The General Data Protection Regulation (GDPR) applies from 25 May 2018, and it has already generated a great many frequently asked questions. The GDPR is intended to bring a uniform approach to the handling of personal data across the EU. It also strengthens the rights of individuals with regard to the processing of their personal data by businesses and organisations.
There has been much confusion about what the GDPR actually requires. Businesses have found it difficult to navigate the mass of information and rumour that has accumulated over recent months. To help you separate fact from fiction, here are answers to some of the questions you may be asking.
Does the GDPR only apply to EU businesses and organisations?
Because the GDPR is an EU regulation, it is easy to see why there is a common misconception that only businesses and organisations based within the EU have to comply. This is not the case. The GDPR protects individuals who are in the EU, regardless of their citizenship, and it applies to any business or organisation that processes their personal data in connection with offering them goods or services (paid or free) or monitoring their behaviour. This is the case no matter where in the world the business or organisation is based. A US retailer that ships to customers in Germany, or an analytics service that tracks visitors from France, is in scope.
What about Brexit – how does this affect the GDPR?
As you will be aware, Brexit is going ahead and the UK will be leaving the EU. This makes no difference to the fact that businesses in the UK will almost certainly still have to comply with the GDPR, even after the exit is complete. As things stand, the UK is still a member state, so the GDPR applies directly to every UK business that processes personal data. Once Brexit happens, many UK businesses will continue to sell to, or monitor, people living in other parts of the EU, and the GDPR will still apply to that processing in exactly the same way as it applies to any other non-EU business.
Does all personal data need to be encrypted when stored, under the GDPR?
We have heard many people describe the encryption of personal data as a requirement of the GDPR. In fact, the GDPR does not mandate any particular security technology. What it requires (Article 32) is that controllers and processors implement technical and organisational measures that are appropriate to the risk of the processing, and it names pseudonymisation and encryption only as examples of such measures, alongside the ability to restore availability after an incident and regular testing of the measures in place. What all of this means is that the GDPR does not stipulate that encryption must be used; a business or organisation must decide, on the basis of the risk, what is appropriate. Encryption is nonetheless worth serious consideration, because it limits the damage caused by a leak, and because a breach involving data that has been rendered unintelligible to unauthorised parties (for example, properly encrypted data whose keys were not exposed) does not have to be notified to the affected individuals. Note that encryption only counts if the keys are managed separately from the data; a database encrypted at rest whose keys sit on the same compromised server offers little protection.
Does the GDPR only apply to electronic data?
The growth of cloud computing has made it a lot easier for businesses and organisations to gather and process large amounts of data. We live in the era of big data, when large quantities of both structured and unstructured data can be collected and analysed. This does not mean that the GDPR only applies to electronic data. The GDPR applies to all personal data processed by a business or organisation, whether by automated means or manually, as long as the manual records form part of, or are intended to form part of, a filing system. Personal data is any information relating to an identified or identifiable natural person, that is, a living individual; a person is identifiable if they can be picked out directly, or indirectly by combining the data with other information. This means that structured hard-copy records held by a business or organisation (filing cabinets, card indexes, paper personnel files) are subject to the GDPR in the same way that electronic records are. This can be especially problematic when a subject access request (SAR) is received. The business or organisation must ensure that the data subject receives a copy of all relevant hard-copy data that is held, as well as any electronic records, so it needs to know where its paper records are, not just its databases.
How is outsourced data processing affected by the GDPR?
The answers to these questions may not just apply to your business; they may also apply to any third-party provider that processes personal data for you. Do not forget that, as the data controller, you remain responsible for ensuring that the processing carried out on your behalf complies with the GDPR. Under the GDPR you may only use processors that provide sufficient guarantees of compliance, and the relationship must be governed by a written contract (Article 28) that sets out, among other things, the subject matter and duration of the processing, the processor's duty to act only on your documented instructions, its security obligations, its duty to assist you with data subject requests and breach notifications, its use of sub-processors, and what happens to the data when the contract ends. Processors also have direct obligations of their own under the GDPR, such as keeping records of processing and notifying the controller of breaches. Having the right contractual terms in place is necessary, but it is not the whole story: you should also satisfy yourself that the provider actually does what the contract says, for example by reviewing its security certifications or audit reports.
