Almost five years after it came into force, many are still unsure of the basics of GDPR. And in the UK, Brexit has not exactly helped bring clarity.
So we have answered the top 10 questions everyone has been asking.
For those wanting to avoid the hefty fines resulting from GDPR breaches, read our GDPR roadmap, which explains how to maintain compliance.
Top 10 GDPR Questions Answered
1. What is the GDPR?
GDPR stands for the General Data Protection Regulation. GDPR came into effect on 25th May 2018 as the new European Union Regulation, replacing the Data Protection Directive (DPD) and The UK Data Protection Act 1998.
After many years of debate, it was approved by the EU Parliament on April 14th 2016. It relates to the protection of personal data and the rights of individuals. Its main aim is to ease the flow of personal data and increase privacy and rights for EU residents across all member states.
2. When did the GDPR come into effect?
The Regulation came into effect on the 25th of May 2018 and brought significant changes to current data protection laws.
3. To whom does the GDPR apply?
Any organisation which processes and holds the personal data of EU citizens is obliged to abide by the laws set out by GDPR. This applies to every organisation, regardless of whether or not they reside in one of the 27 EU member states.
4. What responsibilities do companies have under the GDPR?
Under the GDPR, organisations have to meet six data protection principles whenever they process personal data - including ensuring that their use of personal data is lawful, fair and transparent. Those who do collect it are obliged to protect it from misuse and exploitation.
If a data breach does happen, for example, if information gets lost or stolen. Then organisations are required under the GDPR to report certain types of breaches to the relevant supervisory authority within 72 hours of them becoming aware of it.
5. What kind of information does the GDPR apply to?
Much like the Data Protection Act 1998, GDPR applies to personal data, meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.
According to gdpr-info.eu, this definition provides for a wide range of personal identifiers "such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
The ICO provides a full list of identifiers that could be used to distinguish an individual.
Crucially, organisations need to take extra care when processing special category (sensitive) data - for example, personal information about someone's race or ethnic origin, political or religious beliefs, biometric data, health, sex life or sexual orientation.
6. What rules should businesses follow to ensure compliance?
GDPR Article 5 states that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected only for specified, explicit and lawful purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept only for as long as it is needed and no longer
- Protected in a manner that ensures its security and integrity
7. What are the penalties for GDPR breaches?
The GDPR introduced a tiered approach to fines, meaning that the severity of the breach determines the fine imposed.
The maximum fine a company can face is 4% of their annual global turnover, or €20 million, whichever is the highest. For less serious violations, such as having improper records, there is a maximum of 2% of their annual global turnover, or €10 million.
Each year significant fines are issued for GDPR breaches. In the year following the introduction of the regulation, these reached hundreds of millions. Although the biggest penalties have gotten smaller, they still reach tens of millions.
8. How does Brexit affect GDPR?
If a company processes data about individuals in the context of selling goods or services to citizens in other EU countries, it needs to comply with the GDPR.
From the 1st of January 2021, the UK stopped being part of the EU, meaning that the EU GDPR no longer protected UK citizens. Now the general data protection regime that applies to most UK businesses and organisations is the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018.
It explains each of the data protection principles, rights and obligations. It summarises the key points you need to know, answers frequently asked questions and contains practical checklists to help you comply.
9. Does everyone need a Data Protection Officer (DPO)?
It is not compulsory for organisations to appoint a DPO. It depends upon a number of factors.
The ICO stated a DPO is required if companies:
- Are a public authority; with the exception of courts acting in their judicial capacity)
- Carry out large-scale systematic monitoring of individuals, such as online behaviour tracking; or
- Carry out large-scale processing of special categories of data or data relating to criminal convictions and offences
Any organisation can appoint a DPO if they wish to do so. However, even if a company chooses not to appoint a DPO because the above doesn't apply to them, they must still ensure that they have sufficient staff and skills in place to be able to carry out their obligations under the GDPR.
10. What are GDPR fundamental rights?
- The right to be informed - Individuals have a right to be told what personal data our organisation collects about them, the lawful basis that applies, how their data will be used, and who else it will be shared with. Companies must be completely transparent in how they are using personal data.
- The right of access - Individuals have the right to obtain a copy of personal information that is held about them. This lets them check how their data is being processed and whether it is lawful.
- The right of rectification - Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure - Also known as 'the right to be forgotten', this refers to an individual's right to have their personal data deleted or removed in certain circumstances.
- The right to restrict processing - This refers to an individual's right to block or suppress the processing of their personal data (e.g. if there is an appeal pending).
- The right to data portability - Individuals are entitled to move, copy or transfer their personal data from one IT environment to another, should they choose to do so (e.g. to "port" their data to another price comparison site).
- The right to object - In certain circumstances, individuals are entitled to object to their personal data being processed. This includes if a company uses personal data for direct marketing, for its legitimate interests, for scientific and historical research, or for the performance of a task in the public interest.
- Rights related to automated decision-making and profiling - The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. Individuals are entitled to request human intervention or challenge decisions where automated decisions are made and where the consequence has a legal or significant effect on them.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.