Frequently asked questions

  • The GDPR was adopted by the European Parliament and Council in April 2016. After a two-year transition period it became applicable across the EU on 25 May 2018.
  • Any information relating to an identified or identifiable living individual, whether on its own or combined with other information, is personal data. A defined subset is treated as a special category of personal data and is subject to stricter rules because of the harm its misuse can cause: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data about sex life or sexual orientation. Note that financial information such as bank details, although sensitive, is ordinary personal data rather than a special category.
  • The GDPR applies to any organisation established in the EU that processes personal data, and to organisations outside the EU whose processing relates to offering goods or services to, or monitoring the behaviour of, people in the EU, regardless of where the organisation itself is located.
  • There are two tiers of administrative fine depending on which obligations have been breached. The lower tier is up to €10 million or 2% of annual worldwide turnover, whichever is higher; the higher tier is up to €20 million or 4% of annual worldwide turnover, whichever is higher. Which tier applies depends on which part of the Regulation has been breached, and both controllers and processors can be fined.
  • A data protection officer (DPO) must be appointed if your organisation is a public authority or body, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.
  • The GDPR is an EU regulation: it applies directly in the member states and is enforced by their supervisory authorities. Now that the UK has left the EU, the EU GDPR no longer governs the personal data of people in the UK as such. However:
    1. UK organisations still need to comply with the EU GDPR if they offer goods or services to, or monitor the behaviour of, people in the EU. The Data Protection Act 2018 sits alongside the GDPR in UK law and fills in the areas the Regulation leaves to national legislation, so being GDPR compliant covers most of what the Act requires.
    2. The text of the EU Regulation has been carried into UK law (via the Data Protection, Privacy and Electronic Communications Regulations), amended to remove references to the EU and its institutions, and now stands as the UK GDPR.
    Organisations that process the personal data of people in both the EU and the UK need to handle each set of data under the regime that applies to it (EU GDPR for people in the EU, UK GDPR for people in the UK).
  • The GDPR applies to you no matter the size of your organisation: how many employees you have, how many customers you serve, or what your annual turnover is. The often-quoted 250 employee threshold appears only once in the Regulation, in relation to record keeping. The GDPR requires you to keep records of your processing activities (the purposes of processing, the categories of data and recipients, retention periods, the security measures in place, and so on). Organisations with fewer than 250 employees are exempt from this, unless the processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or includes special categories of data or data relating to criminal convictions. The rest of the GDPR applies in full regardless of size.

Documents & other resources

White Papers/Guides

  • An Overview of the GDPR: the GDPR has applied since 25 May 2018 and was introduced to unify and strengthen data protection for everyone in the EU.
  • The Six Lawful Bases for Processing Data: find out more about the six lawful bases for processing personal data.

Forms/Checklists

  • GDPR Checklist: review the risks to data your organisation faces and assess whether the measures you have in place are up to the task of preventing them.
  • GDPR Accountability Checklist: accountability is arguably the most important principle of the GDPR; it is about being able to demonstrate that you are complying with the Regulation.
  • Data Protection Principles: everyone who uses personal data must follow strict rules, set out in the GDPR as the principles of data protection.
  • Rights over your personal data: the GDPR covers personal data about an identifiable, living person. This can be anything from a name, a photo or an email address to bank details, posts on social media or medical information.

Posters

  • Day to Day Good Practice for GDPR: if your job involves handling personal information then you have a responsibility to ensure that this data is kept private and confidential.