Is consent always required in order to comply with the GDPR?
This is one area that has caused much confusion. Many people believe that it is always necessary to have consent in order to process personal data. In fact, consent is only one of six lawful bases on which a business or organisation can process personal data (Article 6). The others are:
- Processing is necessary to perform a contract to which the data subject is party, or to take steps at their request before entering into one.
- Processing is necessary to comply with a legal obligation.
- Processing is necessary to protect someone's vital interests.
- Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
- Processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights of the data subject.
You can see that it is not always necessary to have consent to process personal data. However, if the processing of personal data is based on consent, your business or organisation must ensure that the consent is:
- Freely given, specific and informed.
- Used only for the specific purpose for which it was given.
- Given by a clear affirmative action. Silence, inactivity or a pre-ticked box is no longer sufficient.
- As easy to withdraw as it was to give, with the data subject told that they can withdraw it.
You must also be able to demonstrate that consent was obtained, so keep a record of what the person was told, what they agreed to and when. Explicit consent, a higher standard, is required for special category data such as health data. As you can see, the rules surrounding consent are more stringent under the GDPR, which is one reason to consider whether another lawful basis fits your processing better. But remember that consent is only one of several legitimate reasons for processing personal data.
Does the right to be forgotten always apply?
You may have heard that data subjects have the right to be forgotten under the GDPR. It is certainly the case that a data subject can ask you to erase the personal data you hold about them (Article 17). This does not mean that you always have to comply with the request. You need to examine the data you are holding and determine whether there is a legally valid reason for you to continue processing it after the request has been received. For instance, the data may be needed to comply with a legal obligation (such as tax record retention rules), to establish, exercise or defend legal claims, such as ongoing litigation, or for freedom of expression purposes. If such a reason applies you can refuse the request, but you must tell the data subject why, and without undue delay. Where you do erase data, remember that the obligation extends to copies held in backups and by your processors, and that if you have made the data public you must take reasonable steps to inform other controllers processing it.
Is a Data Protection Impact Assessment always required?
A Data Protection Impact Assessment (DPIA) is used to identify and minimise the risks that a processing activity poses to individuals. It is not required for every processing activity. A DPIA is mandatory where the processing is likely to result in a high risk to individuals (Article 35), and the GDPR gives three examples: systematic and extensive profiling that produces legal or similarly significant effects, large-scale processing of special category data (such as data about health, sexual orientation, ethnicity or criminal convictions), and systematic monitoring of publicly accessible areas on a large scale. Supervisory authorities also publish lists of processing operations for which a DPIA is required. Risks that the assessment identifies must be mitigated. If a high risk remains and no mitigation is apparent, the business or organisation must consult the supervisory authority (in the UK, the ICO) before the processing starts (Article 36). It is expected that this sort of prior consultation will be the exception rather than the norm.
Once the GDPR applies, on 25 May 2018, any business or organisation that processes the personal data of people in the EU will be expected to comply, whatever the scale of the processing. Fines are set by each national supervisory authority on a case-by-case basis, taking into account factors such as the nature and duration of the infringement, the measures taken to mitigate it and the degree of cooperation, and the authorities are expected to coordinate so that the approach is consistent across the EU. There are two tiers of maximum fine: up to 10 million Euros or 2% of annual worldwide turnover for infringements such as failing to keep records, secure data or notify breaches, and up to 20 million Euros or 4% of annual worldwide turnover for the most serious infringements, such as breaching the basic principles of processing or data subjects' rights, in each case whichever is higher. Fines at the top of the range are reserved for the most serious cases, but the GDPR is designed so that penalties are effective, proportionate and dissuasive.
No matter what level of fine you could be facing, it is important that your business or organisation is compliant from the outset. Lack of compliance is not only potentially damaging financially; it can also damage your reputation, and that reputational damage can lead to the loss of customers and a decrease in revenue.
Hopefully, the questions covered in this article have helped you gain a clearer picture of the GDPR and how it will affect your business or organisation. It is important that you understand the details of the GDPR, and that the people within your business also understand what actions they need to take. GDPR compliance is the responsibility of everyone who is in any way connected with the processing of personal data in a business or organisation. It is not just the responsibility of the management team, the Data Protection Officer (DPO) or the IT team.