Why is "Discussing only organisational protections, ignoring individual responsibility." a common mistake in Potential risks to data and personal information when information is transmitted and stored digitally?

Why it happens: Focus on big-tech security. How to avoid it: Both ORGANISATIONS and INDIVIDUALS have roles in data protection. Strong passwords, MFA, careful sharing — all individual actions.

Why is "Assuming public Wi-Fi is automatically encrypted." a common mistake in Potential risks to data and personal information when information is transmitted and stored digitally?

Why it happens: Devices connect successfully. How to avoid it: Many public networks are OPEN (no Wi-Fi password). Even with WPA2, the operator can see your traffic. Use VPN or HTTPS only.

Why is "Believing 'deleted online data is gone'." a common mistake in Potential risks to data and personal information when information is transmitted and stored digitally?

Why it happens: Recycle bin / delete button. How to avoid it: Deleted from one service usually means hidden, not erased. Other services may have copies. Cached by search engines. Backed up by providers. Always assume online posts are permanent.

Why is "Confusing personal data with sensitive personal data." a common mistake in Potential risks to data and personal information when information is transmitted and stored digitally?

Why it happens: Both sound 'private'. How to avoid it: Personal = identifies someone. Sensitive (special category) = subset needing EXTRA protection: race, religion, health, biometrics, sexual orientation, etc.

Operating OnlinePearson Edexcel IGCSE ICT 4IT1

Potential risks to data and personal information when information is transmitted and stored digitally

Q: Why is "Calling all attacks 'hacking'." a common mistake in Potential risks to data and personal information when information is transmitted and stored digitally?

Why it happens: Hacking is a common umbrella term. How to avoid it: Phishing tricks the USER. Hacking exploits the SYSTEM. Identity theft uses stolen DETAILS. Be specific. Source: Edexcel 4IT1 examiner reports.

Q: Why is "Treating GDPR as a 'tech rule'." a common mistake in Potential risks to data and personal information when information is transmitted and stored digitally?

Why it happens: Associated with online services. How to avoid it: GDPR is a LEGAL framework. Compliance involves PROCESSES (consent, breach notification), not just technology.

Work through the notes, try the practice questions, then take the quiz. The report tells you exactly what to revise next.

PreviousNext

Learn this Topic

Start with the slides for the quick version, then go deeper with the full study notes.

Short Study Notes in the form of Slides

Read the notes first. If the method in a worked example clicks, you're ready for the questions.

Short Study Notes — Potential risks to data and personal information when information is transmitted and stored digitally

Start with these resources to cover the key concepts, then work through the practice questions.

Page 1 / 0

Detailed Notes

Full prose, callouts and a recap — built for A* mastery, not just a quick scan.

Take these study notes with you

Download a branded PDF — full prose, callouts, recap and memorise list for Potential risks to data and personal information when information is transmitted and stored digitally, ready to print or save offline.

Risks to Data and Personal Information — Edexcel IGCSE ICT (4IT1) Detailed Notes

The risks digital storage and transmission create — and the legal frameworks (GDPR, UK DPA 2018) plus personal and organisational safeguards that mitigate them.

What you’ll learn

Mapped to the Pearson Edexcel IGCSE 4IT1 syllabus (2026 onwards).

Distinguish personal, sensitive personal and non-personal data.
Identify the main risks to data when transmitted and stored digitally.
Describe how data-protection laws (GDPR, UK DPA) protect individuals.
List individual and organisational responsibilities.
Explain practical safeguards against common risks.
Evaluate the impact of a data breach.

Types of data — personal, sensitive, non-personal

Different categories warrant different protection.

Personal data: any information identifying a living individual — directly (name, photo) or indirectly (IP address, customer ID combined with other data).

Sensitive personal data (Special Category data under GDPR): requires stricter protection. Includes:

Race / ethnicity.
Religious / philosophical beliefs.
Political views.
Trade union membership.
Health and medical data.
Genetic and biometric data (where used for identification).
Sex life and sexual orientation.

Organisations need EXPLICIT consent or specific legal basis to process sensitive data.

Non-personal data: doesn't identify an individual. Aggregated statistics, anonymised research, public information about companies. Less regulated but still subject to general security.

Pseudonymised data: personal data with direct identifiers replaced (e.g., 'Patient 17' instead of name). Still treated as personal data because re-identification may be possible.

Main risks to personal data

Theft, breach, abuse, profiling, harassment.

