FAQ: Common Questions We’re Asked About GDPR

Few people in the privacy space could have failed to notice that there is a big regulatory change around the corner. GDPR is designed to give individuals more control over how their personal data is used – and give businesses a simpler, clearer environment in which to operate.

But what does it mean for your business?

Scroll through our FAQ for the full lowdown.


1. What does GDPR stand for?
2. When does the GDPR take effect?
3. Why is GDPR important?
4. What are the GDPR requirements?
5. What happens if my company is not in compliance with GDPR?
6. Who does GDPR apply to?
7. How does GDPR impact businesses outside of the EU?
8. How should my business prepare for GDPR?
9. Is GDPR retrospective?
10. Who within my company is responsible for compliance?
11. Should my business hire a Data Protection Officer (DPO) to comply with GDPR?
12. What will preparing for GDPR cost my company?
13. What is the difference between a data processor and a data controller?
14. What type of data is protected under the GDPR?
15. What is the “right to be forgotten”?
16. Who owns personal data under the GDPR?
17. What does privacy by design mean?
18. What is a privacy impact assessment (PIA)?
19. Is there a good summary of GDPR?
20. Where can I find further good reading on the GDPR?

 

1. What does GDPR stand for?

GDPR is short for the ‘General Data Protection Regulation’. The first draft of this new law first appeared back in 2012. After four years of negotiation and debate we now have the end results: a law that looks set to overhaul Europe’s entire data protection framework.

 

2. When does the GDPR take effect?

GDPR comes into force on 25 May 2018. Unlike the piece of legislation it replaces, GDPR is an EU Regulation rather than a Directive. This means that it comes into force automatically across the EU on that date – without each of the member states having to pass a specific law to implement it.

 

3. Why is GDPR important?

The current EU Data Protection Directive dates back to 1995. To put things in perspective, at that time, Google wasn’t even born yet, Amazon was a tiny online bookseller and Mark Zuckerberg was still in high school.

Fast forward to the present, and the majority of purchases are now made online. The average adult has somewhere between 95 and 130 online accounts. Compared to 20 years ago, the ability of organisations to harvest and analyse information about their customers – not to mention, monitor behaviour, is in a completely different league.

So GDPR represents a shake-up of the rules to reflect this reality.

For individuals, GDPR sees the introduction of new rights. Consumers will have greater control over the data organisations hold on them – including a say on when it should be deleted or transferred to other parties.

For businesses, one of the biggest challenges involves ensuring that customers are able to exercise those rights. For many firms, this will involve taking a long hard look at how consent is obtained for certain data processing activities. It also involves an ongoing review of technical and organisational measures to ensure personal data is adequately protected.

 

4. What are the GDPR requirements?

GDPR is a real doorstopper of an Act. All organisations need to consider the legislation in the whole and conduct an analysis of the impact of GDPR on their activities. That said, some of the most significant requirements are as follows…

      • Many organisations will need to appoint a Data Protection Officer. In particular, this applies to those companies who regularly and systematically process personal data or monitor data subjects.
      • Transparency is vital. You are under a duty to be upfront with customers, employees and others about how their data is processed. This means you have to know what you do and why, and be able to convey that in a clear and comprehensive manner.
      • Privacy Impact Assessments will become a fact of life. Where any new or existing data processing activity will result in a high risk to the rights and freedoms of individuals, companies will be required to carry out a systematic review of how best to safeguard those rights.
      • Deletion and portability. You need to able to delete data when no longer necessary, and transfer it elsewhere if requested by the people it refer to. Are your systems designed to make that possible?
      • Privacy by design and default. In other words, safeguards to ensure the protection of personal data needs to be hardwired into your processes and systems.
      • Accountability. Being compliant isn’t enough. You have to show that you are abiding by the rules. This includes maintaining an up-to-date register of data processing activities. In the event of a security breach, it also involves being able to give a full account of what happened and the preventative measures you had in place when reporting that breach.

 

5. What happens if my company is not in compliance with GDPR?

First off, there is a new fine regime to bear in mind. For a serious breach of GDPR (e.g. a major security breach where the organisation had woefully inadequate protective measures in place), the maximum administrative fine is up to 4% of global turnover or EUR 20 million, whichever is higher. For other breaches (e.g. inadequate record keeping or failure to report a breach), regulators will have the power to issue penalties of up to 2% of global turnover or EUR 10 million.

Also, under Article 82 of the Regulation, there’s a direct right of action for data subjects to claim compensation from the data controller or processor. So if data has been incorrectly held or used and the individual has suffered damage, firms could find themselves being hit by legal action.

