11 August 2023
PurposeProtect personal data of Indian citizens; regulate data fiduciaries
ScopeApplies to digital personal data within India AND data processed outside India if related to India-based individuals
Key TermsData Principal = individual; Data Fiduciary = organization processing data; Consent Manager = registered entity to manage user consents
Maximum PenaltyUp to ₹250 crore for major violations
RegulatorData Protection Board of India (DPBI) — to be set up by Central Government
Children’s DataAge of digital consent = 18 years; parental consent mandatory below 18
DPO RequirementMandatory for Significant Data Fiduciaries (SDFs)
Cross-border TransferGovernment can restrict data transfers to certain countries via whitelist
Right to ErasureRight to erase data included but with conditions
Important Note The DPDP Act 2023 does NOT give the “Right to Data Portability” unlike GDPR. It also uses the term “Data Principal” instead of “Data Subject” as in GDPR. The age of consent under DPDP = 18 years vs GDPR’s 16 years.

Other Relevant Indian Laws on Cyber & Data Security

Law / ActYearKey Provision
Information Technology (IT) Act2000 (amended 2008)Primary cybercrime law; Section 43A (compensation for data breach), Section 66C (identity theft), Section 66E (privacy violation), Section 67 (obscene content)
IT (Amendment) Act2008Added cybercrime provisions; Section 66A (struck down by SC 2015)
DPDP Act2023Comprehensive personal data protection law
RBI Tokenisation Guidelines2022Card-on-File (CoF) tokenisation mandatory for merchants
CERT-In Directions2022Mandatory cyber incident reporting within 6 hours; maintain logs for 180 days; VPN providers must keep records
National Cyber Security Policy2013India’s first comprehensive cybersecurity policy
PDPB (Personal Data Protection Bill)2019 (lapsed)Predecessor to DPDP Act; introduced data localisation concepts
Section 07

07 Indian Cybersecurity Organizations & Initiatives

Organization / InitiativeFull FormRole / Exam Relevance
CERT-In Hot MCQComputer Emergency Response Team – IndiaIndia’s nodal agency for cybersecurity incidents; under MeitY. Reports to it are mandatory within 6 hours.
NCIIPCNational Critical Information Infrastructure Protection CentreProtects critical infrastructure (power grids, banks, telecom) from cyber attacks; under NTRO
MeitYMinistry of Electronics and Information TechnologyGoverns IT policy, digital India, cybersecurity laws
NASSCOMNational Association of Software and Service CompaniesIT industry body; involved in cybersecurity skill development
DPBIData Protection Board of IndiaRegulator under DPDP Act 2023 — to adjudicate data protection complaints
NICNational Informatics CentreProvides IT infrastructure and cybersecurity for government
C-DACCentre for Development of Advanced ComputingWorks on cybersecurity R&D, supercomputing; develops Indian cybersecurity solutions
Digital India ProgrammeLaunched 2015 — promotes digital infrastructure, e-governance, internet access
Cyber Surakshit BharatMeitY initiative to spread awareness and train CISOs and IT officials of government bodies
National Cyber Coordination Centre (NCCC)Operational coordination for cybersecurity — real-time threat monitoring
I4CIndian Cybercrime Coordination CentreUnder MHA; coordinates cybercrime investigation across states; operates National Cybercrime Reporting Portal
Cybercrime Portalcybercrime.gov.inOnline reporting platform for cyber crimes; Helpline: 1930
Key Exam Points CERT-In = India’s cybersecurity nodal agency | Cyber Incident Reporting = 6 hours (CERT-In) vs 72 hours (GDPR) | National Cybercrime Helpline = 1930 | NCIIPC = protects critical infrastructure | I4C = under Ministry of Home Affairs
Section 08

