GDPR - what is it exactly?
Many organisations will be acutely aware of the General Data Protection Regulations (GDPR) will completely change the way personal information are handled by organisations.
The regulations will have far-reaching consequences for how organisations acquire, store and use personal data, and they come into full effect this coming May, 2018 - in other words, in under six months’ time!
For this reason, we have put together a list of 13 most frequently asked questions about the topic of GDPR and its impact on the organisations. These will help to bring you up to speed on some of the key points ahead of the big change.
1. What is GDPR?
GDPR stands for General Data Protection Regulation. It is a new European regulation that covers data protection and is aimed at improving and unifying the way personal data is currently protected. The Regulation will take effect on 25th of May 2018 and it will replace the current European Data Protection Directive.
2. What is considered to be personal data?
The concept of ‘personal data’ is very broadly defined. In general, it means any type of information that relates to an identified or identifiable ‘natural person’ that allows the ‘natural person’ to be easily identified based on the data such as their IP address, ID number or their physical/physiological/genetic/mental/economic/cultural features or attributes.
3. Who does GDPR apply to?
The GDPR applies to data controllers and data processors - in other words to every organisation that processes, stores, or transmits personal data of EU residents.
What’s the difference between data processor and data controller?
The main difference between the two is that controller decides how and for what purpose personal data is processed while the processor acts on the controller’s behalf but both have obligations under GDPR.
4. Does GDPR apply only to EU-based companies?
The GDPR applies to processing of personal data of EU citizens. This means that it not only applies to EU based organisations, but that it also applies to organisations that are based outside of the EU that offer goods or services to EU citizens or any organisation that processes the data of EU citizens. In other words, the vast majority of organisations.
5. What if I don’t follow GDPR? What are the penalties?
When GDPR is enforced, organisations that breach the regulations may be fined either between 2% to 4% of their annual global turnover or up €20 million, whichever is higher. Frequent breaches of the regulations and failure to address the issue can even result in higher fines of up to €40 million.
6. Will the fines really be enforced? How?
We won’t know until the GDPR actually comes into force. It will be up to the national data protection authorities in each jurisdiction to enforce the new rules. It is important to be mindful of the fact that organisations can be sued privately as well, which means that non-compliance can be costly, even if a company doesn’t get fined by their Relevant Data Protection Authority.
6. Do I need to appoint a DPO?
GDPR also calls for some types and sizes of organisations to appoint a nominated Data Protection Officer. Take a loot at the below decision tree created by DPO Network Europe to find the answer.
7. Will GDPR affect UK after Brexit?
Regardless of Brexit, organisations based in the UK that will be handling data related to EU citizens will still be affected by GDPR. What’s more, the UK's Data Protection Bill and the GDPR go hand in hand as this new Bill will implement the GDPR and may even impose higher standards so even if the UK is not in the EU anymore, it will have similar or greater obligations as the GDPR.
8. What core business areas will be affected by GDPR?
GDPR will affect any areas of a business that handle personal data, for example HR, sales, marketing, membership/customer services, IT, finance or legal. There is no distinction or exception between public and private either. Every organisation which has personal data is within the scope. And, let’s not forget that the personal data of employees is also affected by GDPR and will need to be acquired, stored, managed and to the same standards as any ‘natural person’.
9. What are the individual's rights under GDPR?
As the regulation was created to strengthen the privacy right of EU citizens, it gives greater rights such as to access, erasure or rectification of any data referring to them, along with the right to object to direct marketing, profiling and processing of their data.
What’s more, GDPR requires organisations to provide individuals with fair and transparent information about the processing of their personal data.
To be more specific, individuals will have the following rights under GDPR:
The right to be informed.
The right of access.
The right to rectification.
The right to erasure (also referred to as the ‘right to be forgotten’)
The right to restrict processing.
The right to data portability.
The right to object.
Rights in relation to automated decision making and profiling.
10. Does GDPR refer to cold calling?
GDPR doesn’t directly impact telesales (this is still an opt-out methodology), so prospects still can be contacted over the phone even without having to opt in to marketing communication. However, EU ePrivacy Regulation that has already been drafted is expected to follow closely on the heels of GDPR, and will regulate the area of telesales. ePrivacy is significantly more stringent than GDPR in terms of cold calling which will no longer be allowed under that Regulation.
11. Is GDPR retrospective?
GDPR isn’t retrospective as the EU adopted a 2-year long transition period which was intended to allow organisations to prepare for the Regulation. This means that the GDPR has actually been in force since 2016 and we have been in that ‘transition period’ for the past 18 months. When the GDPR deadline rolls around on May 24th 2018 all affected organisations are expected to have review and revised every aspect of their existing data processing activities to ensure they are compliant with the Regulations.