The GDPR Frequently Asked Questions
It’s a new European Union Regulation (Regulation (EU) 2016/679) concerned with the protection and free movement of personal data and the rights of individuals, including children. It replaces:
- The EU Data Protection Directive (95/46/EC) from 1995.
- The UK Data Protection Act 1998, which was enacted to bring British law in line with the above Directive.
A regulation is a binding legislative act, unlike a directive which sets out a goal for EU countries to achieve.
In January 2012, The European Commission in Brussels proposed a reform of the EU’s 1995 data protection rules to “make Europe fit for the digital age.”
New technologies and globalisation have had a profound impact on how information is collected, accessed and used. Furthermore, the 27 EU member states had interpreted the 1995 directive differently, resulting in divergences in enforcement.
It was viewed that one law would eliminate the existing fragmentation. You might hear the term ‘one-stop-shop’; in the context of the GDPR, this is a reference to the single law.
The overarching aim of the reform was to better protect the rights we all have as individuals in relation to our personal data.
These rights span our lives at home, at work, as consumers, as patients, in legal matters and the Internet.
Yes, the GDPR does contain new provisions for children. In the UK, this will probably be defined as anyone under 13. The main thrust of this part of the regulation is on commercial internet services such as social networking.
If your organisation collects children’s personal data, you will need to:
- Have a system to verify individuals’ ages.
- Have a process for obtaining the consent of a parent or guardian.
- Explain, in ways children will understand, how their personal information will be managed. One way to do this is with a privacy notice. You might also want to consider animations, videos, etc.
You can access the ICO’s guidance on privacy notices here: ICO – Your privacy notice checklist
Further reading on children’s rights under the GDPR can be reached here: ICO Children’s Personal Data – just scroll down to the bottom of the webpage.
Yes, post-Brexit the GDPR still applies to the UK. On the 24th of October 2016, the Secretary of State Karen Bradley MP said:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
Elizabeth Denham, the ICO’s Information Commissioner commented: “I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.
“We’ll be working with government to stay at the centre of these conversations about the long-term future of UK data protection law and to provide our advice and counsel where appropriate.”
At any rate, the European Commission previously stated:
If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit.
If your organisation handles personal data, the Information Commissioner’s Office (ICO) states:
“You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
“Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”
The European Union defines personal data as:
“Any information relating to an individual, whether it relates to his or her private, professional or public life.
“It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.”
You might also hear the term ‘sensitive personal data’. This is a reference to special categories of personal data, more on which is covered in the next FAQ: ‘I believe there are special categories of personal data, known as sensitive data?’
Yes, special categories of personal data which “uniquely identify a person”, for example genetic and biometric information, are classed in the GDPR as sensitive data.
For full details of special categories of personal data, see Article 9 of the GDPR, a link to which is below.
If you’re familiar with the rules of the Data Protection Act, the good news is that the new regulation is broadly similar to them, although there are wider grounds in relation to healthcare and health research.
Personal data relating to criminal convictions is not classed as sensitive data, but the GDPR does introduce extra safeguards in relation to processing it. These can be found in Article 10 of the regulation.
You can access all of the articles in this link: The European Union’s Summary of Articles contained in the GDPR.
The ICO has published some helpful guidance on special categories of personal data, which you’ll find half way down the page on this link: ICO Lawful Processing – Conditions for special categories of data.
Article 5 of the GDPR states that personal data shall be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and confined to what is necessary
- Accurate and kept up to date
- Held for no longer than necessary
- Processed in a manner that ensures appropriate security, i.e. guards against:
  - Unauthorised or unlawful processing
  - Accidental loss, destruction or damage
Organisations are required to demonstrate compliance with the above principles.
Yes, to process personal data under the GDPR you must have a legal basis to do so, and document it. Under the Data Protection Act, this is known as ‘conditions for processing’.
The ICO has published some good guidance which you can reach here: Lawful processing of personal data under the GDPR.
