10 Top Frequently Asked Questions About GDPR
The General Data Protection Regulation (GDPR) ushered in a new era in the protection of personal data in 2018. Any company deemed non-compliant faces potentially hefty fines.
This regulation harmonised data privacy laws across Europe and give EU residents greater protection over how their personal data is used.
Although the initial buzz of the GDPR has faded, this is still a developing area. Is it time for a refresh on what GDPR means for your business? Maybe you still aren't 100% sure what measures you should be taking to ensure your company doesn't come under fire.
If this is the case, then look no further!
Answers to 10 top frequently asked questions about GDPR:
1. What is the GDPR?
GDPR stands for the General Data Protection Regulation. GDPR came into effect on 25th May 2018 as the new European Union Regulation, replacing the Data Protection Directive (DPD) and The UK Data Protection Act 1998.
After many years of debate it was approved by the EU Parliament on April 14th 2016 and involves the protection of personal data and the rights of individuals. Its main aim is to ease the flow of personal data and increase privacy and rights for EU residents across all member states.
2. When did the GDPR come into effect?
The Regulation came into effect on the 25th May 2018 and brought with it significant changes to current data protection laws.
3. Who does the GDPR apply to?
Any organisation which processes and holds the personal data of EU citizens is obliged to abide by the laws set out by GDPR. This applies to every organisation, regardless of whether or not they themselves reside in one of the 28 EU member states.
4. What responsibilities do companies have under the GDPR?
Under the GDPR, organisations have to meet six data protection principles whenever they process personal data - including ensuring that their use of personal data is lawful, fair and transparent. Those who do collect it are obliged to protect it from misuse and exploitation.
If a data breach does happen, if information gets lost or stolen for example, organisations are required under the GDPR to report certain types of breaches to the relevant supervisory authority within 72 hours of them becoming aware of it.
5. What kind of information does the GDPR apply to?
Much like the Data Protection Act 1998, GDPR applies to personal data, meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.
According to eugdpr.org, this definition "provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people."
The ICO provides a full list of identifiers that could be used to distinguish an individual.
Crucially, organisations need to take extra care when processing special category (sensitive) data - for example, personal information about someone's race or ethnic origin, political or religious beliefs, biometric data, health, sex life or sexual orientation.
6. What specific rules should businesses be following in order to ensure compliance?
GDPR Article 5 states that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected only for specified, explicit and lawful purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept only for as long as it is needed and no longer
- Protected in a manner that ensures its security and integrity
7. What are the penalties for failing to comply with the GDPR?
The GDPR introduced a tiered approach to fines, meaning that the severity of the breach determines the fine imposed.
The maximum fine a company can face is 4% of their annual global turnover, or €20 million, whichever is the highest. For less serious violations, such as having improper records, there is a maximum of 2% of their annual global turnover, or €10 million.
While the early promise of bumper fines has not yet materialised, there have been a number of fines already issued under GDPR over the last year. In July, the ICO made clear its intention to fine British Airways £183 million, the largest and most high-profile fine for GDPR violations so far.
8. What effect, if any, does Brexit have on GDPR?
If a company processes data about individuals in the context of selling goods or services to citizens in other EU countries then it will need to comply with the GDPR, regardless as to whether or not the UK retains the GDPR post-Brexit. If activities are limited to the UK, then the position after the initial exit period is less clear.
9. Should all organisations have a Data Protection Officer (DPO)?
It is not compulsory for organisations to appoint a DPO, it depends upon a number of factors. According to the ICO, a company should appoint a DPO if they:
- are a public authority (with the exception of courts acting in their judicial capacity)
- carry out large scale systematic monitoring of individuals, such as, online behaviour tracking; or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences
Any organisation can appoint a DPO if they wish to do so. However, even if a company chooses not to appoint a DPO because the above doesn't apply to them, they must still ensure that they have sufficient staff and skills in place to be able to carry out their obligations under the GDPR.
10. What individual's fundamental rights under the GDPR?
- The right to be informed - Individuals have a right to be told what personal data our organisation collects about them, the lawful basis that applies, how their data will be used, and who else it will be shared with. Companies must be completely transparent in how they are using personal data.
- The right of access - Individuals have the right to obtain a copy of personal information that is held about them. This lets them check how their data is being processed and whether it is lawful.
- The right of rectification - Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure - Also known as 'the right to be forgotten', this refers to an individual's right to have their personal data deleted or removed in certain circumstances.
- The right to restrict processing - This refers to an individual's right to block or suppress processing of their personal data (e.g. if there is an appeal pending).
- The right to data portability - Individuals are entitled to move, copy or transfer their personal data from one IT environment to another, should they choose to do so (e.g. to "port" their data to another price comparison site).
- The right to object - In certain circumstances, individuals are entitled to object to their personal data being processed. This includes if a company uses personal data for direct marketing, for its legitimate interests, for scientific and historical research, or for the performance of a task in the public interest.
- Rights related to automated decision making and profiling - The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. Individuals are entitled to request human intervention or challenge decisions where automated decisions are made and where the consequence has a legal or significant effect on them.
Want to know more about the GDPR?
As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library?
If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!