1. Identity theft. Stolen personal details used to impersonate someone — open accounts, apply for credit, access services. The victim faces financial loss and a long recovery process.

2. Online fraud. Romance scams, fake invoices, investment fraud, phishing. Often combines personal data with social engineering.

3. Hacking and data breaches. Unauthorised access to systems holding personal data. Large breaches expose millions of records at once.

4. Phishing. Tricking users into revealing credentials through fake emails, websites, or phone calls.

5. Harassment and stalking. Personal data (address, school, daily routine) used to harass victims online or in real life.

6. Profiling and unwanted advertising. Data collected from many sources combined to build detailed profiles, used for targeted ads or manipulation.

7. Loss / accidental disclosure. Lost laptops, USB sticks, accidentally emailing the wrong person. Often the largest cause of breaches in surveys.

8. Surveillance. Pervasive monitoring of online behaviour by states, employers, or platforms. Chilling effect on free expression.

9. Discrimination. Algorithmic decisions based on personal data (job applications, loans, insurance) may discriminate unfairly.

GDPR and UK Data Protection Act 2018

Rights for individuals; duties for organisations.

Six lawful bases for processing personal data:

Consent — freely given, specific, informed, unambiguous.
Contract — necessary to fulfil a contract.
Legal obligation — required by law.
Vital interests — protect life.
Public task — public interest, official authority.
Legitimate interests — balanced against individual rights.

Rights of individuals (data subjects):

Right of access — see what data is held.
Right to rectification — correct inaccurate data.
Right to erasure ('right to be forgotten').
Right to restrict processing.
Right to data portability — receive data in machine-readable format.
Right to object to processing.
Rights regarding automated decision-making and profiling.

Duties of organisations (data controllers):

Lawful basis for processing.
Data minimisation — collect only what's needed.
Purpose limitation — use only for stated purpose.
Accuracy — keep data correct.
Storage limitation — retain only as long as needed.
Integrity and confidentiality — secure with appropriate measures.
Accountability — demonstrate compliance.
Breach notification — notify regulator within 72 hours; individuals 'without undue delay'.

Penalties: maximum fine is the GREATER of €20 million OR 4% of global annual turnover.

How individuals protect themselves

Strong credentials, careful sharing, awareness.

Credentials:

Strong, unique passwords (12+ chars, passphrase format).
Password manager (Bitwarden, 1Password).
MFA on important accounts (email, banking, work).

Sharing:

Privacy settings on social media.
Avoid sharing PII publicly (address, birthday, school).
Question what each app requests.
Subject Access Requests to see what's held.

Technology:

HTTPS websites only (padlock).
VPN on public Wi-Fi.
Browser privacy mode for sensitive searches.
Keep OS and apps updated.
Run antivirus.

Awareness:

Recognise phishing (urgency, errors, unexpected requests).
Verify before clicking links / opening attachments.
Question 'too good to be true' offers.
Educate younger family members on online risks.

How organisations protect data

Technical + administrative controls + governance.

Technical controls:

Encryption at rest and in transit.
Strong access controls (least privilege).
Network firewalls, IDS/IPS.
Endpoint antivirus + EDR.
Regular security patches.
Backup and disaster recovery.

Administrative controls:

Data protection policy.
Employee training (phishing, password, BYOD).
Acceptable use policy.
Incident response plan.
Regular audits.

Governance:

Data Protection Officer (required for some organisations).
Records of processing activities.
Data Protection Impact Assessments (DPIAs) for high-risk processing.
Vendor risk management (cloud, SaaS).
Breach response process.

By design and by default:

Privacy considerations built INTO systems from start (Privacy by Design).
Default settings should be MOST private (e.g., social media default = private).

When a breach happens

Contain, assess, notify, remediate.

Standard breach response:

Detect and contain. Find the breach scope. Isolate affected systems to stop spread.
Assess. What data? How many people? What harm could result?
Notify regulators. Under GDPR, within 72 hours. Provide breach nature, categories of data, approximate numbers, consequences, measures taken.
Notify individuals. If high risk to rights and freedoms, inform affected people 'without undue delay'. Include what happened, what data, what action they should take.
Remediate. Patch vulnerabilities, change passwords, improve controls.
Document. Even minor breaches must be logged.
Review. Post-incident review to prevent recurrence.

Costs of a breach:

Regulatory fines.
Customer compensation.
Notification costs (mail, helpdesk).
IT remediation.
Lost business (customer churn).
Reputation damage (often the largest).
Typical: £100–£300 per record exposed.

