GDPR – 20 questions you were too scared to ask

You have probably heard the phrase GDPR mentioned in your office or workplace in the last few months, and like many you might have wondered what on earth GDPR is! If that is the case, don’t worry, you are not alone, a recent survey showed that over 85% of office workers didn’t know what GDPR stands for, and that over 55% of business owners and directors are still not aware of GDPR and how it impacts their organisation. Hopefully this blog will help by answering the most frequently asked questions about GDPR, some of which you may have felt embarrassed to ask.


What does GDPR stand for?

GDPR stands for General Data Protection Regulation.


What is GDPR?

GDPR is updated Data Protection legislation for the European Union, which will supersede the current Data Protection Act in the UK. This regulation was created to provide a set of standardised data protection laws across the EU. The regulation aims to make it easier for EU citizens to understand how their personal data is being used, raise any complaints, and also make changes, wherever their data may be located. It introduces some new provisions, including enhanced accountability and new procedures for handling data breaches and Subject Access Requests (SARs).

The rules affect both “Data Controllers” – those who determine why and how data is collected and used – and “Data Processors” – who usually act on behalf of the Controller.


What is meant by Personal Data?

‘Personal Data’ means any information that can be used to identify a person (known as the ‘Data Subject’). This could be through any one of a number of identifiers including name, identification number, location data, email address, phone number, IP Address or postal address.


What is meant by Sensitive Data?

‘Sensitive Personal Data’ is referred to in the GDPR as “special categories of personal data”. The special categories specifically include genetic data and biometric data such as fingerprints, iris scans and DNA samples.


When does GDPR come into effect?

GDPR came into effect on 25th May 2018 and is now law.


Does Brexit affect GDPR?

Quite simply, no. The Government has stressed that it wants to maintain the unhindered flow of data between the UK and the EU after Brexit. We are still a part of the EU, until March 2019.  This means the EU GDPR will still be enforceable to UK businesses until we leave the EU. After Brexit, the new UK Data Protection Bill [HL] 2017-19 would, among other things, bring the GDPR into UK law and, according to the Government, “ensure that the UK is prepared for the future after we have left the EU”.


Who does GDPR Apply to?

The European Union’s General Data Protection Regulation (EU GDPR) affects every organisation that handles the data of a living individual within the European Union.


Does GDPR affect small businesses and Sole Traders?

Yes – The GDPR affects all domestic and international businesses operating in the EU – regardless of their size.


What rights do individuals have under GDPR?

The GDPR provides the following rights for all individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Full details of the new rights of individuals have been published by the Information Commissioners Office.


What are the Fines and Penalties under GDPR?

There are two tiers of administrative fines that can be levied: 

1)           Up to €10 million, or 2% annual global turnover – whichever is higher.
2)            Up to €20 million, or 4% annual global turnover – whichever is higher.

The fines are based on the specific articles of the Regulation that the organisation has breached. Infringements of the organisation’s obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.

Not all infringements of the GDPR will lead to these serious fines though…

Other than the power to impose fines, the UK’s Supervisory Authority – the Information Commissioner’s Office (ICO) – has a range of additional corrective powers and sanctions available to enforce the GDPR. These include issuing warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries. These are detailed in full in Article 58 of the GDPR.

The GDPR also gives individuals the right to compensation of any material and/or non-material damages resulting from an infringement of the GDPR. In certain cases, not-for-profit bodies can bring representative action on behalf of individuals. This opens the door for mass claims in cases of large-scale infringements. 


What does Lawful Basis for processing data mean?

You must have a valid lawful basis in order to process personal data under GDPR. There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. The 6 Lawful Bases are detailed in Article 6 of the GDPR – at least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)


What is Data Flow Mapping?

As part of a GDPR Compliance project, organisations will need to map out their data and information flows in order to fully assess their privacy risks. This identifies the type of data, what format it’s in, how and where it’s collected, who owns the data, how it flows through the organisation, who has access to it on its journey, how and when it gets disposed of or deleted, and who is ultimately accountable for it.  This is also an essential first step for completing a Data Protection Impact Assessment (DPIA), which is mandatory for certain types of data processing under GDPR.


What is a Data Protection Impact Assessment?

Data protection impact assessments (DPIAs) help organisations identify, assess and mitigate or minimise privacy risks arising out of the processing of personal data, and to minimise these risks as far and as early as possible. They’re particularly relevant when a new data processing process, system or technology is being introduced.

DPIAs are important in helping organisations demonstrate accountability, and provide evidence that the appropriate measures have been taken to ensure compliance with the GDPR.

The GDPR mandates that a DPIA be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”.

Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million – whichever is greater.


What is Consent in GDPR?

Consent is one lawful basis for processing data. Genuine consent should put individuals in control, build customer trust and engagement, and enhance your reputation.

The GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires individual (‘granular’) consent options for distinct processing operations. Consent should also be separate from any other terms and conditions and should not be a precondition of signing up to a service. 

You must keep clear records to demonstrate consent. The GDPR gives a specific right to individuals to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.

You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent. 


How does GDPR effect Marketing?

The implications for marketing under GDPR are significant and wide-reaching and will change the way marketers communicate with their customers. Although the GDPR (Recital 47) says direct marketing can be a legitimate use of personal information, it is important to remember that there are also other rules that apply – for example the Privacy and Electronic Communication Regulations 2003 (PECR). PECR restricts the circumstances in which you can market people and other organisations by phone, text, email or other electronic means. So you have to comply with both the new data protection laws and PECR going forwards.


When do I have to report Data Loss or Data Breaches?

The GDPR introduces a duty on all organisations to report certain types of personal data breach or loss to the relevant supervisory authority – the ICO in the UK. You must do this within 72 hours of becoming aware of the breach, where feasible.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will aid with decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.

You must also keep a record of any personal data breaches, regardless of whether you are required to notify. These may be required for future audits or when investigating any subsequent data breaches.


What is a Subject Access Request (SAR)?

GDPR entitles individuals to the right to find out what personal data is held about them by an organisation, why the organisation is holding it and who their information is disclosed to by that organisation. An individual may exercise this right by submitting a ‘Subject Access Request’ (SAR).

You must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is clearly unfounded or excessive, particularly if it is repetitive. 

Information must be provided without delay and at the latest within one month of receipt of the SAR.


Do I need a Data Protection Officer (DPO) for GDPR?

Under the GDPR, you must appoint a DPO if you:

  • Are a public authority
  • Carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.

Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to meet your obligations under the GDPR. 


Is my company GDPR Compliant?

Take our GDPR Readiness Questionnaire to see how close to compliance your organisation is.


How do I become GDPR Compliant?

There are various guides and “Steps to Compliance” available on the Internet. However the best way to work towards compliance, and to maintain compliance beyond 25th May, is to follow a pre-defined framework and methodology to determine where your business is today, where it needs to be to be deemed “GDPR compliant”, and to build and follow a structured remediation plan to address the gaps and any non-conformity you have identified. GDPR123’s GDPR Compliance Framework is designed to do just that, helping organisations put in place the right policies, procedures and controls to achieve and maintain GDPR Compliance.


Need help/advice with becoming GDPR compliant?

Call 0203 457 4683 or Contact Us now for a free consultation.