08 Key Cybersecurity Concepts & Terms

TermDefinitionExam Tip
EncryptionConverting data into unreadable code to protect it from unauthorized accessAES, RSA — most asked algorithms
TokenisationReplacing sensitive data (e.g., card number) with a non-sensitive placeholder (token)RBI mandated CoF tokenisation from Oct 2022
Multi-Factor Authentication (MFA)Using 2 or more verification methods — something you know + have + areOTP = 2FA; Biometric + PIN = MFA
PhishingFraudulent attempt to obtain sensitive information by posing as a trustworthy entity via email/SMSMost common cyber attack type in banking
RansomwareMalware that encrypts victim’s data and demands payment (ransom) to restore accessWannaCry, NotPetya — famous attacks
Zero Trust ArchitectureSecurity model: “never trust, always verify” — no implicit trust for any user or device inside/outside the networkLatest cybersecurity model
Data LocalisationRequirement to store citizen data within the country’s bordersRBI mandates payment data stored in India
SIEMSecurity Information and Event Management — real-time analysis of security alertsUsed in SOC operations
SOCSecurity Operations Centre — team that monitors and responds to cybersecurity eventsBanks required to have SOC under RBI guidelines
AnonymisationRemoving personal identifiers from data so individuals cannot be identifiedDifferent from pseudonymisation
PseudonymisationReplacing personal identifiers with pseudonyms — data can still be re-identified with a keyGDPR recognises this as a privacy enhancing technique
CVV (Card Verification Value)3-digit security code on credit/debit cardsMerchants cannot store CVV — PCI-DSS requirement
PCI-DSSPayment Card Industry Data Security Standard — global standard for card payment securityApplicable to all card processors worldwide
DPOData Protection Officer — person responsible for ensuring GDPR/data protection complianceMandatory under GDPR for large processors
DPIAData Protection Impact Assessment — risk assessment before processing high-risk dataRequired under GDPR before new data projects
AI & Automated ProfilingUse of algorithms to make decisions about individuals — GDPR requires human oversightRight to object automated decisions = GDPR
Dark WebPart of the internet not indexed by search engines; used for illegal activities including data tradeStolen banking data often sold on dark web
Social EngineeringPsychological manipulation of people to gain confidential informationVishing (voice phishing), Smishing (SMS phishing)
Man-in-the-Middle AttackAttacker secretly intercepts and relays communications between two partiesCommon in unsecured Wi-Fi networks
DeepfakeAI-generated fake videos/audio that impersonate real people — growing financial fraud riskEmerging threat in KYC fraud
Section 09

09 GDPR vs India’s DPDP Act 2023 — Comparison

🇪🇺 GDPR (EU)
Scope: EU citizens’ data, global applicability
Enacted: 2016, Effective 25 May 2018
Max Penalty: €20 million or 4% global turnover
Regulator: Data Protection Authority (DPA) of each EU member state
Rights: 7 rights including Right to Portability
Age of Consent: 16 years (can be 13 in some states)
Data Subject: Term used for individual
DPO: Mandatory for large processors
Data Portability: Yes — included
Cross-border transfers: Allowed to adequate countries
🇮🇳 DPDP Act 2023 (India)
Scope: Indian citizens’ digital personal data
Enacted: August 2023
Max Penalty: ₹250 crore
Regulator: Data Protection Board of India (DPBI)
Rights: Access, Correction, Erasure, Grievance, Nominee
Age of Consent: 18 years
Data Principal: Term used for individual
DPO: Mandatory for Significant Data Fiduciaries
Data Portability: Not included
Cross-border transfers: Government to issue whitelist of allowed countries
Key Difference — Exam Favourite GDPR uses Data Subject; DPDP Act uses Data Principal. GDPR has Right to Data Portability; DPDP Act 2023 does NOT. Age of digital consent: GDPR = 16 years; DPDP = 18 years.

⚡ 2-Minute Quick Revision Sheet

What is GDPR?
EU Data Privacy Regulation — Effective 25 May 2018 — Replaced 1995 Directive
Key Numbers
7 Principles · 7 Rights · 72-hour breach reporting · €20M or 4% max fine
India’s Law
DPDP Act 2023 — ₹250 Cr max fine — Age of consent: 18 yrs — Regulator: DPBI
Right to be Forgotten
= Right to Erasure. Customer can request deletion of stored data.
Data Protection Officer
DPO = mandatory under GDPR for large processors. Ensures compliance.
CERT-In (India)
Nodal cybersecurity agency. Incident reporting: 6 hours. Under MeitY.
Cybercrime Helpline
1930 · cybercrime.gov.in · I4C under Ministry of Home Affairs
Banking Security
Tokenisation + Encryption + MFA + SOC + DPIA + 72-hr breach reporting
Largest GDPR Fine
Amazon — €746 million (2021) — Cookie consent violations
Privacy by Design
Security must be built INTO systems from start — not added later.
Data Minimisation
Collect ONLY what is necessary — core GDPR principle.
RBI Tokenisation
Card-on-File (CoF) tokenisation mandatory from Oct 2022 — no raw card storage by merchants.
🧠

MCQ Practice Bank

65+ Questions — Based on Previous Exam Trends | Banking · UPSC · SSC · Railways · RBI · SEBI

