GDPR Frequently Asked Questions

The General Data Protection Regulation (GDPR) is due to become law in May 2018, and already there are many GDPR frequently asked questions. The introduction of the GDPR is intended to provide a level of uniformity to the way personal data is handled across the EU. It also improves the rights of EU citizens with regard to the processing of their personal data by businesses and organisations.

But there has been much confusion regarding what is included in the GDPR. Businesses have found it difficult to navigate through the masses of information and rumours that have accumulated over recent months. To help you distinguish fact from fiction when it comes to the GDPR, here are the answers to some of the questions that you may be asking.

Does the GDPR only apply to EU businesses and organisations?

Because the GDPR is an EU regulation, it’s easy to understand why there is a common misconception that only businesses and organisations that are based within the EU have to comply. This is not the case. The GDPR applies to all citizens of the EU. This means that any business or organisation which holds, and processes, the personal data of these citizens has to comply. This is the case no matter where in the world the business or organisation is based.

What about Brexit – how does this affect the GDPR?

As you will be aware, Brexit is definitely going ahead. This means that the UK will be leaving the EU. This does not make any difference to the fact that businesses in the UK will more than likely be required to comply with the GDPR, even after the exit is complete. As things stand at the moment, UK citizens are still citizens of the EU. This means that the GDPR applies to all businesses in the UK that process the personal data of UK citizens. Once Brexit happens, it’s likely that many UK businesses will still process the data of EU citizens (people who are living in other parts of the EU). If this is the case, the GDPR will still apply to them.

Does all personal data need to be encrypted when stored, under the GDPR?

We have heard many people mention the encryption of personal data, as a requirement of the GDPR. In fact, the GDPR does not directly refer to the security of data, except to say that businesses and organisations should have effective processes and procedures in place. These processes and procedures should be sufficient to mitigate against identified high risks, when it comes to the processing of large amounts of sensitive personal data. What all of this means is that the GDPR does not stipulate that encryption must be used. But, your business or organisation may choose to use encryption in order to alleviate the risk of damage caused by data leaks.

GDPR frequently asked questions – do they only apply to electronic data?

The growth of Cloud computing has made it a lot easier for businesses and organisations to gather and process large amounts of data. We live in the era of big data, when large quantities of both structured and unstructured data can be obtained and analysed. This does not mean that the GDPR only applies to electronic data. The GDPR applies to all personal data which is processed by a business or organisation. Personal data is any piece of data, or group of pieces of data, that can be used to identify a natural person; a natural person is anyone who is living. This means that any hard copy records which are held by a business or organisation are subject to the GDPR, in the same way that electronic records are. This can be especially problematic if a system access request (SAR) is received by a business or organisation. It needs to ensure that the data subject receives a copy of all hard copy data that is held, as well as any electronic records.

How is outsourced data processing affected by the GDPR?

When it comes to GDPR frequently asked questions, the answers may not just apply to your business; they may also apply to any third party provider that processes personal data for you. Do not forget that you still have a responsibility as a data controller to ensure that the data processing work that is carried out on your behalf is done in a way which complies with the GDPR. This means that you should think about including relevant clauses in the contracts between you and the third party provider. Doing so means that you can be sure that your business or organisation is compliant with the GDPR at all times.

Is consent always required in order to comply with the GDPR?

This is one area which has caused much confusion when it comes to the introduction of the GDPR. Many people believe that it’s always necessary to have explicit consent in order to process personal data. In fact, this is only one of the legal reasons why personal data can be processed by a business or organisation. Here are some of the other reasons that exist.

  • To carry out a contract to which the data subject is party.
  • For legally mandatory reasons.
  • Processing the data is in the legitimate interest of the data subject and that interest outweighs any potential detriment.

You can see that it is not always necessary to have consent to process personal data. However, if the processing of personal data is based on consent, your business or organisation must ensure that consent is:

  • Given freely and fully informed.
  • Only used for the specific purpose for which it was given.
  • Given as the result of a positive action being taken. For instance, it’s no longer sufficient to simply provide a pre-checked tick box.

As you can see, the rules surrounding consent are more stringent under the GDPR. But, you should remember that consent is only one of several legitimate reasons for processing personal data.

Does the right to be forgotten always apply?

You may have heard that data subjects now have the right to be forgotten, under the GDPR. It’s certainly the case that any EU citizen can ask you to delete the personal data you hold and process. This does not mean that you always have to comply with the request. You need to examine the data that you are holding, and determine whether there is any legally valid reason for you to continue processing it, after a request to be forgotten has been received. For instance, the data could be required for use in ongoing legal action. If there is a valid legal reason for you to continue processing the data you can refuse the request for the data to be deleted.

Is a Data Protection Impact Assessment always required?

