Frequently Asked Questions about GDPR and Data Protection
Data protection law, and more specifically the GDPR, is a legal text that requires businesses and organisations to keep tight control over the data they own, capture and manage. There are lots of nuances and intricacies that take time and effort to understand.
That’s why we’ve created this non-exhaustive list of FAQs, which will help you understand exactly what your legal obligations and responsibilities are.
This list is ever-evolving, as is the overarching legislation that prompted its creation.
General GDPR FAQs
What exactly is the GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
When does the GDPR come into effect?
The GDPR was approved in April 2016 with a transition period of two years. The regulation comes into effect on May 25th, 2018.
How does Brexit affect GDPR?
Since Brexit, the UK is no longer regulated domestically by the EU’s General Data Protection Regulation (GDPR), which governs the processing of personal data from individuals inside the EU. Instead, the UK now has its own version, known as the UK-GDPR (United Kingdom General Data Protection Regulation). The new UK-GDPR took effect on January 31, 2020.
Who does GDPR aim to protect?
This regulation is for individuals, the data subjects. It focuses on protecting people’s personal data and on a simpler regulatory environment for businesses. The purpose is to ensure that the data subject is the rightful owner of their personal data and that their rights over it are guaranteed wherever it is held.
What companies will this regulation affect?
Every company that collects, holds and processes personal data by any means and for any purpose, whether it comes from its customers, employees or partners. That is virtually every company, since even the simplest business makes use of digital payments and uses data for HR purposes.
Will GDPR affect my company? Do I have to comply?
If you answer YES to at least one of these questions, then you should comply with the GDPR.
Does your company collect data from its customers?
Does your company collect data from its employees?
Does your company process digital payments (credit cards)?
Does your company reach out to customers, partners or employees by email?
Does your company reach out to customers, partners or employees by mail?
Does your company reach out to customers, partners or employees by telephone?
Does your company send products to customers, vendors or partners by post?
Where does the GDPR apply?
The territorial scope is regulated in Art. 3 GDPR. It states that the General Data Protection Regulation applies to all 28 EU Member States and to companies and organisations outside the EU, as far as the processing of data concerns EU citizens. It does not matter whether the person is in the EU in the short or long term. Citizenship or status as a Union citizen does not matter here. This territorial scope of application can’t be subsequently changed by contract. Also, it does not matter what kind of service or products companies or organisations offer. The only decisive factor is whether personal data of EU citizens is collected and processed.
Is GDPR part of the Data Protection Act?
The Data Protection Act 2018 replaces the Data Protection Act 1998, giving an updated framework for UK data protection law. It is not the same as the GDPR, but it sits alongside it. The DPA 2018 gives a framework for how the GDPR should be put into practice in the UK.
For whom does the GDPR apply?
The General Data Protection Regulation applies to individuals and entities of all sizes who process the personal data of EU residents, regardless of where the processor is located. These rules apply to both data controllers and data processors, including third parties such as cloud providers.
Does the GDPR make any difference between B2B and B2C?
The GDPR does not differentiate between B2B and B2C; it applies equally to both. The reason is that the General Data Protection Regulation protects natural persons rather than legal persons.
How will the regulation be enforced?
After May 25th, 2018, organisations that fail to comply with the GDPR can be audited and sanctioned following claims from data subjects who feel their personal data rights were or are being violated – or their data used for purposes other than the ones they consented to – by that organisation. Moreover, audits can happen randomly or in response to complaints, depending on the approach taken by each European Union member state, which is responsible for the businesses established in its country and acts under the supervision of the European Commission.
The ICO is the primary regulator for the UK GDPR. However, it will still co-operate and collaborate with European supervisory authorities, as it did before the GDPR, on any breaches of the GDPR that affect individuals in the UK and in other EU and EEA states.
Who is my data protection authority?