📘 Chapter 1 — GDPR Basics & Definitions (Q1–Q12)
★ HOT
Q1. GDPR stands for:
  • a) General Data Privacy Rules
  • b) General Data Protection Regulation ✓
  • c) Global Data Protection Rules
  • d) General Digital Privacy Regulations
Answer: b) General Data Protection Regulation
GDPR is the EU law protecting personal data. Full form is a frequent direct MCQ.
★ HOT
Q2. GDPR became enforceable from:
  • a) 1 January 2016
  • b) 25 May 2018 ✓
  • c) 5 August 2015
  • d) 1 March 2020
Answer: b) 25 May 2018
GDPR was adopted in April 2016 but enforcement began on 25 May 2018 after a 2-year grace period.
Q3
Q3. GDPR replaced which earlier EU data law?
  • a) EU Cybercrime Convention 2001
  • b) Digital Markets Act 2022
  • c) Data Protection Directive of 1995 ✓
  • d) Network Security Regulation 2010
Answer: c) Data Protection Directive of 1995
The 1995 Directive was outdated for the digital age and was replaced by GDPR.
★ HOT
Q4. GDPR applies to companies processing EU citizen data:
  • a) Only if headquartered inside the EU
  • b) Only to European companies
  • c) Globally — including Indian companies if they handle EU data ✓
  • d) Only to banks in EU countries
Answer: c) Globally
GDPR has extraterritorial reach. Any Indian bank or fintech processing EU citizen data must comply.
Q5
Q5. Which event significantly triggered the introduction of GDPR?
  • a) Enron accounting scandal
  • b) 9/11 terrorist attacks
  • c) Facebook–Cambridge Analytica data scandal ✓
  • d) Greek financial crisis
Answer: c) Facebook–Cambridge Analytica
The misuse of millions of Facebook users’ data without consent highlighted the urgent need for strong data protection laws.
Q6
Q6. Which of the following is considered “Special Category” (most sensitive) data under GDPR?
  • a) Email address and phone number
  • b) Employment details
  • c) Biometric data, health data, political opinions ✓
  • d) Social media username
Answer: c) Biometric data, health data, political opinions
Special Category data requires extra protection and explicit consent for processing under GDPR Article 9.
★ HOT
Q7. GDPR mandates that data breaches must be reported to the relevant authority within:
  • a) 24 hours
  • b) 7 days
  • c) 72 hours ✓
  • d) 30 days
Answer: c) 72 hours
Organizations must notify the relevant Data Protection Authority within 72 hours of discovering a breach.
Q8
Q8. The “Right to be Forgotten” under GDPR is also called:
  • a) Right to Access
  • b) Right to Restrict Processing
  • c) Right to Erasure ✓
  • d) Right to Object
Answer: c) Right to Erasure
The Right to Erasure (Article 17) allows individuals to request deletion of their personal data when it is no longer necessary.
Q9
Q9. Which officer must be appointed by large data processing organizations under GDPR?
  • a) Chief Risk Officer (CRO)
  • b) Chief Technology Officer (CTO)
  • c) Data Protection Officer (DPO) ✓
  • d) Chief Information Officer (CIO)
Answer: c) Data Protection Officer (DPO)
The DPO is responsible for overseeing GDPR compliance, advising on data protection, and liaising with regulators.
Q10
Q10. “Privacy by Design” under GDPR means:
  • a) Adding privacy features after a system is built
  • b) Creating a privacy logo for products
  • c) Building privacy and security features INTO systems from the start ✓
  • d) Hiring a privacy consultant after deployment
Answer: c) Building privacy and security features into systems from the start
Privacy by Design means security is not an afterthought — it is embedded into system architecture from day one.
Q11
Q11. How many key principles does GDPR have?
  • a) 5
  • b) 6
  • c) 7 ✓
  • d) 10
Answer: c) 7
GDPR has 7 principles: Lawfulness, Purpose Limitation, Data Minimisation, Accuracy, Storage Limitation, Integrity & Confidentiality, Accountability.
Q12
Q12. The principle that an organization must prove it follows GDPR is called:
  • a) Transparency
  • b) Data Minimisation
  • c) Storage Limitation
  • d) Accountability ✓
Answer: d) Accountability
The accountability principle requires organizations to not only comply but actively demonstrate compliance through records and audits.
📗 Chapter 2 — Rights, Penalties & Compliance (Q13–Q28)
★ HOT
Q13. Maximum penalty under GDPR for serious violations is:
  • a) €10 million or 2% of global turnover
  • b) €20 million or 4% of global annual turnover (whichever is greater) ✓
  • c) €5 million or 1% turnover
  • d) €50 million flat
Answer: b) €20 million or 4% of global annual turnover
Tier 2 violations (most serious) attract this higher penalty. Tier 1 violations = €10M or 2%.
★ HOT
Q14. The largest GDPR fine ever imposed (as of 2024) was on:
  • a) Google
  • b) Amazon — €746 million ✓
  • c) Facebook
  • d) Microsoft
Answer: b) Amazon — €746 million (2021)
Amazon was fined €746 million by Luxembourg’s DPA for violations related to cookie consent and targeted advertising.
Q15
Q15. The right to move your personal data from one service provider to another is called:
  • a) Right to Rectification
  • b) Right to Erasure
  • c) Right to Data Portability ✓
