GDPR is now less than a month away, so we thought it would be useful to answer some of the questions we are asked most often by those unsure how to tackle the game-changing data legislation. Below are Adlantic’s top seven GDPR Frequently Asked Questions.
1. What is GDPR?
The European General Data Protection Regulation (GDPR) is built around two key principles.
- Protecting natural persons, whatever their nationality or place of residence, in relation to processing their data¹
- Simplifying regulation for international businesses with a single regulation that applies across the European Union (EU).
It’s important to bear in mind that the GDPR will apply to any business that processes the personal data of EU citizens, which means that it could also apply to companies based outside the EU.
2. Does the GDPR only apply to EU organisations?
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The UK government has confirmed that Brexit will not affect the GDPR start date or its immediate operation.
It has also confirmed that, post-Brexit, the UK’s own law (or a newly proposed Data Protection Act) will directly mirror the GDPR.
3. What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
4. My firm employs fewer than 250 people. Am I exempt from the GDPR?
No. You’ll have to comply with the GDPR regardless of your size if you process personal data. It’s recognised that small businesses have fewer resources and pose less of a risk to data protection, so the ICO may show more leniency in relation to any non-compliance.
However, you’ll still want to ensure you’re compliant with the principles of the GDPR, because your business must still comply if it’s involved in regular processing (which includes collecting, storing and using) of personal data. It’s easier to follow the GDPR and get compliant than to spend time figuring out how you can avoid complying, especially if you’re working without legal guidance.
5. When does the right to data portability apply?
The right to data portability only applies:
- To personal data an individual has provided to a controller.
- Where the processing is based on the individual’s consent or for the performance of a contract.
- When processing is carried out by automated means.
6. Do I need to appoint a data protection officer (DPO)?
Under the GDPR, you must appoint a DPO if you:
- Are a public authority (except for courts acting in their judicial capacity).
- Carry out large scale systematic monitoring of individuals (for example, online behaviour tracking).
- Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. Any organisation can appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
7. How do we know if we’re a processor or controller?
A controller determines the purposes and means of processing personal data. A processor, on the other hand, is responsible for processing personal data on behalf of a controller.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
¹Recital 14 states “the protection afforded by this Regulation should apply to Natural Persons, whatever their nationality or place of residence, in relation to processing their data”.