How it’s examined

Paper 1: Identify risks (4–6 marks); state safeguards (4–6 marks); explain laws (6–8 marks); recommend protections for a scenario (6–8 marks); discuss breach impact (6 marks).

Frequent stems: 'Name THREE risks to personal data online…', 'Describe how an individual can protect…', 'Explain the role of GDPR…', 'Discuss the impact of a data breach on…'

Sources: Pearson Edexcel International GCSE in Information and Communication Technology (4IT1) Specification — Issue 3; Edexcel 4IT1 Examiner Reports (2022–2024). Last reviewed 2026-05-19.

Master this Topic

Worked examples, formulae, definitions and the mistakes examiners flag — everything you need to push from a pass to an A*.

Take this whole topic with you

Download a branded revision sheet — worked examples, formulae, definitions and common mistakes for Potential risks to data and personal information when information is transmitted and stored digitally, ready to print or save as PDF.

Step-by-step worked examples — Potential risks to data and personal information when information is transmitted and stored digitally

Step-by-step solutions to past-paper-style questions on potential risks to data and personal information when information is transmitted and stored digitally, written exactly the way a tutor would explain them at the board.

1Classify each as personal, sensitive personal, or non-personal
Getting started• Edexcel 4IT1 style — short-answer (5 marks)• data-classification, AO1
Question
Classify each data item: (a) Customer's name and address. (b) Medical records. (c) Anonymised statistics about Friday sales. (d) Religious beliefs. (e) Email address.
Step-by-step solution
1. Step 1
  Personal = identifies someone. Sensitive = special category under GDPR. Anonymous = no individual identifiable.
Answer
(a) Personal data.

(b) Sensitive personal data (special category).

(c) Non-personal — anonymised, no individual identifiable.

(d) Sensitive personal data.

(e) Personal data.
Examiner tip
Sensitive (special category) data under GDPR: race, religion, sexual orientation, health, genetics, biometrics, political views. Stricter protection than ordinary personal data.
2Identify the data risk being described
Getting started• Edexcel 4IT1 style — short-answer (5 marks)• risks, AO1
Question
Identify the risk: (a) Using stolen identity details to open a bank account. (b) Pretending to be a bank to trick a user into revealing their PIN. (c) Stalking someone using personal details posted online. (d) An employee accidentally emailing customer list to wrong address. (e) Hackers selling stolen passwords on the dark web.
Step-by-step solution
1. Step 1
  Match each to the standard risk category.
Answer
(a) Identity theft / fraud.

(b) Phishing / social engineering.

(c) Online harassment / stalking.

(d) Accidental data breach.

(e) Data theft / breach for criminal sale.
Examiner tip
Risks combine TYPE (theft, fraud, harassment) and CAUSE (malicious, accidental). Be specific.
3Match the protection to the risk
Building confidence• Edexcel 4IT1 style — short-answer (5 marks)• protection, AO1, AO2
Question
State the MOST appropriate protection: (a) Hackers reading data in transit on public Wi-Fi. (b) Stolen laptop with sensitive files. (c) Phishing emails reaching staff inboxes. (d) Customer accounts compromised by leaked password. (e) Stolen credentials used from far-away IP.
Step-by-step solution
1. Step 1
  Match defence to the specific threat.
Answer
(a) VPN + HTTPS (encryption in transit).

(b) Full-disk encryption + remote wipe.

(c) Email filter + staff phishing training.

(d) Multi-factor authentication (MFA).

(e) Geographic anomaly detection / risk-based authentication.
Examiner tip
Modern security pairs RISKS with appropriate CONTROLS. Generic 'antivirus' doesn't fit every case.
4Calculate the cost of a data breach
Building confidence• Edexcel 4IT1 style — calculation (5 marks)• breach-cost, AO1, AO2
Question
A breach exposes 10,000 customer records. Industry estimate: £150 per record (notification, regulatory fines, customer compensation, lost trust). Calculate (a) total cost, (b) state how this compares to spending £15,000 on preventive security upfront.
Step-by-step solution
1. Step 1
  Records × cost per record; compare ROI.
Answer
(a) Total cost = 10,000 × £150 = £1,500,000 = £1.5 million.

(b) Spending £15,000 on security is 0.01% of the breach cost — clearly worthwhile if it prevents the breach. Even reducing breach risk by 10% would 'save' £150,000 on average.