  • d) Right to Object
Answer: c) Right to Data Portability
This right allows users to receive their personal data in a structured, commonly used format and transfer it to another controller.
Q16
Q16. GDPR requires “explicit consent” before data collection. Which of the following is NOT valid consent?
  • a) A clear opt-in checkbox ticked by the user
  • b) A pre-ticked checkbox on a registration form ✓
  • c) A signed consent form
  • d) A verbal consent recorded and documented
Answer: b) Pre-ticked checkbox
GDPR requires active, freely given, specific, and informed consent. Pre-ticked boxes are NOT valid as consent must be given positively.
Q17
Q17. DPIA (Data Protection Impact Assessment) is required before:
  • a) Opening a new bank branch
  • b) Processing high-risk personal data — e.g., large-scale profiling or processing sensitive data ✓
  • c) Hiring new staff
  • d) Changing branch timings
Answer: b) Processing high-risk personal data
A DPIA is a risk assessment tool required under GDPR Article 35 before beginning any high-risk data processing activity.
Q18
Q18. Under GDPR, “Data Minimisation” principle means:
  • a) Use minimum number of servers
  • b) Store data in smallest possible file format
  • c) Collect only data that is strictly necessary for the purpose ✓
  • d) Minimize the number of employees accessing data
Answer: c) Collect only data that is strictly necessary
Organizations should not collect data “just in case” — only what is needed for the specific, stated purpose.
Q19
Q19. The right to stop processing of your data for direct marketing purposes is:
  • a) Right to Access
  • b) Right to Erasure
  • c) Right to Object ✓
  • d) Right to Portability
Answer: c) Right to Object
Individuals have an absolute right to object to processing their data for direct marketing — the organization must stop immediately.
Q20
Q20. “Storage Limitation” under GDPR means:
  • a) Use storage servers within EU only
  • b) Data should not be kept longer than necessary for its purpose ✓
  • c) Limit to 1 GB of data per customer
  • d) Store only in encrypted format
Answer: b) Data should not be kept longer than necessary
Organizations must set and follow data retention periods and delete data once the purpose is fulfilled.
Q21
Q21. Which of the following gives individuals the right to halt processing of their data during a legal dispute?
  • a) Right to Erasure
  • b) Right to Portability
  • c) Right to Restrict Processing ✓
  • d) Right to Rectification
Answer: c) Right to Restrict Processing
This right allows data to be stored but not used, typically during the period when a person contests accuracy or objects to processing.
Q22
Q22. Which right under GDPR protects individuals from decisions made purely by automated systems (AI)?
  • a) Right to Erasure
  • b) Right to Access
  • c) Right not to be subject to automated decision-making ✓
  • d) Right to Object
Answer: c) Right not to be subject to automated decision-making
GDPR Article 22 ensures individuals can request human review of significant decisions made by algorithms, like AI-based loan rejection.
Q23
Q23. GDPR’s “Integrity and Confidentiality” principle is most directly related to:
  • a) Marketing accuracy
  • b) Protecting data from unauthorized access, loss, or destruction through cybersecurity measures ✓
  • c) Customer satisfaction ratings
  • d) Data entry speed
Answer: b) Protecting data from unauthorized access, loss, or destruction
This principle mandates appropriate technical and organizational security measures — encryption, access controls, etc.
Q24
Q24. GDPR “Purpose Limitation” means data collected for one purpose:
  • a) Can be freely used for other purposes
  • b) Should be deleted immediately after collection
  • c) Cannot be used for other incompatible purposes without fresh consent ✓
  • d) Should be shared with government agencies
Answer: c) Cannot be used for other incompatible purposes without fresh consent
If a bank collects KYC data for account opening, it cannot use that data to market insurance products without separate consent.
Q25
Q25. Tier 1 (lower) GDPR violations attract a penalty of:
  • a) Up to €10 million or 2% of annual global turnover ✓
  • b) Up to €20 million or 4% of global turnover
  • c) Up to €5 million or 1% of turnover
  • d) Up to €50 million flat
Answer: a) Up to €10 million or 2% of annual global turnover
Tier 1 applies to less serious violations like failure to appoint a DPO. Tier 2 (more serious) = €20M or 4%.
Q26
Q26. Which GDPR principle requires data to be kept factually correct and updated?
  • a) Storage Limitation
  • b) Transparency
  • c) Accuracy ✓
  • d) Purpose Limitation
Answer: c) Accuracy
GDPR requires organizations to take reasonable steps to ensure personal data is accurate and kept up-to-date.
Q27
Q27. A customer can ask an organization “What personal data do you hold about me?” This is exercising the:
  • a) Right to Access ✓
  • b) Right to Erasure
  • c) Right to Portability
  • d) Right to Rectification
Answer: a) Right to Access