A Data Protection Impact Assessment (DPIA) is used to help determine risks associated with the processing of sensitive personal data, such as data related to health or sexual orientation. The assessment is used as part of the risk identification process, and is only necessary when used for this purpose. Risks that are identified must be mitigated against. If no mitigation is apparent then the business or organisation should seek advice from the Data Protection Authority (DPA), before the data is processed. It’s expected that this sort of situation will be the exception rather than the norm.

Once the GDPR becomes a reality, on 25 May 2018, any business or organisation that is involved in the large scale processing of the personal data of EU citizens will be expected to comply. There will be some leeway for national authorities to set the level of fines for non-compliance, although it’s expected that there will be liaison between authorities in order to sustain a level of continuity. The maximum possible fine has been set at 20 million Euros, or 4% of annual turnover, whichever is higher. In reality it’s unlikely that this level of fine will be imposed.

But, no matter what level of fine you could be facing, it’s important that your business or organisation is compliant from the outset. Lack of compliance is not only potentially damaging financially, it could also damage your reputation. This type of reputational damage could lead to the loss of customers, and a decrease in revenue.

Hopefully, the GDPR frequently asked questions that have been covered in this article have helped you to gain a clearer picture of the GDPR, and how it will affect your business or organisation. It’s important that you understand the details of the GDPR, and that you ensure that the people within your business also understand what actions they need to take. GDPR compliance is the responsibility of everyone who is in any way connected with the processing of data in a business or organisation. It’s not just the responsibility of the management team, the Data Protection Officer (DPO) or the IT team.

Who Does GDPR Apply to?

As the General Data Protection Regulation (GDPR) has just become law, there is still some confusion surrounding this legislation. If you are not living in a European Union (EU) country, you may think the GDPR has nothing to do with your personal data. Many organizations think that they are not affected because of their size or location. Many are in for a surprise, and not necessarily a good one.

Here are the individuals, companies and enterprises that will be affected by the rulings of the GDPR.

Ask yourself:

  1. Am I a citizen of a European Union country not presently living in an EU state? GDPR was created to safeguard the personal data of all EU citizens. Your location does not affect your citizenship.
  2. Am I an individual presently living in an EU country although I am not an EU citizen? If you are residing in an EU country, your right to protection of your personal data collected by EU businesses within the EU country is protected.
  3. Does my company process personal data of any European Union citizen? If you store, process, or transmit data of EU residents then your company must comply with GDPR.
  4. Does my company or do I engage in economic activity? GDPR does not apply to those who process personal data of EU citizens if it is exclusive to household or personal activities. Otherwise, according to Article 4 paragraph 18, you and/or your company must comply with GDPR regulations.

Does GDPR Apply to Individuals?

The simple answer to this question is both yes and no. The main purpose of GDPR is to protect the personal data of data subjects—those from whom personal data was collected by a business or an organization.

However, the mandate of GDPR is to protect the privacy of all European Union (EU) citizens. So, if we are talking about the personal data of someone of European Union origin, whether they live in an EU State or not, their personal data and the rights surrounding that data are protected. It behoves all companies who collect personal data from an EU citizen to furnish him with information regarding his personal data rights.

If you are under the age of sixteen and an EU citizen or someone living in an EU country, then GDPR requires that companies or organizations wishing to collect your personal data must have your parents’ written and informed consent to process your personal data.

Does GDPR Apply to non-European Union Citizens?

The intent of GDPR is to protect the personal data of all EU citizens. Thus, if you are a non-EU citizen, GDPR does not specifically apply to your data and your data rights. However, if you are a non-EU citizen presently living in an EU state, your rights are protected concerning data collected by EU companies and organizations.

However, in many instances the personal data information presented by a company to its EU employees and/or clients and/or tradespeople is also being given to its non-EU contacts as well. While you cannot make a request regarding your personal data through GDPR channels, many companies are honouring these requests and processing them for their non-EU employees and clients. The companies do not want to be seen as discriminating between EU and non-EU citizens.

In another scenario, if your company collects data of a non-EU citizen who is, at the time, living in an EU Member State, his rights are protected under the GDPR for as long as he resides in an EU State.

Does GDPR Apply to EU Citizens Living Abroad?

GDPR protects the personal data and the rights of data subjects as long as they are EU citizens, no matter where they are living.

GDPR Article 3 explains that any company in the world that employs or does business with EU citizens must comply with GDPR regulations. So a company that hires or does business with any EU citizen must appoint a Data Controller whose job it is to supervise data collection by Data Processors. The Data Controller will explain the data protection rights of all EU citizens the company hires or does business with.

Many companies are convinced they have not hired or done business with EU citizens. If the company has no locations in EU States but processes data of EU citizens, or even of non-EU citizens presently living in an EU state, then the company must comply with GDPR regulations.