Every EU and EFTA member state assigns a national organisation/commission/agency/bureau/authority that is responsible for GDPR enforcement inside that country’s borders, providing information and support but also auditing and issuing sanctions and fines. Their status was formalised by the Data Protection Directive. Here you will find the websites of the national authorities in the EU:
Czech Republic: https://www.uoou.cz/
The Netherlands: https://autoriteitpersoonsgegevens.nl/
United Kingdom: https://ico.org.uk/
Whatever violation happens, the authority of the country where the company involved is physically or legally established is responsible. For example, anyone who sells internationally as an online retailer may already have heard something about the new one-stop shop. This allows EU citizens to always turn to their own data protection authority for complaints – the data protection authority in their country. Note that this applies regardless of where the privacy violation happened.
The section above covered generic GDPR frequently asked questions about authorities. We’ll now dive deeper into specific questions about data subjects and compliance.
How is a GDPR gap analysis performed?
A GDPR gap analysis is important, simply because you can’t solve a problem that you didn’t know existed! This is a process of identifying areas and systems within your organisation which may be at risk of a breach and need ‘tightening up’. You should instruct a data protection expert to do this, because it is one of the most important steps on your journey towards compliance, not to mention a complex and time-consuming process for the uninitiated.
What is the data protection impact assessment in GDPR?
One of the characteristics of GDPR is increased accountability. There is a requirement under GDPR for businesses to undertake data protection impact assessments when putting any processes in place that use new technology that is likely to result in a high risk to data subjects.
How do you report a personal data breach?
A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Data processors must notify the data controller without undue delay after becoming aware of a personal data breach.
Data controllers must notify the supervisory authority (the ICO (Information Commissioner’s Office) in the UK) without undue delay when they become aware of personal data breaches that are likely to result in a risk to data subjects’ rights and freedoms.
Where feasible, this must be done within 72 hours. Failure to do so could leave you facing administrative fines of up to €10 million or 2% of annual global turnover – whichever is greater.
Data controllers must also notify data subjects without undue delay if there is a high risk to their rights and freedoms. Note that, if the breached data is anonymised or encrypted to the extent that it is no longer possible to identify data subjects, there is no risk, and no notification is required.
According to Article 33, data controllers must provide the following information to the supervisory authority:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned, and the categories and approximate number of personal data records concerned;
- The name and contact details of your DPO or other contact point from whom more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures you have taken, or propose to take, to deal with the breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
If you don’t have all the information to hand within 72 hours, don’t worry: the GDPR allows you to provide the information in phases, although you must provide an explanation for the delay.
You can notify the ICO either by calling its helpline or by completing an online reporting form.
What rights does the GDPR grant for the EU Residents?
Initially, the only way companies can gain access to and control over any data is by consent. The subject of that data then has three main rights:
Right to access: Every EU resident has the right to know, on request, what personal data any company is holding and/or processing.
Right to erasure: Every EU resident has the right to require the deletion of all the data to which they have granted access that is held or processed by any company.
Right to data portability: If a data subject wants to change to a new service provider, they can ask the former provider to send all their personal data to the new one in a standard, machine-readable format.
What is consent for data processing?
While collecting data, the company has to make clear the purpose for which it is doing so. Any activity performed with that data has to be described in the terms of the consent; that consent, once accepted by the data subject, will be the legal basis for any processing.
The consent must be explicit for data collected and the purposes data is used for (Article 7; defined in Article 4). Consent for children must be given by the child’s parent or custodian, and verifiable.
What is the extent of consent?
Data controllers must be able to prove “consent” (opt-in), and consent may be withdrawn whenever the data subject asks.
Do I always need consent?
In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate basis.
You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.
It’s your responsibility to identify a lawful basis for processing under the GDPR.
What is special category data?
There is a sub-category of personal data which is known as ‘special category’ data. This is personal data about an individual’s:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Physical or mental health
- Sex life or sexual orientation
- Biometrics (if used for identification purposes)
Examples of the types of special category data that an employer may process include:
- Sickness records, pre-employment medical questionnaires/examination notes, and drug or alcohol tests
- Equal opportunities monitoring forms
- Payroll information, if you operate check-off for trade union members
- Pension scheme or private health insurance records, which might contain details about a person’s sexual orientation, if a partner is a beneficiary
The GDPR places more restrictions on the processing of special category data than on other personal data, because it is particularly sensitive.
