Editor's note: This blog post was originally published in March 2017 and has since been updated for optimal relevance.
It's now been a whole year since the General Data Protection Regulation (GDPR) came into effect.
On 25th May 2018, the GDPR brought significant changes to data protection laws. The new regulation was designed to harmonise data privacy laws across Europe and to protect consumers.
Now that the initial buzz has faded, is it time for a refresh on what GDPR means for your business? Maybe you still aren't 100% sure of the measures you should be taking to ensure your company doesn't come under fire.
If this is the case, then look no further!
Answers to 10 top frequently asked questions about GDPR:
1. What is GDPR?
GDPR stands for General Data Protection Regulation. GDPR came into effect on 25th May 2018 as the new European Union Regulation, replacing the Data Protection Directive (DPD) and the UK Data Protection Act 1998.
After many years of debate, it was approved by the EU Parliament on April 14th 2016. It concerns the protection of personal data and the rights of individuals, and its aim is to ease the flow of personal data across the 28 EU member states.
2. When did GDPR come into effect?
The Regulation came into effect on 25th May 2018 and brought with it significant changes to data protection laws as we knew them. Any company deemed non-compliant faces hefty fines.
3. Who does GDPR apply to?
Any organisation which processes and holds the personal data of data subjects residing in the EU is obliged to abide by the laws set out by GDPR. This applies to every organisation, regardless of whether or not they themselves reside in one of the 28 EU member states.
4. What responsibilities do companies have under GDPR?
Under GDPR, organisations have to ensure that personal data is gathered legally and with consent from the individual. Those who do collect it are obliged to protect it from misuse and exploitation.
If a data breach does happen, for example if information gets lost or stolen, organisations are required under GDPR to report it to the relevant supervisory authority within 72 hours of becoming aware of it.
5. What kind of information does the GDPR apply to?
Much like the Data Protection Act 1998, GDPR applies to personal data, meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.
According to eugdpr.org, this definition "provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people."
The ICO outline the full list of identifiers that could be used to distinguish an individual here.
6. What specific rules should businesses be following in order to ensure compliance?
Article 5 of the EU GDPR states that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected only for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Held only for the absolute time necessary and no longer
- Processed in a manner that ensures appropriate security of the personal data
7. What are the penalties for failing to comply with GDPR?
The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed.
The maximum fine a company can face is 4% of its annual global turnover, or €20 million, whichever is higher. Less serious violations, such as keeping improper records or failing to notify of a breach, can be fined a maximum of 2% of annual global turnover, or €10 million.
There have been a number of fines already issued under GDPR over the last year. In January, Google were fined €50 million, the largest and most high-profile fine for GDPR violations so far.
You can read more about the latest GDPR fines in our recent post, The biggest fines for data breaches pre and post GDPR.
8. What effect, if any, does Brexit have on GDPR?
If a company processes data about individuals in the context of selling goods or services to citizens in other EU countries, then it will need to comply with the GDPR, regardless of whether or not the UK retains the GDPR post-Brexit. If activities are limited to the UK, then the position after the initial exit period is less clear.
9. Should all organisations have a Data Protection Officer (DPO)?
It is not necessarily compulsory for all organisations to appoint a DPO as this is dependent upon a number of factors. According to the ICO, a company should appoint a DPO if they:
- are a public authority (with the exception of courts acting in their judicial capacity)
- carry out large scale systematic monitoring of individuals, such as online behaviour tracking; or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences
Any organisation is able to appoint a DPO if they wish to do so. However, even if a company chooses not to appoint a DPO because the above doesn't apply to them, they must still ensure that they have sufficient staff and skills in place to be able to carry out their obligations under the GDPR.
10. What rights do individuals have under GDPR?
There are 8 fundamental rights of individuals under GDPR. These are:
- The right to be informed - Organisations must be completely transparent in how they are using personal data.
- The right of access - Individuals will have the right to know exactly what information is held about them and how it is processed.
- The right of rectification - Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure - Also known as 'the right to be forgotten', this refers to an individual's right to have their personal data deleted or removed without needing to give a specific reason for wishing to discontinue.
- The right to restrict processing - Refers to an individual's right to block or suppress processing of their personal data.
- The right to data portability - This allows individuals to retain and reuse their personal data for their own purpose.
- The right to object - In certain circumstances, individuals are entitled to object to their personal data being used. This includes, if a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
- Rights related to automated decision making and profiling - The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or which is based on automated processing.
To refresh your staff on everything they need to know about GDPR, download our free, customisable training presentation.
Want to know more about GDPR?
As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.
If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!