If your company offers goods and/or services to anyone who is an EU citizen or any non-EU citizen who is presently residing in an EU state, then your company must comply with GDPR regulations. Some locations not in EU states are under GDPR jurisdiction because of public international law.

Does GDPR Apply to American Citizens?

According to GDPR Article 3, if your company collects personal data from anyone inside an EU country, then your company is subject to GDPR rules. So if you are an American citizen living in an EU state, then you are protected by GDPR. This is true only if you are living in the EU when the data is collected.

Does GDPR Apply to EU Citizens in the US?

This issue is called ‘extraterritoriality’. Basically, GDPR applies to data transferred outside EU States. So, if an EU citizen requests that their data be transferred electronically to a business in the United States, then the data is protected by all the rights ensured under GDPR.

In addition, if an EU citizen is living and working in the United States, then any data collected by an American company or organization is protected by the GDPR regulations. This American company would have to comply with GDPR rules whether or not it had any locations in EU States such as France or Germany.

Enforcing the GDPR against non-compliance in non-EU States will be complicated, but it is enforceable. Extraterritoriality will apply to websites that collect the data of EU citizens, including social media, e-commerce, and any online products or services.

Does GDPR Apply to Small Businesses?

The easy answer to this is yes. GDPR applies to all businesses of any size. For example, any company of any size with any number of employees that has a web presence and markets goods and/or services over the Internet will have potential dealings with EU citizens. Thus, that company is affected by GDPR legislation and must comply with GDPR regulations. Size is not a factor. Nor is the type of business a concern.

GDPR demands that all small and medium-sized enterprises comply. However, there are some exceptions if your company employs fewer than 250 employees. GDPR notes that many small and medium-sized companies do not pose as great a risk to the personal data of EU citizens.

GDPR Article 30 states that companies with fewer than 250 employees do not need to keep processing records unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data…or personal data relating to criminal convictions and offences.”

Does GDPR Apply to Company Data?

The GDPR applies to any company or organization located in an EU state. However, it also applies to enterprises that offer goods and services or who monitor the behaviour of any EU client or employee. Any company that processes data of EU citizens, no matter where it is located, is subject to GDPR guidelines and penalties.

Does GDPR Apply to HR Data?

Human Resources may be the area of your business most affected by GDPR. That department handles all sorts of personal data, much of it sensitive. Under GDPR guidelines, this data must be processed with specific care, security and transparency.

In HR, before the GDPR, less concern existed around what was collected, how it was used, how secure personal data files were, how data was stored, and when and how it was erased. HR must now reconsider the collection of personal data, the processing of its employees’ personal data, and how the data is used, stored and retained.

GDPR requires that your company have a designated Data Controller who must provide all data subjects with information about personal data processing. This information must be presented at the time of data collection in a clear, simple, concise, easy-to-understand and transparent manner.

HR will also be involved in other new employee duties under GDPR. Data Protection Officers must be appointed by every business that processes data of EU citizens. Data Controllers and Data Processors are also required. These may not necessarily be new hires. These duties could be assigned to existing employees but a clear outline of their duties and remuneration for such must be handled by Human Resources.

The duties of Data Protection Officers are outlined by GDPR article 37. They apply to companies that do significant systemic monitoring and/or processing of sensitive personal data.

Moreover, data subjects must be informed of their rights regarding that personal data. They must have access to their data file. They have the right to request changes, modifications, additions, corrections and deletions. They have the right to request that their file be transferred electronically to another business. They have the right to request their file be erased.

Your HR department is obligated to inform all EU citizens about their personal data file. Your company must also have a process for receiving data subject requests and for dealing with these.

Employee consent has changed under GDPR. Regulations state that consent must be “freely given, specific, informed and unambiguous.” GDPR clearly states that entering an employee contract must not hinge on employee consent to personal data processing.

GDPR regulations state: “If for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual – for example if you are a public authority or an employer processing employee data.”

Data may be collected electronically. It may also be organized in data sets. Profiling of data may occur in your department. This information must be given to all EU citizens who are employed by your company. Employees or candidates for hiring must be asked for their consent to collect, use, store and erase personal data.

Processing personal data is allowed under GDPR only to the extent it is used for the original purpose for which it was collected.

If the data is to be used for a different purpose later on, a new consent form outlining the repurposing of this data must be signed by the employee.

Data Controllers have the responsibility for ensuring that only that personal data necessary for a stated and agreed-upon purpose is processed. GDPR states that data collected, used, and stored must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

HR must collect only enough data for their stated purpose and also has a responsibility to ensure personal data is correct and current. Any data that is inaccurate or outdated should be deleted or modified. Moreover, your company’s Data Controller must take “every reasonable step” to comply with this GDPR principle.