What does ‘processing’ personal data mean?
‘Processing’ personal data means any activity that involves the use of personal data (e.g. obtaining, recording or holding the data, amending, retrieving, using, disclosing, sharing, erasing or destroying). It also includes sending or transferring personal data to third parties.
These can all be processing:
- You forward an email about an employee you’re dealing with to a colleague
- You delete old emails
- You use your electronic security card to open a door, creating a swipe record
- You install and use CCTV
- You record telephone calls
Does my organisation need to register with the ICO under the GDPR?
Every organisation or sole trader that processes personal data must register with the ICO (Information Commissioner’s Office) – unless all the processing they carry out is exempt – and pay an annual fee.
The fee you pay depends on your size and turnover:
- Tier 1: micro organisations (with a maximum annual turnover of £632,000 or no more than 10 employees) must pay £40 per year.
- Tier 2: small and medium-sized organisations (with a maximum annual turnover of £36 million or no more than 250 employees) must pay £60 per year.
- Tier 3: large organisations (those that do not meet the criteria for tiers 1 or 2) must pay £2,900.
Some exemptions apply.
What quick measures should my company take?
Initially, look for professional advice. It does not need to be a lawyer; there are plenty of other professionals specialised in the GDPR who can help you comply.
What are the Records of Processing Activities (ROPA)?
For GDPR compliance, one of the main requirements is that every company shall maintain a detailed description of every activity that in some way processes personal data. These descriptions are called “records” and provide an overview of all data processing activities within your organisation. They enable the company to understand which categories of data are being processed, by whom and for which purposes. Together they are called the records of processing activities (ROPA).
What are the checklists for GDPR compliance?
There is no one-size-fits-all approach to GDPR, as each organisation handles data differently, but the ICO has lots of helpful resources – including a data protection self-assessment toolkit, with a series of checklists for data controllers and data processors, data sharing and subject access and more – which businesses can use as a starting point.
Can GDPR compliance be automated?
It would be very difficult, if not impossible, to automate GDPR compliance. There are so many variables at each stage of the process. We always recommend that organisations seek tailored advice to ensure their own processes are compliant; after all, each business has its own organisational structure, personnel and systems.
What is a Data Protection Officer (DPO)?
A Data Protection Officer is the professional responsible for the data protection activities and measures inside the company. He/she holds the security leadership role in charge of overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
We are able to help you, by acting as your external DPO.
What is the data controller role in GDPR?
Under the GDPR, both data controllers and data processors have new obligations. The ICO defines data controllers as “the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.” They are the organisations that decide how personal data is processed and what it is used for. If more than one party takes on this activity, using the same data for the same purpose, they are referred to as ‘joint controllers’. UK data controllers must also make sure that the data processors they instruct are compliant. If a data controller breaches its obligations, it may face action from an authority such as the ICO.
Generally, if you are a data processor, you will be working under a data controller’s instructions, but you will have your own responsibilities too. If you have any questions on your compliance responsibility, please contact us.
What is a virtual DPO?
It is an external Data Protection Officer that provides online assistance to a company. It can be one person or a group of people with different specialities offering the service as a unit. In this approach, a specific person should be nominated as the lead of the DPO function.
At Cybata, we can act as your external DPO, giving you the specific support and guidance you need relating to matters of Data Protection and GDPR.
Which organisations must appoint a DPO (data protection officer) under the GDPR?
A DPO must be appointed:
- Where the processing is carried out by a public authority or body;
- Where the organisation’s core activities require regular and systematic monitoring of data subjects on a large scale; or
- Where core activities involve large-scale processing of special category data or data relating to criminal convictions or offences.
Organisations that are not obliged to appoint a DPO can nevertheless do so if they wish. The role has the same legal status whether the appointment is voluntary or mandatory. See Articles 37, 38 and 39.