The Right to Access (Subject Access Request) entitles individuals to receive confirmation of whether their data is being processed and a copy of it.
Q28
Q28. GDPR’s accountability principle requires organizations to:
  • a) Blame data breaches on employees
  • b) Pay taxes to the EU
  • c) Maintain records and actively demonstrate compliance with GDPR ✓
  • d) Store data only in EU data centres
Answer: c) Maintain records and actively demonstrate compliance
Organizations must keep processing records, conduct DPIAs, and be able to show compliance on demand from regulators.
📙 Chapter 3 — Indian Data Laws & Cybersecurity (Q29–Q45)
★ HOT
Q29. India’s comprehensive personal data protection law enacted in 2023 is:
  • a) Information Technology Act, 2000
  • b) Personal Data Protection Bill, 2019
  • c) Digital Personal Data Protection (DPDP) Act, 2023 ✓
  • d) Cyber Security Framework Act, 2023
Answer: c) DPDP Act, 2023
The DPDP Act received Presidential assent on 11 August 2023. It is India’s primary personal data protection law.
★ HOT
Q30. Under the DPDP Act 2023, the individual whose data is collected is called:
  • a) Data Subject
  • b) Data Controller
  • c) Data Principal ✓
  • d) Data Manager
Answer: c) Data Principal
The DPDP Act uses “Data Principal” (individual) and “Data Fiduciary” (organization). GDPR uses “Data Subject” and “Data Controller”.
Q31
Q31. Maximum penalty under India’s DPDP Act 2023 is:
  • a) ₹10 crore
  • b) ₹100 crore
  • c) ₹250 crore ✓
  • d) ₹500 crore
Answer: c) ₹250 crore
The DPDP Act 2023 imposes penalties up to ₹250 crore for significant data protection violations.
★ HOT
Q32. India’s nodal cybersecurity agency responsible for handling cyber incidents is:
  • a) NIC
  • b) NASSCOM
  • c) CERT-In ✓
  • d) NCIIPC
Answer: c) CERT-In (Computer Emergency Response Team – India)
CERT-In is under MeitY and is India’s primary agency for cybersecurity incident response and coordination.
Q33
Q33. As per CERT-In 2022 directions, organizations must report cyber incidents within:
  • a) 24 hours
  • b) 6 hours ✓
  • c) 72 hours
  • d) 48 hours
Answer: b) 6 hours
CERT-In 2022 directions mandate cyber incident reporting within 6 hours of detection — much stricter than GDPR’s 72 hours.
Q34
Q34. Which Indian organization protects Critical Information Infrastructure like power grids and banking systems?
  • a) CERT-In
  • b) NCIIPC (National Critical Information Infrastructure Protection Centre) ✓
  • c) NIC
  • d) MeitY
Answer: b) NCIIPC
NCIIPC operates under NTRO (National Technical Research Organisation) and is mandated to protect India’s critical infrastructure from cyber threats.
Q35
Q35. The national helpline number for reporting cybercrime in India is:
  • a) 112
  • b) 100
  • c) 1930 ✓
  • d) 1800-11-0001
Answer: c) 1930
The National Cybercrime Helpline is 1930. Online complaints can be filed at cybercrime.gov.in. Managed by I4C under Ministry of Home Affairs.
Q36
Q36. Under which Section of the IT Act 2000 is identity theft a punishable offence?
  • a) Section 43
  • b) Section 43A
  • c) Section 66C ✓
  • d) Section 72
Answer: c) Section 66C
Section 66C of the IT Act deals with identity theft — dishonest use of someone’s electronic signature, password, or other unique identification feature.
Q37
Q37. Age of digital consent under India’s DPDP Act 2023 is:
  • a) 13 years
  • b) 16 years
  • c) 18 years ✓
  • d) 21 years
Answer: c) 18 years
The DPDP Act sets 18 years as the age of digital consent. Parental consent is required for processing data of individuals under 18.
Q38
Q38. RBI mandated Card-on-File (CoF) tokenisation for merchants from:
  • a) January 2020
  • b) March 2021
  • c) October 2022 ✓
  • d) April 2023
Answer: c) October 2022
From October 1, 2022, RBI banned merchants from storing raw card data. All card-on-file data must be in tokenised form.
Q39
Q39. “Cyber Surakshit Bharat” is an initiative of:
  • a) Ministry of Finance
  • b) RBI
  • c) MeitY (Ministry of Electronics and Information Technology) ✓
  • d) SEBI
Answer: c) MeitY
Cyber Surakshit Bharat is a MeitY initiative to spread cybersecurity awareness and train government officials, particularly CISOs.
Q40
Q40. DPDP Act 2023 does NOT include which GDPR right?
  • a) Right to Access
  • b) Right to Erasure
  • c) Right to Data Portability ✓
  • d) Right to Correction
Answer: c) Right to Data Portability
Unlike GDPR, India’s DPDP Act 2023 does not include the Right to Data Portability. This is a key difference frequently tested in exams.
Q41
Q41. I4C (Indian Cybercrime Coordination Centre) operates under:
  • a) MeitY
  • b) RBI
  • c) Ministry of Home Affairs (MHA) ✓
  • d) Ministry of Finance
Answer: c) Ministry of Home Affairs (MHA)
I4C coordinates cybercrime investigations across India and operates cybercrime.gov.in and the 1930 helpline.
Q42
Q42. India’s National Cyber Security Policy was first released in:
  • a) 2000
  • b) 2008
  • c) 2013 ✓
  • d) 2018
Answer: c) 2013
India’s first National Cyber Security Policy was released in July 2013 to build a secure and resilient cyberspace.
Q43