HR can no longer retain personal data files when they no longer require the personal data for its stated reason for collection. Under GDPR guidelines HR should now conduct a regular review of personal data and have a clearly outlined process for removing personal data files from storage and erasing them in a secure and methodical process.

Under the new GDPR guidelines, personal data must be protected against anyone who is not authorized to access it. Personal data of EU citizens must also be protected from being used inappropriately—i.e., for a purpose not stated at the time of its collection.

Your company’s Data Controller must look critically at the present level of security to ensure it is adequate to provide these protections. Moreover, security measures must be checked regularly to ensure they remain appropriate.

If a personal data breach occurs, HR and your Data Controller need to have a clear process for analyzing the breach and for reporting it to GDPR authorities if it is deemed reportable.

High profile data breaches of HR data can be extremely serious to your company not just in severe fines but also in professional embarrassment and bad image for the company.

Your company must demonstrate GDPR compliance. Self-reporting procedures must be in place. All employees need to be aware of GDPR rules and how the company complies with these regulations.

How can HR ensure GDPR compliance?

HR teams must understand the complexities of GDPR and the implications for the company in general and HR specifically. HR needs to give the document a thorough reading and review its present policies of collecting, using, storing and deleting data.

A good first step is to examine current data protection policies and practices when it comes to safeguarding employee personal data, contracts, HR handbooks and employment policies.

Next HR should ensure full transparency concerning what is collected, processed and retained.

HR should ensure they have employee consent for all personal data collections. This consent needs to be signed and stored. HR should note that the present employee consent form is unlikely to be acceptable under GDPR. Why has HR collected data to date? Will there be changes under the GDPR? A test of the legitimacy of data processing is: does the employer have a legal need for the data that is presently being collected? Does any of this data, or the method of its collection, unfairly affect the rights of EU citizens who are employees?

Should HR identify employees and clients who are EU citizens and thus under GDPR protection?

HR should devise a process for informing all employees and clients of their rights, and decide upon a method of training employees on how the GDPR relates to present data protection policies.

HR needs to appoint someone who will co-ordinate compliance with GDPR reforms and monitor activity. Increased burden to self-report should be examined in the light of having a clear procedure in place for doing so.

Does GDPR Apply to Marketing Data?

If you are involved in marketing data anywhere in the world, then chances are GDPR regulations apply to your company. Here’s why:

If your company collects and uses personal data of any citizen of any of the twenty-eight European Union countries, then GDPR guidelines apply to you. If your business is involved in mobile marketing, then it has a global base of buyers and potential buyers which, in all probability, includes some EU citizens. Thus, the new law applies to your business.

Does GDPR Apply to US Companies?

The quick answer here is: probably yes. GDPR applies to American enterprises if they process personal data of EU citizens. Before you say, “No, my company does not handle EU data” then consider these three possibilities:

Article 44 discusses international data transfers. If your company deals with data from EU citizens through electronic transfer of personal data of employees, potential hires, clients to whom you offer goods or services then your American-based company is subject to GDPR regulations.

Article 3 paragraph 1 applies to your company’s Data Controller and Data Processors. Whether the data is collected inside EU states or not, if the data belongs to an EU citizen then your company is liable under GDPR rules and penalties.

Article 3 paragraph 2 concerns processing of personal data of EU data subjects by a Controller or Data Processor who is not in EU states. If this data is related to offering goods or services to an EU citizen, anywhere in the world, then your company is subject to GDPR regulations and penalties. If your company monitors the behavior of an EU citizen, then your company profiles EU citizens and is subject to GDPR regulations.

Does GDPR apply to non-European Companies?

The General Data Protection Regulation (GDPR) is a regulation established by the European Union (EU). If your company does not have a location in EU states, then it is a non-European company. However, that does not mean your company is not affected by GDPR. The impact of this legislation in our global economy has far-reaching effects well beyond EU countries or even the European continent.

GDPR targets how businesses and public sector companies handle the personal data of the 75 million European Union citizens. Those business people who are not located in European Union states have mistakenly assumed that GDPR has no bearing upon their company if they are non-European business enterprises. If your company collects any data from an EU citizen then your company, no matter where it is located, is affected by GDPR guidelines and fines.

Under Article 3 of GDPR, territorial scope is an issue. Companies outside the EU jurisdiction may be liable under GDPR rules and penalties. If your company processes personal data of EU citizens, even though your business and/or the EU citizens are not in the EU area, your company is subject to GDPR rules.

If you are a non-EU company, or a company that has no sites in Europe, that processes personal data of EU citizens in connection with offering services or goods and/or monitoring the habits of EU citizens whose behavior takes place in an EU country, then your non-EU company must comply with the GDPR. If EU law applies in the country where your offices are located, then GDPR applies to your non-EU company.
