General Data Protection Regulation (GDPR) is a new kind of regulation that controls the way people’s data is handled. It’s become necessary because in our connected world, we all need to have our rights protected. Find out the answers to the most commonly asked GDPR questions here.
Q1. What is GDPR?
A1. It’s a set of laws that have been created by the European Union to protect all EU citizens. It does this by regulating the way an individual’s personal data is processed. If it’s processed in a commercial or professional sense, then GDPR has to be followed.
Q2. What’s new about it?
A2. GDPR applies to any company that processes the data of EU citizens, even if the company is located outside the EU. GDPR also carries heavy penalties for breaching the regulations, with fines of up to 4% of a company’s annual global turnover or €20 million, whichever is greater. There’s also a strong emphasis on genuine, clearly given consent for opting in, so companies can’t hide behind jargon or long, unreadable terms and conditions.
GDPR gives individuals eight fundamental rights. They are:
1. The right to be informed
2. The right of access
3. The right of rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
Q3. When do I have to start following GDPR?
A3. GDPR comes into force on 25 May 2018. It was approved by the EU back in 2016, so companies have had two years to prepare. If companies breach the rules after 25 May 2018, they are liable for heavy fines.
Q4. Do I still have to follow the old rules as well?
A4. No. GDPR replaces the old Data Protection Directive 95/46/EC entirely with a new set of rules for everyone in the EU.
Q5. What’s the GDPR definition of personal data?
A5. It means any information about an identified or identifiable living person. It includes pieces of information that would identify someone when collected together, and it also covers data about someone that has been encrypted or pseudonymised, if that data can still be used to identify the person later on.
Q6. What would lead to my company being fined?
A6. The 4% of turnover or €20 million limit is for the most serious breaches, like processing data without consent. Other breaches will attract different levels of penalty, such as a fine of 2% of global turnover for not keeping the proper records.
Q7. Who does GDPR apply to?
A7. Any organisation processing personal data as part of the activities of one of its branches established in the EU, and any company from outside the EU that offers goods and services to, or monitors the behaviour of, EU citizens.
Q8. Does company information come under GDPR?
A8. No. GDPR only applies to information about individual people. Where a company is run by one person, however, GDPR may apply if the company data can be used to identify that person.
Q9. Do I need to appoint a Data Protection Officer in my company?
A9. Only if you are a public authority, or an organisation that engages in large-scale monitoring of individuals or large-scale processing of sensitive personal data.
Q10. Because it’s an EU law, will GDPR still apply after Brexit?
A10. If the UK decides to create its own data protection legislation after Brexit, then it’s likely to follow the same or similar rules. Until we know whether the UK will pursue its own legislation, your company has to stick to GDPR – and if you operate in any other EU countries, or hope to, then you must comply anyway.
GDPR is going to change the way many companies work with data. Make sure you get ready before it comes into force on 25 May this year. Worried about GDPR? Find the answers you need now.