Q43. Which provision of the IT Act 2000 deals with compensation for data breaches by companies?
  • a) Section 43
  • b) Section 43A ✓
  • c) Section 66C
  • d) Section 67
Answer: b) Section 43A
Section 43A holds companies liable to pay compensation if they fail to protect sensitive personal data through reasonable security practices.
Q44
Q44. The regulator to be established under DPDP Act 2023 for adjudicating data protection complaints is:
  • a) Cyber Appeals Tribunal
  • b) CERT-In
  • c) Data Protection Board of India (DPBI) ✓
  • d) NCIIPC
Answer: c) Data Protection Board of India (DPBI)
DPBI will be set up by the Central Government and will adjudicate data breach complaints and impose penalties under the DPDP Act 2023.
Q45
Q45. Under CERT-In 2022 directions, organizations must retain logs for:
  • a) 30 days
  • b) 90 days
  • c) 180 days ✓
  • d) 365 days
Answer: c) 180 days
CERT-In 2022 directions require organizations to maintain ICT system logs within India for a rolling period of 180 days.
📕 Chapter 4 — Cybersecurity Concepts & Technologies (Q46–Q60)
★ HOT
Q46. “Tokenisation” in the context of digital payments means:
  • a) Converting currency into digital tokens
  • b) Blockchain-based payment
  • c) Replacing sensitive card data with a non-sensitive placeholder (token) ✓
  • d) Encrypting UPI passwords
Answer: c) Replacing sensitive card data with a non-sensitive placeholder
Tokenisation ensures that even if data is stolen, the token is useless without the tokenisation system key. Mandated by RBI from Oct 2022.
Q47
Q47. Multi-Factor Authentication (MFA) uses:
  • a) Multiple usernames
  • b) Two or more verification factors: something you know + have + are ✓
  • c) Multiple bank accounts
  • d) Multiple devices for login
Answer: b) Two or more verification factors
MFA combines: something you know (PIN/password) + something you have (OTP/token) + something you are (biometric). Greatly reduces fraud.
★ HOT
Q48. Ransomware is best defined as:
  • a) Software that speeds up computers
  • b) Antivirus software
  • c) Malware that encrypts data and demands payment (ransom) for decryption ✓
  • d) A type of firewall
Answer: c) Malware that encrypts data and demands ransom
Famous ransomware attacks: WannaCry (2017), NotPetya (2017). Often targets hospitals, banks, and government systems.
Q49
Q49. “Phishing” is a cyber attack technique that:
  • a) Uses physical force to access systems
  • b) Tricks individuals into revealing sensitive information via fake emails/websites ✓
  • c) Breaks encryption using quantum computing
  • d) Installs antivirus software secretly
Answer: b) Tricks individuals into revealing sensitive information via fake emails/websites
Phishing is the most common form of cyber attack. Variants: Spear Phishing (targeted), Vishing (voice), Smishing (SMS).
Q50
Q50. “Zero Trust Architecture” in cybersecurity means:
  • a) Trust all users within the internal network
  • b) Block all external users
  • c) “Never trust, always verify” — no implicit trust for any user or device ✓
  • d) Use zero passwords
Answer: c) “Never trust, always verify”
Zero Trust assumes breach is inevitable and continuously validates every user, device, and application trying to access resources.
Q51
Q51. PCI-DSS stands for:
  • a) Personal Card Industry Data Security Standard
  • b) Payment Card Industry Data Security Standard ✓
  • c) Public Credit Identity Data Security Standard
  • d) Private Card Institution Data Security System
Answer: b) Payment Card Industry Data Security Standard
PCI-DSS is the global security standard for organizations that process card payments. It prohibits storage of CVV by merchants.
Q52
Q52. Replacing an individual’s identity with a pseudonym while keeping a key to re-identify is called:
  • a) Encryption
  • b) Anonymisation
  • c) Pseudonymisation ✓
  • d) Tokenisation
Answer: c) Pseudonymisation
Unlike anonymisation (irreversible), pseudonymisation replaces identifiers with pseudonyms but a mapping key exists. GDPR recognises it as a privacy-enhancing technique.
Q53
Q53. “Man-in-the-Middle” (MitM) attack refers to:
  • a) A denial of service attack
  • b) An attacker secretly intercepting and possibly altering communications between two parties ✓
  • c) Physical theft of hardware
  • d) Email spam attack
Answer: b) Attacker secretly intercepting communications between two parties
MitM attacks are common on unsecured public Wi-Fi. TLS/HTTPS and certificate pinning help prevent them.
Q54
Q54. “Social Engineering” in cybersecurity is:
  • a) Building secure social media platforms
  • b) Engineering courses about social systems
  • c) Psychological manipulation of people to gain unauthorized access to systems or information ✓
  • d) A method to improve team collaboration
Answer: c) Psychological manipulation of people
Social engineering exploits human psychology, not technical vulnerabilities. Examples: Phishing, Pretexting, Baiting, Quid pro quo.
Q55
Q55. SOC (Security Operations Centre) in banking primarily:
  • a) Handles loan disbursements
  • b) Manages ATM operations
