Explain GDPR’s key principles.
A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.
THE SHORT ANSWER
Six principles (Art. 5): lawfulness/fairness/transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality. Plus accountability — the controller must demonstrate compliance. Key rights: access, erasure, portability, rectification. Lawful bases include consent, contract, legal obligation, legitimate interest. Breaches notifiable within 72 hours. Fines up to 4% of global turnover or €20M.
WHAT INTERVIEWERS LISTEN FOR
- ✓Six principles (Art. 5)
- ✓Accountability requirement
- ✓Key data subject rights
- ✓Lawful bases for processing
- ✓72-hour breach notification
COMMON MISTAKES
- ✗Omitting accountability principle
- ✗Confusing GDPR with CCPA
- ✗Forgetting 72-hour notification deadline
Reading isn't the same as answering under pressure.
Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.
RELATED QUESTIONS
- Explain the structure of MaRisk.
- Explain double materiality.
- What is the primary difference between model validation and model monitoring under SR 11-7?
- Walk me through IFRS 9 expected credit loss staging and what triggers a move from Stage 1 to Stage 2.
- What is individual senior-manager accountability (e.g., UK SMCR), and how does it change conduct risk management?
- What is the sanctions '50 percent rule', and why does it make ownership analysis critical?