Finally, don’t overlook the possible reputational repercussions of non-compliance. Certainly when it comes to sanctions issued by the regulator, this information will be in the public domain. Staying compliant is crucial for any business seeking to maintain their reputation as a safe pair of hands in the digital marketplace.

 

6. Who does GDPR apply to?

 GDPR applies to natural or legal persons, public authorities, agencies or other bodies processing personal data (processing in the course of exclusively personal/household activities is excluded).

How GDPR in detail affects you depends on the nature of your processing activities, but regardless of size and shape of your business, chances are high you are in scope.

If you are not sure whether GDPR applies to you, best is to assume that it does!

 

7. How does GDPR impact businesses outside of the EU?

Businesses based outside the EU need to comply with GDPR if they process, manage or store personal data related to data subjects in EU, or if they process personal data on behalf of EU businesses. So no matter where you are based, if you do business in or with people and organisations in EU, you need to ensure GDPR compliance.

 

8. How should my business prepare for GDPR?

Becoming compliant does not happen overnight. This is especially the case if you need to put new procedures in place – to deal with GDPR’s new transparency and individuals’ rights provisions, for instance…

        • Build awareness. From on-the-ground IT to board level, ensure that decision makers and key staff are aware that the law is changing. All individuals involved in the GDPR-readiness project should be aware of their responsibilities – what they need to do and when. This will help avoid a last minute scramble as the implementation date approaches.
        • Map your data. What personal data do you hold? What is its purpose? Where is it stored? Where did it come from and who do you share it with? For this type of fundamental data audit, having the right tool in place to help you map, visualise and manage your data can make life so much easier. For a closer look at how this can help you, sign up for our free demo.
        • Consider designating a Data Protection Officer. Decide who will take responsibility for compliance and where this role will sit within your organisational structure. For many organisations, this will involve formally designating a Data Protection Officer.
        • Review your security breach prevention procedures. This will involve a security audit to ensure that the data protection measures you have in place are adequate. Make sure you have the right procedures in place to detect, respond to and report breaches in accordance with the Regulation.
        • Review and refresh your consent procedure. Look at how you obtain, record and manage consent. Consider whether any changes will be needed to your existing procedures in good time for GDPR implementation. The same applies to your current privacy notices.
        • Do you facilitate the ability of individuals to exercise their rights? If a customer asks for a copy of the data you hold on them, will you be able to provide it? What happens if someone asks you to delete or transfer their data to another party? Review your infrastructure and procedures to ensure that if you receive such requests, you are able to comply.

Learn more about the areas you should be looking at right now to ensure you stay on the right side of the regulation here.

 

9. Is GDPR retrospective?

You will need to look carefully at all of your existing data processing activities to ensure you are compliant. Let’s say you use customer data for marketing purposes. Do you have specific consent for this? Is that consent clear, prominent, opt-in, documented and easily withdrawn? If not, you will need to alter your existing mechanisms in time for GDPR coming into force.

 

10. Who within my company is responsible for compliance?

Regulator guidance recommends that firms designate a member of staff to oversee compliance. Who this should be will depend on your organisational structure – and demands careful consideration. For instance, rather than automatically placing it in the hands of your all-purpose IT guy, look carefully at that individual’s specific competence in data protection.

Now might be an ideal time for upskilling in this area. It is certainly worth considering a training/CPD course integrating specific GDPR requirements alongside broader information security standards (ISO 27001, for instance) – to ensure your people are up to speed.

 

11. Should my business hire a Data Protection Officer (DPO) to comply with GDPR?

A DPO is someone who is given formal responsibility for data protection and compliance within an organisation. That person could be an employee of the business or an external professional. GDPR introduces new rules that will require many – but not all – businesses to appoint a DPO.

Article 37 of the Regulation states that a DPO must be appointed if:

      • the relevant data processing activity is carried out by a public authority or body
      • the core activities of the business involve regular and systematic monitoring of individuals on a large scale; or
      • the core activities of the relevant business involve processing of sensitive personal data or data relating to criminal convictions, on a large scale.

‘Core activities’ refer to the activities necessary for the business to achieve its main objectives. So the processing of health data by a private medical practice certainly would be a core activity, while supporting activities (payroll, for instance), would not.

A number of factors are to be taken into account when determining whether the activities are ‘large scale’. These include the number of data subjects involved, the volume of data items, the duration of the processing and the geographical extent of the processing.

To help you decide whether you need to appoint a data protection officer, the Guidelines on Data Protection Officers published by the Article 29 Working Party should prove useful.

So if you conclude that your business needs a DPO to stay on the right side of the law, do you have to appoint someone externally? Not necessarily. A DPO can be an existing employee and for many businesses it will be possible to combine this formal role with other duties.