Not necessarily. The ICO advises that under the GDPR, you must appoint a Data Protection Officer (DPO) if you:
- Are a public authority (except for courts acting in their judicial capacity);
- Undertake large scale systematic monitoring of individuals;
- Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
You may appoint a single Data Protection Officer to act for a group of companies or for a group of public authorities, taking into consideration their size and structure.
Any organisation can appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and expertise to discharge your duties.
The minimum tasks of a DPO are defined in Article 39 of the GDPR:
- To educate the organisation and its employees regarding their data protection obligations and the rights of individuals.
- To monitor compliance with the GDPR.
- To act as the first point of contact for supervisory authorities and individuals whose personal data is processed (e.g. staff, patients, service-users, customers).
If you employ a Data Protection Officer, you must ensure he or she:
- Reports to the highest level of management in your organisation, e.g. board level.
- Operates independently and is not dismissed or penalised for doing their job.
- Is given sufficient resources to meet the requirements of the GDPR.
The ICO states: “The GDPR does not specify the precise credentials a data protection officer is expected to have.
“It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.”
It sets out the tasks of the Data Protection Officer.
For full details on Article 39 and a summary of all articles in the GDPR, see this link: European Union Summary of Articles Contained in the GDPR.
The GDPR strengthens the rights that currently exist under the Data Protection Act as well as giving new rights.
Here they are in brief, with links to further reading – and some good resources – on the Information Commissioner’s Office website.
The right to be informed
Organisations need to be clear on how they use personal data, typically through a privacy notice. You can access the ICO’s privacy notice checklist here.
The right of access
Under the GDPR, individuals are entitled to know what information is held about them and how it’s processed. The ICO has published guidelines on the right of access here.
The right to rectification
Individuals are entitled to have their personal data corrected if it’s inaccurate or incomplete. You can access the ICO’s guidance on the right to rectification here.
The right to erasure – also known as the right to be forgotten
Individuals have the right to request the removal of personal data where there is no compelling reason for its continued processing. Find the ICO’s guidance on the right to be forgotten here.
The right to restrict processing
Individuals’ rights to block or suppress processing of their personal data. Here’s the ICO’s explanation on individuals’ rights to restrict processing.
The right to data portability
This allows individuals to transfer or copy their personal data from one IT environment to another, safely and securely. Here’s more reading on the right to data portability from the ICO.
The right to object
Individuals have the right to object to the use of their personal information in certain circumstances. You must offer a way for individuals to object online if you process personal data for the purposes of:
- The performance of a legal task or your organisation’s legitimate interests
- Direct marketing
Rights in relation to automated decision making and profiling
In specific circumstances, individuals have the right not to be the subject of a decision which:
- Has a legal bearing on them; and
- Is based on automated processing
Here’s the ICO’s advice on rights relating to automated decision making and profiling.
It’s about demonstrating your compliance with the GDPR. To show compliance, you must:
- Implement appropriate technical and organisational measures.
- Maintain documents on your processing activities.
- If applicable, appoint a Data Protection Officer.
There are other things you can do to demonstrate compliance too. You’ll find them from page 28 (which addresses the large topic of accountability and governance) on a download available from the ICO, which you can access here: Overview of the General Data Protection Regulation (GDPR).
It’s how you consider data protection before implementing a process, be it technical or organisational.
If you’re familiar with the UK’s Data Protection Act, you’ll probably know that the Information Commissioner’s Office has long championed this.
Yes. If you hold information on individuals, then you must make it plain how their data is processed. The regulation states that this should be clear, easy to access and free of charge.
If the privacy notice applies to children, you’ll need to write it in a way they will understand.
The ICO has created a handy privacy notice checklist you can access here.
It depends on the nature of your organisation, but you might find it helpful to do so anyway. A data protection impact assessment or DPIA, also known as a privacy impact assessment or PIA, is a tool to help:
- Organisations comply with their data protection obligations; and
- Meet individuals’ expectations of privacy
The ICO has published a PDF on Data Protection Impact Assessments/Privacy Impact Assessments which you can download here.