(Industry average cost-per-record varies by sector: healthcare ~£300, finance ~£250, retail ~£100.)
Examiner tip
Breach costs include direct (compensation, fines) AND indirect (lost customers, reputation damage). The indirect costs often dominate.
5Calculate maximum GDPR fine
Higher• Edexcel 4IT1 style — calculation (5 marks)• gdpr, AO1, AO2
Question
GDPR maximum fine is the GREATER of (a) €20 million OR (b) 4% of annual global turnover. Calculate the maximum fine for: (i) Small business with €2m turnover. (ii) Large company with €5 billion turnover. (iii) Tech giant with €100 billion turnover.
Step-by-step solution
1. Step 1
  4% of turnover vs €20m, take whichever is greater.
Answer
(i) 4% × €2m = €80,000. €20m is greater → fine cap €20m.

(ii) 4% × €5bn = €200m. Greater than €20m → fine cap €200m.

(iii) 4% × €100bn = €4bn. → fine cap €4bn.

GDPR's % approach ensures fines scale with company size — small fines for small companies, massive for tech giants.
Examiner tip
GDPR fines have been levied at €746m (Amazon, 2021) and €1.2bn (Meta, 2023). They're real and growing.
6Calculate the spread of a leaked password
Higher• Edexcel 4IT1 style — calculation (5 marks)• credential-stuffing, AO1, AO2, AO3
Question
A user reuses the same password across 15 online accounts. One service (a niche forum) is breached and the password leaks. Calculate (a) how many other accounts are potentially compromised, (b) if just 20% of breached accounts have valuable data (banking, work), how many are at risk.
Step-by-step solution
1. Step 1
  Reuse means all linked accounts are at risk.
Answer
(a) 14 other accounts are potentially compromised — credential stuffing attacks will try the same password on other services.

(b) Valuable accounts at risk = 14 × 20% = ~3 high-value accounts — potentially including banking, work email, payment services.

Mitigation: use a password manager + unique password per service. Credential stuffing accounts for 80%+ of account takeovers.
Examiner tip
Password reuse is the single biggest cause of account compromises. ONE breach + reuse = many compromises.
7Explain how individuals can protect their personal data
Higher• Edexcel 4IT1 style — explain (6 marks)• personal-protection, AO1, AO2
Question
Explain THREE actions individuals can take to protect their personal data when using online services.
Step-by-step solution
1. Step 1
  Each action: name + how it protects + concrete example.
Answer
1. Use strong, unique passwords with a password manager. Credential stuffing — attackers reuse leaked passwords across many sites. A different password per service prevents one breach cascading. Password managers (Bitwarden, 1Password) generate and store unique passwords automatically.

2. Enable Multi-Factor Authentication (MFA) on important accounts. Even if the password leaks, the attacker needs the second factor (authenticator app, SMS, hardware key). Blocks 99% of automated attacks. Especially important for email, banking, work accounts.

3. Limit what is shared online.

Privacy settings on social media — restrict who can see posts.

Don't post identifiable information (full address, birthday, holiday plans).

Question what data each app requests — does the torch app really need your contacts?

Right-to-be-forgotten / data subject access requests under GDPR allow individuals to delete or download their data.

(Additional actions candidates may mention: regular software updates, browser privacy mode, VPN on public Wi-Fi, recognising phishing, regular account audits, separate email for low-trust services.)
Examiner tip
Each action needs: NAME + HOW it protects + WHEN/WHERE to apply. Generic 'be careful' answers cap at 2/6.
8Explain the role of data-protection laws
Stretch• Edexcel 4IT1 style — extended (8 marks)• gdpr-laws, AO1, AO2, AO3
Question
Explain the purpose of data-protection laws (such as GDPR or UK Data Protection Act 2018), describing THREE rights of individuals AND THREE responsibilities of organisations.
Step-by-step solution
1. Step 1
  Rights + responsibilities + concrete examples.
Answer
Purpose: data-protection laws establish how personal data must be handled — giving individuals control over their own data and obligating organisations to act responsibly. They aim to balance the benefits of digital services with personal privacy and prevent misuse.

Three rights of individuals (under GDPR / UK DPA 2018):

Right of access (Subject Access Request). Any individual can ask an organisation 'what data do you hold about me?'. The organisation must respond, free of charge, usually within 30 days.

Right to be forgotten (erasure). Individuals can request that their data be deleted in many circumstances (no longer needed, consent withdrawn, processing was unlawful).

Right to rectification. If data held is wrong, the individual can demand correction. Important for accuracy and avoiding decisions based on incorrect data.

