Top 10 frequently asked questions
What is GDPR?
The European General Data Protection Regulation (GDPR) standardises data protection law across all 28 EU countries and 3 EEA states, and imposes strict new rules on controlling and processing personally identifiable information. GDPR came into effect on 25th May 2018.
Who does GDPR apply to?
GDPR applies to all EU businesses and organisations that process personal data. It also applies to non-EU businesses and organisations who process personal data pertaining to EU citizens.
Who is the Information Commissioner?
Also known as the ICO, the Information Commissioner's Office is the Regulator for data protection in the UK. The ICO investigates businesses and organisations who have had a reported data breach, or who have a complaint made against them by a member of the general public.
What sanctions can the ICO impose?
The ICO has a number of ways to take action against businesses for breaches of the GDPR. Such sanctions include:
- A monetary fine against the company or organisation of up to £17 million or 4% of annual turnover, whichever is greater.
- A monetary fine of up to £500,000 against an employee for breaches of data protection legislation.
- Prosecution of those who commit offences under the GDPR.
- Service of enforcement notices.
- Audits of businesses or organisations.
What is personal data?
Personal data is any information from which someone can be identified, such as names, addresses, phone numbers, driving licence numbers etc. There is also a second category of personal data known as 'special categories of personal data', which includes information relating to an individual’s race, religion, ethnicity, sexual orientation, biometric data etc.
Who is a Data Subject?
A 'Data Subject' is an individual who is the subject of personal data.
This does not extend to deceased individuals.
What is the difference between a data controller and data processor?
A Data Controller is a business or organisation that determines the purposes and means of the processing of personal data. A Data Processor is a business or organisation that processes personal data on behalf of a data controller.
Example: An employer is a data controller for its employees' personal data. The employer instructs a third-party payroll company to process the employees' wages. Thus, the payroll company is acting as a data processor.
What does GDPR require businesses and organisations to do?
Businesses and organisations must adhere to Article 5 of the GDPR, which states that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected only for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Held only for the absolute time necessary and no longer
- Processed in a manner that ensures appropriate security of the personal data
What rights do data subjects have under the GDPR?
The GDPR sets out 8 fundamental rights a data subject has:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
What effect, if any, will Brexit have on GDPR?
When the UK exits the EU, the EU GDPR will no longer be law in the UK. The UK government intends to write the GDPR into UK law. However, the Data Protection Act 2018 (DPA 2018), which currently supplements and tailors the GDPR within the UK, will continue to apply.
When the UK leaves the EU, it will be classified as a 'third country'. Therefore, any processing of personal data from the EU will be unlawful unless businesses and organisations implement appropriate safeguards. The UK government has advised that businesses and organisations can continue to freely transfer personal data throughout the EU post-Brexit.