The biggest change is the removal of the £10.00 subject access fee. You will also have less time to comply with a subject access request.
The regulation also introduces a new ‘best practice recommendation’ encouraging organisations to provide remote access to a secure, self-service system providing individuals with direct access to their information.
For detailed guidance on subject access requests and the GDPR, see pages 15 and 16 of the ICO’s Overview of the General Data Protection Regulation, which you can download here.
The GDPR is introducing a duty on all organisations to report certain types of data breaches to the “relevant supervisory authority” and in some instances to the individuals themselves.
Here’s more reading from the ICO: Overview of the GDPR breach notifications.
This particular FAQ will be updated as more information is released. See also FAQ Article 29 Data Protection Working Party.
Organisations can be fined up to €20 million or 4% of annual global turnover for breaching the GDPR.
This is the maximum fine that can be imposed for the most serious infringements e.g. insufficient customer consent to process data or contravening the core of Privacy by Design concepts.
There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (Article 28), for not informing the supervising authority and data subject (individual) about a breach, or for not conducting an impact assessment.
It should be noted that these rules apply to both controllers and processors – meaning ‘clouds’ will not be immune to GDPR enforcement.
It’s a group made up of a representative from the data protection authority of each EU member state. The working party gives expert advice regarding data protection, and will be behind further updates on the GDPR.
According to its work-plan, the group will produce guidelines on the notification of personal data breaches in 2017. These FAQs will be updated as more information is released.
The European Commission states: “A controller determines the purposes, conditions and means of the processing of personal data. A processor processes personal data on behalf of the controller.”
The ICO published advice on the roles of data controllers and data processors within the context of the Data Protection Act. These are broadly the same under the GDPR.
Yes, they are similar to the exemptions from the rights and duties which applied under the Data Protection Act. For example, safeguarding national security, investigating criminal offences and public health matters.
So that the principles of the GDPR are not undermined, there are restrictions on the transfer of personal data outside the EU, i.e. to third countries or international organisations.
The GDPR Recitals are notes that precede the articles and reference implicit control requirements. Helpfully, SecureDataService in Germany lists the articles and their associated recitals. You can click on any of the recitals to read more:
The recitals can be particularly useful in terms of interpreting the GDPR, and can help establish what a particular directive or regulation means.
Organisations with ISO 27001 certification (Information Security Management System) are likely to have many of the requirements of the GDPR in place already, but may need to make some adjustments.
On the 1st of November 2016, the ISO27k Forum released guidance: Mapping between GDPR (the EU General Data Protection Regulation).
You can visit the ISO27k Forum website here.
Many organisations preparing to implement the GDPR will already be compliant with other standards which have a crossover with it.
Compliance with National Institute of Standards and Technology (NIST) frameworks will help. A scoping activity will identify any areas that need further work to adhere to GDPR requirements.
PCI-DSS 3.2 is another major standard coming into force in 2018 and is said to provide much of what the GDPR sets out to achieve.
This is possibly an oversimplification, but some views are that you could take the 12 Payment Card Industry requirements and replace the phrase “cardholder data” with “personal data”, bringing the PCI standard into alignment with the GDPR.
This approach will address the required technical controls; however, further steps are needed to address the GDPR requirements for disclosure, consent, etc.
Help implementing the GDPR and safeguarding personal data
We are Perspective Risk
Information security is crucial to every aspect of your business – operational efficiency, profitability, business continuity, customer confidence, brand loyalty, protection against fraud and meeting regulatory requirements.
Our penetration testing and cyber security testing have proven time and time again to be an effective security assessment of business IT infrastructure.
Perspective Risk provides in-depth security assessments, risk management and compliance solutions to help you keep your confidential information safe and your critical systems secure. We’re innovative, flexible and supportive, helping you through any information security issues to deliver real business benefits and excellent value.