  • c) Monitors and responds to cybersecurity threats in real-time ✓
  • d) Processes customer complaints
Answer: c) Monitors and responds to cybersecurity threats in real-time
RBI guidelines require banks to have a Security Operations Centre (SOC) for continuous monitoring of cyber threats and incidents.
Q56
Q56. “Deepfake” technology poses which cyber threat to banking and finance?
  • a) Slowing down internet connections
  • b) Creating counterfeit currency notes
  • c) Impersonating individuals in video KYC or voice-based authentication to commit fraud ✓
  • d) Disrupting ATM networks
Answer: c) Impersonating individuals in video KYC or voice-based authentication
Deepfakes use AI to generate fake but realistic video/audio. They are being used to bypass KYC verification — a growing financial fraud risk.
Q57
Q57. “Data Localisation” means:
  • a) Translating data into local languages
  • b) Storing citizen/user data on servers physically located within a country’s borders ✓
  • c) Using local area networks for data transfer
  • d) Encrypting data in local dialects
Answer: b) Storing citizen/user data on servers physically located within a country’s borders
RBI mandates payment data localisation in India. The DPDP Act 2023 also restricts cross-border data transfers.
Q58
Q58. SMS-based phishing attacks are specifically called:
  • a) Phishing
  • b) Vishing
  • c) Smishing ✓
  • d) Spear phishing
Answer: c) Smishing
Smishing = SMS + Phishing. Vishing = Voice + Phishing (phone calls). Spear Phishing = targeted phishing aimed at a specific individual.
Q59
Q59. WannaCry cyber attack in 2017 was an example of:
  • a) Phishing attack
  • b) DDoS attack
  • c) Ransomware attack ✓
  • d) Social engineering attack
Answer: c) Ransomware attack
WannaCry (May 2017) encrypted over 200,000 computers in 150 countries and demanded Bitcoin ransoms. It exploited a Windows vulnerability called EternalBlue.
Q60
Q60. The security model that builds security INTO software development from the beginning is called:
  • a) SecOps
  • b) DevSecOps ✓
  • c) NetOps
  • d) DataOps
Answer: b) DevSecOps
DevSecOps integrates security practices into the DevOps pipeline — aligning with GDPR’s “Privacy by Design” principle. Security is not an afterthought.
📒 Chapter 5 — Tricky & High-Probability Questions (Q61–Q65)
★ HOT
Q61. Difference between CERT-In breach reporting (6 hours) and GDPR breach reporting (72 hours): Which is STRICTER?
  • a) CERT-In — 6 hours is stricter than GDPR’s 72 hours ✓
  • b) GDPR — 72 hours is stricter
  • c) Both have same reporting window
  • d) Neither have mandatory reporting
Answer: a) CERT-In (6 hours) is stricter
CERT-In 2022 directions require incident reporting within 6 hours — far more aggressive than GDPR’s 72-hour window. Both are mandatory for respective jurisdictions.
★ HOT
Q62. An Indian IT company serving EU clients processes EU citizen data from its offices in Bengaluru. Must it comply with GDPR?
  • a) No — GDPR applies only to companies based in EU
  • b) Only if the company has an office in EU
  • c) Yes — GDPR applies extraterritorially to any organization processing EU citizen data ✓
  • d) Only if the company has revenue over €1 billion
Answer: c) Yes — GDPR applies extraterritorially
GDPR’s territorial scope extends globally. Any company — regardless of location — that processes EU residents’ data must comply.
Q63
Q63. Under GDPR, an AI system rejects a loan application automatically without any human involvement. The customer has the right to:
  • a) Appeal to the Supreme Court
  • b) Pay more fees for reconsideration
  • c) Request human review of the automated decision under the Right not to be subject to automated decision-making ✓
  • d) Accept the decision without recourse
Answer: c) Request human review
GDPR Article 22 gives individuals the right to not be subject to decisions based solely on automated processing, especially when the decision significantly affects them.
Q64
Q64. A bank’s marketing team wants to use customer loan data to send insurance product offers. Under GDPR, this requires:
  • a) No additional steps — loan data can be used for any purpose
  • b) Fresh, explicit consent from the customer for this new, different purpose ✓
  • c) Only internal management approval
  • d) Only DPO notification
Answer: b) Fresh explicit consent
GDPR’s “Purpose Limitation” principle prohibits using data for purposes incompatible with why it was originally collected, without new consent.
★ HOT
Q65. Which statement about the DPDP Act 2023 vs GDPR is CORRECT?
  • a) Both have the same maximum financial penalty
  • b) DPDP Act includes Right to Data Portability; GDPR does not
  • c) GDPR uses “Data Subject”; DPDP uses “Data Principal”
  • c) GDPR uses “Data Subject”; DPDP uses “Data Principal” ✓
  • d) Age of consent is 16 years under both laws
Answer: c) GDPR uses “Data Subject”; DPDP uses “Data Principal”
Key differences: Terminology differs — Data Subject (GDPR) vs Data Principal (DPDP). DPDP does NOT include Right to Data Portability. Age of consent: GDPR=16, DPDP=18.
Master Reference