What is a Data Processing Agreement? When is it needed?
When processing activities are outsourced, meaning they are performed by a party other than the controller’s company, a contract called a Data Processing Agreement must be put in place between the parties. The agreement must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects and the obligations and rights of the controller.
What does “Secure by Design” mean in relation to Data Protection and GDPR?
A process inside the company, or a piece of software developed or purchased by the company, is “secure by design” when data protection was treated as a key aspect and requirement during its development: all the data that passes through it can be tracked, the processing is understandable and under control, and it provides tools that grant data subjects their rights of access, deletion and portability.
How are CCTV security systems affected by the GDPR?
Video recordings fall under the GDPR because they can be used to track and identify persons. It is important to have a clear purpose for the recording, as well as consent from the persons being recorded.
Data captured as part of the CCTV system must be included in your ROPA and Data Processing Agreement.
How will employee email inboxes be affected by the GDPR?
Each employee’s email account is private and contains personal data. For the company to have deliberate access to it, the employee must give explicit consent. When an employee leaves the company, the company can either forward incoming messages to a particular address appointed by that user or ask for permission (consent) to access those new messages.
What are the GDPR’s data processing principles?
Unlike the Data Protection Act 1998’s eight data protection principles, the GDPR has six data processing principles. Personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
What lawful bases for processing should we use, and do we always need consent?
Processing is lawful only if, and to the extent that, one of the following applies:
- The data subject has given their unambiguous consent to the processing of their personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child. (This basis does not apply to processing carried out by public authorities in the performance of their tasks.)
You do not need consent if you rely on one of the other bases for processing.
In fact, consent is arguably the weakest lawful basis for processing because it can be withdrawn at any time. When consent is withdrawn, your organisation will be obliged to erase the individual’s data if they request you to – unless you can demonstrate a lawful reason to retain it.
It is therefore always worth determining whether another lawful basis for processing can apply.
In many cases, organisations will be able to rely on ‘legitimate interests’. As the most flexible of the six lawful bases for processing, it could theoretically apply to any type of processing carried out for any reasonable purpose, although the onus will be on you to balance your legitimate interests against the interests, rights and freedoms of the data subjects.
Whichever lawful basis for processing you deem appropriate for each processing activity, your organisation must keep a record of it.
What is the difference between Personal and Sensitive Data?
Personal data refers to any information related to the data subject that can be used to directly or indirectly reveal their identity.
Sensitive data refers to information related to the data subject’s fundamental rights, intimacy and free will. Examples are health records, religious beliefs, political opinions, biometric data or genetic data.
What are the Penalties for GDPR non-compliance?
There are two levels of GDPR fine:
Lower level of GDPR penalties
Fines of up to £8.7 million under the UK GDPR, €10 million under the EU GDPR or 2% of annual global turnover can be issued for infringements of articles:
- 8 (conditions for children’s consent);
- 11 (processing that doesn’t require identification);
- 25 – 39 (general obligations of processors and controllers);
- 42 (certification); and
- 43 (certification bodies).
Higher level of GDPR penalties
Fines of up to £17.5 million under the UK GDPR, €20 million under the EU GDPR or 4% of annual global turnover can be issued for infringements of articles:
- 5 (data processing principles);
- 6 (lawfulness of processing);
- 7 (conditions for consent);
- 9 (processing of special categories of data);
- 12 – 22 (data subjects’ rights); and
- 44 – 49 (data transfers to third countries or international organisations).
How are GDPR fines calculated?
GDPR fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.
Any fine you might receive will depend on:
- The type of infringement, how severe it was and how long it lasted;
- Whether it was deliberate or accidental;
- The action you took to reduce the damage to individuals (data subjects);
- Your security measures;
- Whether this is your first GDPR infringement;
- How cooperative you were when fixing the issue;
- The types of personal data involved;
- Whether you notified the supervisory authority yourself; and
- Whether you adhere to any approved codes of conduct or certification schemes.