Three responsibilities of organisations:

Lawful basis for processing. Organisations must have a legal reason to use personal data — consent, contract, legal obligation, vital interests, public task, or legitimate interest.

Data minimisation and purpose limitation. Collect only what is needed; use only for the stated purpose.

Breach notification. If personal data is exposed, the organisation must notify the regulator within 72 hours, and affected individuals 'without undue delay' if there is high risk.

Penalties: GDPR fines can reach €20 million OR 4% of global turnover, whichever is GREATER. Examples: Amazon €746m (2021), Meta €1.2bn (2023).

Conclusion: modern data protection law shifts the balance toward the individual — they have rights, and organisations have obligations enforced by significant penalties.
Examiner tip
A* answers (1) name specific rights + responsibilities, (2) give concrete examples, (3) mention real penalties, (4) acknowledge the balance between rights and obligations.
9Discuss risks to teenagers from social media data sharing
Stretch• Edexcel 4IT1 style — extended (8 marks)• social-media, teenagers, AO1, AO2, AO3
Question
Discuss the risks faced by teenagers from sharing personal information on social media, including potential mitigations.
Step-by-step solution
1. Step 1
  Identify risks; explain impact; suggest mitigations.
Answer
Risks faced by teenagers:

1. Identity theft. Birthday + name + school + address (often visible in profiles or posts) is enough for someone to impersonate a teenager — opening accounts, applying for credit cards.

2. Online predators / grooming. Strangers can build relationships with vulnerable young people through fake profiles, exploit them emotionally or financially, or attempt to meet in person.

3. Cyberbullying. Personal information enables targeted bullying — finding home addresses, schools, friends. Has led to real-world harm and tragic outcomes.

4. Long-term digital footprint. Posts made at 14 may resurface at 24 when applying for university or jobs. Employers and admissions officers do check.

5. Data exploitation by companies. Apps profile minors for advertising, sometimes against their best interests (junk food, gambling-adjacent content).

6. Location tracking. Tagging photos with location or 'checking in' tells strangers where the teenager is or lives.

Mitigations:

Privacy settings — limit who can see posts and profile data.

Don't share PII — full address, phone, school, daily routine.

Question friend requests — only accept known people.

Disable location tagging in app permissions.

Education — schools and parents must teach digital literacy.

Legal protections — UK Online Safety Act 2023 places duties on platforms to protect children.

Account separation — public 'work' account vs private 'friends' account.

Conclusion: social media offers real benefits to teenagers (connection, expression, community) but the risks are serious and the burden falls on individuals, parents, platforms AND regulators. Education and platform-level protections are essential.
Examiner tip
A* answers (1) identify SPECIFIC risks, (2) describe IMPACTS, (3) propose layered MITIGATIONS, (4) conclude with balanced view.

Key Formulae — Potential risks to data and personal information when information is transmitted and stored digitally

The formulae you need to memorise for potential risks to data and personal information when information is transmitted and stored digitally on the Pearson Edexcel IGCSE 4IT1 paper, with every variable defined in plain English and a note on when to use it.

Total data breach cost
$Breach Cost = Records Exposed × Cost per Record$
$Cost per Record$
Industry average: £100–£300 depending on sector
When to use
Estimating financial impact of a data breach.
Example
10,000 × £150 = £1.5m total cost.
GDPR maximum fine
$Max Fine = MAX(€20 million, 4% × Annual Global Turnover)$
When to use
Calculating regulatory exposure.
Example
Company turnover €5bn: 4% = €200m → fine cap €200m.
Accounts at risk from credential reuse
$Accounts at Risk = (Reused Accounts − 1) × Probability of Targeting$
When to use
Quantifying credential reuse risk.
Example
14 accounts × 20% high-value = ~3 high-risk.

Key Definitions and Keywords — Potential risks to data and personal information when information is transmitted and stored digitally

Definitions to memorise and the exact keywords mark schemes credit for potential risks to data and personal information when information is transmitted and stored digitally answers — sharpened from recent examiner reports for the 2026 Pearson Edexcel IGCSE 4IT1 sitting.