Complete Reference Table — Key Numbers & Facts

TopicKey Fact / Number
GDPR Effective Date25 May 2018
GDPR enacted byEuropean Union
GDPR replacesData Protection Directive, 1995
GDPR Number of Principles7
GDPR Number of Individual Rights7
GDPR Breach Reporting72 hours
GDPR Max Penalty (Tier 2)€20 million or 4% of global annual turnover
GDPR Max Penalty (Tier 1)€10 million or 2% of global annual turnover
Largest GDPR FineAmazon — €746 million (2021)
India’s Data LawDPDP Act 2023 — Royal Assent: 11 August 2023
DPDP Max Penalty₹250 crore
DPDP RegulatorData Protection Board of India (DPBI)
Age of Consent (GDPR)16 years
Age of Consent (DPDP)18 years
CERT-In Incident Reporting6 hours
CERT-In Log Retention180 days
National Cybercrime Helpline1930
Cybercrime Websitecybercrime.gov.in
RBI Tokenisation EffectiveOctober 2022
India’s Cybersecurity Nodal AgencyCERT-In (under MeitY)
Critical Infrastructure Protection (India)NCIIPC (under NTRO)
IT Act Data Breach CompensationSection 43A
IT Act Identity TheftSection 66C
India’s First Cyber PolicyNational Cyber Security Policy, 2013
WannaCry Attack YearMay 2017 — Ransomware
GDPR “Data Subject” equivalent in DPDPData Principal
GyanDesk — Competitive Exam Study Resource
This guide covers GDPR, India’s DPDP Act 2023, Cybersecurity Laws, and 65+ MCQs for Banking, UPSC, SSC, Railways & other exams.
⚠️ Always verify latest developments before your exam — laws and regulations evolve.

© GyanDesk | Study Smart. Revise Fast. Score High.