I have found that many blog posts and articles seem to assume that you are a GDPR expert. As I am currently researching the General Data Protection Regulation, I am coming across websites which are unclear as to the very basics of the regulation, and therefore I thought it would be useful to write some answers to frequently asked GDPR questions to refer back to when reading more complex documents.
I chose these questions to ground more complex GDPR issues.
If you want to learn more about GDPR terms, take a look at our four-part GDPR Glossary.
What is GDPR?
GDPR is the General Data Protection Regulation and is the result of the EU’s efforts to update data protection to fit the 21st-century lifestyle. It specifically concerns personal data.
When is GDPR coming into effect?
GDPR does not require any legislation to be passed by Parliament. It is an EU regulation, meaning it will be in force from 25 May 2018.
Considering Brexit, do I still have to continue with GDPR enforcement preparations?
The UK is still a member of the European Union; therefore, the regulation is binding. However, irrespective of whether the UK retains GDPR post-Brexit, if you process data about individuals in the context of selling goods or services in other EU countries, then you will need to comply with the GDPR. It is not possible to predict what the government will implement post-Brexit, yet it has indicated that it will implement an equivalent or alternative legal mechanism. This means that even if your activities are limited to the UK, you will still need to be GDPR compliant. It is most likely that the UK will introduce legislation which largely follows the GDPR, as it provides a clear baseline against which UK businesses can seek continued access to the EU digital market.
Will GDPR affect me?
The likelihood is that GDPR will affect you. GDPR applies both to organisations located in the EU and to organisations located outside the EU, where the organisation offers goods and services to, and/or monitors the behaviour of, EU citizens.
Do I have to comply with GDPR?
Yes, compliance with GDPR is essential. An organisation can be fined up to 4% of its annual global turnover or €20 million. The largest fine can be imposed for the most serious infringements, such as not having customer consent to process data. However, there is also a tiered approach for less serious breaches. For example, if you breach Article 28 by not having your records in order, you can be fined 2% of your annual global turnover. These rules apply to both controllers and processors. To understand these terms, please see the four-part GDPR series here. In short, GDPR compliance is hugely important.
But, what is personal data?
Personal data is defined as any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. This includes a name, identification number, location data or online identifier. Please see our four-part GDPR glossary series for more definitions of frequently seen terms.
What type of data subject consent do I need?
The GDPR will strengthen the conditions for consent. Your company will no longer be allowed to rely on long, illegible terms and conditions, as any request for consent will need to be given in an easily accessible form. You will need to attach the purpose of the data processing to that consent. Everything needs to be unambiguous, and it is recommended that a company uses clear and plain English. It must be as easy to withdraw consent as it is to give it. It is important to note the difference between the situations where you will need ‘explicit’ consent and those where ‘unambiguous’ data subject consent is sufficient. Explicit consent is only required when processing sensitive personal data – nothing short of an “opt-in” will be compliant. Conversely, for non-sensitive data, you can rely on ‘unambiguous’ consent.
Do I need to employ a Data Protection Officer?
There are three situations where a Data Protection Officer needs to be appointed:
- Public authorities
- Organisations that engage in large scale systematic monitoring
- Organisations that engage in large scale processing of sensitive personal data
How will GDPR affect the immediate consequences of a data breach?
GDPR primarily introduces notification obligations for companies that have been breached. Data breaches which may also affect an individual must be notified to the Data Protection Officer within 72 hours, and immediately to the affected individuals.
Looking for more GDPR FAQ?
I can’t claim to have all the answers. In between a lot of the GDPR hype there are some incredibly useful resources that have been published on the regulation. Here’s where to go if you’re looking for more in-depth reading alongside this GDPR FAQ:
– Our handy GDPR Glossary. It’s in four parts so check back for updates.
– The full regulation. It’s 88 pages long and has 99 articles.
– The ICO’s guide to GDPR is essential for both consumers and businesses.
– EU GDPR is full of information on the regulation.
– The EU’s Article 29 data protection group is publishing guidelines on data breach notifications, transparency, and subject access requests.
Please feel free to comment with any additional GDPR FAQs which you think should be included above. I hope you will find this useful to refer to when assessing how you will be affected by GDPR or when reading more complex documents or legislation.