Personal data
Examiner keyword
Any information relating to an identified or identifiable person — name, address, phone, email, IP address, photos.
Sensitive personal data (special category)
Examiner keyword
Data needing extra protection: race, ethnicity, religion, political views, trade union membership, health, genetics, biometrics, sex life or orientation.
Identity theft
Examiner keyword
Stealing someone's personal details to impersonate them — opening accounts, applying for credit, accessing services in their name.
Online fraud
Examiner keyword
Deception conducted online for financial gain — fake invoices, payment scams, romance scams, investment fraud.
Data breach
Examiner keyword
An incident where personal data is exposed, lost, or accessed without authorisation. Can be malicious (hacking) or accidental (lost device, wrong recipient).
Credential stuffing
Automated attack using leaked username/password pairs against many sites, exploiting password reuse.
GDPR (General Data Protection Regulation)
Examiner keyword
EU regulation (2018) governing how personal data must be processed. Strong rights for individuals; significant fines for organisations breaching rules.
UK Data Protection Act 2018
Examiner keyword
The UK implementation of GDPR. Sets rules for collection, storage and use of personal data.
Subject Access Request (SAR)
An individual's right under GDPR to ask any organisation what data it holds about them. Organisations must respond within 30 days, usually free.
Right to be forgotten (erasure)
An individual's right to demand that personal data held about them be deleted, in many circumstances.
Data controller
An organisation that decides WHY and HOW personal data is processed. Has primary legal responsibility under GDPR.
Data processor
An organisation that processes data ON BEHALF OF a controller (e.g., a payroll service, a cloud provider).

Common Mistakes and Misconceptions — Potential risks to data and personal information when information is transmitted and stored digitally

The traps other students keep falling into on potential risks to data and personal information when information is transmitted and stored digitally questions — taken from recent Pearson Edexcel IGCSE 4IT1 examiner reports and mark schemes — and how to avoid them.

✕Calling all attacks 'hacking'.
Edexcel 4IT1 examiner reports.
Why it happens
Hacking is a common umbrella term.
How to avoid it
Phishing tricks the USER. Hacking exploits the SYSTEM. Identity theft uses stolen DETAILS. Be specific.
✕Treating GDPR as a 'tech rule'.
Why it happens
Associated with online services.
How to avoid it
GDPR is a LEGAL framework. Compliance involves PROCESSES (consent, breach notification), not just technology.
✕Discussing only organisational protections, ignoring individual responsibility.
Why it happens
Focus on big-tech security.
How to avoid it
Both ORGANISATIONS and INDIVIDUALS have roles in data protection. Strong passwords, MFA, careful sharing — all individual actions.
✕Assuming public Wi-Fi is automatically encrypted.
Why it happens
Devices connect successfully.
How to avoid it
Many public networks are OPEN (no Wi-Fi password). Even with WPA2, the operator can see your traffic. Use VPN or HTTPS only.
✕Believing 'deleted online data is gone'.
Why it happens
Recycle bin / delete button.
How to avoid it
Deleted from one service usually means hidden, not erased. Other services may have copies. Cached by search engines. Backed up by providers. Always assume online posts are permanent.
✕Confusing personal data with sensitive personal data.
Why it happens
Both sound 'private'.
How to avoid it
Personal = identifies someone. Sensitive (special category) = subset needing EXTRA protection: race, religion, health, biometrics, sexual orientation, etc.

Practice questions

Exam-style questions with step-by-step worked solutions. Try one before checking the method.

Past paper style quiz

Get a report showing which sub-topics you've nailed and which ones still need work.

Potential risks to data and personal information when information is transmitted and stored digitally

Short Study Notes in the form of Slides

Short Study Notes — Potential risks to data and personal information when information is transmitted and stored digitally

Detailed Notes

What you’ll learn

How it’s examined

1Classify each as personal, sensitive personal, or non-personal

2Identify the data risk being described

3Match the protection to the risk

4Calculate the cost of a data breach

5Calculate maximum GDPR fine

6Calculate the spread of a leaked password

7Explain how individuals can protect their personal data

8Explain the role of data-protection laws

9Discuss risks to teenagers from social media data sharing

Total data breach cost

GDPR maximum fine

Accounts at risk from credential reuse

Personal data

Sensitive personal data (special category)

Identity theft

Online fraud

Data breach

Credential stuffing

GDPR (General Data Protection Regulation)

UK Data Protection Act 2018

Subject Access Request (SAR)

Right to be forgotten (erasure)

Data controller

Data processor

✕Calling all attacks 'hacking'.

✕Treating GDPR as a 'tech rule'.

✕Discussing only organisational protections, ignoring individual responsibility.

✕Assuming public Wi-Fi is automatically encrypted.

✕Believing 'deleted online data is gone'.

✕Confusing personal data with sensitive personal data.

Practice questions

Past paper style quiz

Assess your understanding