What is crucial though, is that the DPO has a sound working knowledge of data protection law and best practice. Equally, your DPO must be able to report directly to the highest management level without interference. This certainly isn’t a junior or ‘tick-box’ role.

 

12. What will preparing for GDPR cost my company?

Much depends on where you currently are in terms of data protection. Do you already strive to follow best practice in areas such as mapping, processing, transparency and security? If so, absorbing the new requirements of GDPR need not be a costly ordeal.

How much you will need to invest in new technology and processes will depend on the complexity, volume and sensitivity of the personal data you hold – and whether your current technology allows you to both safeguard the data adequately, as well as respecting data subject rights.

Should this be seen as a burden? Not necessarily. As well as shielding you from the possibility of sanctions, investing in compliance can help you position yourself as a data protection ‘champion’. Something that could potentially provide a valuable competitive edge.

 

13. What is the difference between a data processor and a data controller?

The data controller is the person (or company) who “calls the shots”; i.e. the one who decides which personal data is collected and the purposes of the processing. The data processor is the person (or company) who processes that data on behalf of the data controller. Examples of typical data processor services include third party data storage, data analytics or marketing.

Compared to the current system, GDPR places new obligations on data processors. (Read more here). These processors can now face fines for non-compliance and claims for compensation from data subjects for GDPR breaches.

GDPR also stipulates that processors may only process personal data where there is a written contract clearly stating the scope and limits of the processing activity.

 

14. What type of data is protected under the GDPR?

The definition of personal data is very broad. More or less any data or set of data that, by you or someone else, can be referred to a physical personal who is alive, is considered personal data.

If you are not sure whether certain data qualifies as personal data, assume that it does!

This following is examples of personal data:

      • Identity information (e.g. name, address, telephone number, credit card number)
      • Health and genetic records and dataBiometric data
      • Racial or ethnic data
      • Data on political opinions
      • Data on sexual orientation
      • Web data (e.g. location data, IP address, cookies and RFID tags)

 

15. What is the “right to be forgotten”?

Simply put, the right to be forgotten means that individuals will have a right to have their personal data erased, if there are no legitimate reason for you to keep it. For instance, if you process data regarding your customers based on their consent, you will have to erase the data if they withdraw such consent.

 

16. Who owns personal data under the GDPR?

Is it the business that collect and process the data, or the individual to whom it refers?
Well, the GDPR does not deal with the question of data ownership, but it does make clear that data subjects should be in control of how their data is processed.

 

17. What does privacy by design mean?

Whether you are starting a new analytics project, updating your dispatch process or building a new marketing database, GDPR demands that you have data privacy in mind right from the outset. This is called privacy by design. Rather than thinking about it later as a bolt-on, you are effectively hardwiring data protection into your processes, tools and projects at the earliest possible stage.

Here is the logic to this approach; you can identify and deal with privacy issues before they blow up into major problems, saving cost and hassle to the business, while safeguarding individuals’ rights.

 

18. What is a privacy impact assessment (PIA)?

Linked to the idea of privacy by design, a PIA gives you a framework for identifying, assessing and reviewing privacy risks. Under GDPR, you are required to carry out a PIA for any processing activity that represents a “high risk” to the rights and freedoms of data subjects.

The Regulation makes specific reference to particular high risk activities, among them, the introduction of new tech into the business, the evaluation of data harvested through automated processing and the processing of sensitive data (e.g. medical records).

Beyond this, the activities that typically demand a PIA within a business might include the following:

      • A new product launch
      • A new mobile app for customers
      • A new IT system for staff to store and access customer account info
      • CCTV surveillance
      • Evaluation of social media profiles to isolate customers within a particular demographic
      • A data sharing initiative with another organisation
      • The introduction of staff-monitoring technology (e.g. internet usage)

GDPR stipulates that a PIA should include the following…

      • A description of the processing activities and the purposes of such processing,
      • It should assess the necessity and proportionality of the processing,
      • It should assess the risks to the rights and freedoms of data subjects,
      • It should set out the measures you intend to implement to address those risks and ensure GDPR compliance.

 

19. Is there a good summary of GDPR?

The Article 29 Working Party newsroom is definitely worth bookmarking. Here you will find the latest guidelines on all of the key aspects of the legislation, from DPOs to data portability.

 

20. Where can I find further good reading on the GDPR?

From kick-starting your readiness project through to identifying the opportunities offered by this game-changing legislation, our resource page and blog provides plenty of info and food for thought.

 

Do you have any other questions? Don’t hesitate to get in touch and we will keep building the FAQ.

 

WATCH A 5 MIN DEMO

Get Access