Frequently asked questions

What is the GDPR?

It stands for the General Data Protection Regulation. By 25 May 2018, all organisations using personal data will have to be compliant with it.

What type of information is considered to be personal data?

The GDPR categorises personal data as any information relating to an identifiable natural person. This broad definition includes information such as name, email and location. It also includes online identifiers such as IP addresses and online behaviour.

What kind of changes will the GDPR bring to Europe's privacy law?

1. Individuals will have significant new rights, such as the right to be forgotten. 2. Consent will be harder to obtain and can be withdrawn at any time. 3. Organisations will become responsible for data security, and must report breaches. 4. Privacy notices will need to contain specific disclosures. 5. Transfers of data to organisations outside the EU will incur specific requirements. 6. Organisations outside the EU will have to abide by the law if they collect and process personal data from within the EU.

How do I obtain consent?

Consent needs to be explicit, opt-in and freely given. This means the popular, opt-out based consent of today will no longer be acceptable.

Our organisation is based outside of the European Union. Do we need to comply?

Yes. If you offer goods or services to EU residents, then you must comply with the GDPR.

We don't charge for the services we offer. Do we need to comply?

Yes. The GDPR applies to organisations that offer goods or services to EU residents irrespective of whether a payment is required or if the organisation is monitoring the behaviour of EU residents.

We process personal data manually instead of using automated means. Do we need to comply?

If the manual data processing contributes toward a database, then you must comply. If the processing is once-off and doesn't enter a structured and accessible database, then the GDPR may not apply.

Are there any compliance exemptions for businesses or specific industries?

EU Member States can make derogations for national security, defense, public security, criminal and ethics investigations and prevention, public interest and the enforcement of civil law. You'll need to ask your supervisory authority for a list of derogations.

What happens if I don't comply?

You may be fined up to €20m or 4% of your worldwide turnover (revenue), whichever is greater. You may also be subject to lawsuits by affected data subjects.

How aggressive will regulators be about fining organisations that don't meet the May 2018 deadline?

The truth is we don't know. The EU is still issuing guidance on provisions so there remains some uncertainty about how they'll be enforced. What this means is, initially, you'll need to make value judgements on whether your processing is lawful. For example, allowing an employee to take a laptop on holiday or selling your business and transfering your books could be technically non-compliant but unavoidable and in need of a risk assessment. The Information Commissioner's Office (the UK supervisory authority) has insisted it will be a proportionate, rational regulator , and that it won't aggressively go after businesses to levy fines except as a last resort. But their budget is funded by fines. And they issued ¾ million pounds in mid-2017 despite the new Data Protection Law being enacted. So it'll be best to err on the side of caution.

Will Brexit negotiations affect the UK's GDPR compliance?

In January 2017, Theresa May said the UK would retain the GDPR and convert in into UK law. In August 2017, the UK Department for Digital, Culture, Media & Sport released a Statement of Intent indicating that the GDPR would be translated into a new Data Protection Bill for the UK. Furthermore, UK organisations that offer goods or services to EU residents would need to comply.

Is there any leeway, in terms of the May 2018 deadline, for organisations of different sizes/budgets?

The Irish Data Protection Commissioner, Helen Dixon, has indicated a willingness to apply the full fine as the case may call for it, and when asked if there'll be any leeway to ease companies into the new regulation, she answered "No. There's not going to be any amnesty or first or second chances." The Information Commissioner's Office Head of International Strategy and Intelligence, Steve Wood, says, "Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy. What you will see is a common-sense, pragmatic approach to regulatory principles."

Will organisations with a history of poor data protection be examined any harder or made examples of?

Conglomerates and companies working with sensitive personal data such as health and biometric data would do best to ensure they comply with the GDPR. Industries with a history of poor data protection practices, such as digital direct marketing and social media organisations that hold large quantities of personal data, should make sure their consent practices comply and that they can guarantee their data subjects' rights under the GDPR.

Are there any benefits to being compliant or is it just another burden on business?

There are very concrete benefits. Compliance is an opportunity to redefine your organisation's governance, policies and data management practices. By educating your employees and clients in data protection and privacy you'll strengthen your brand as being responsible and trustworthy.. During the assessments, data mapping and gap analysis you'll undertake in order to become compliant, you'll have an opportunity to not only review and improve your data security, but also have a better understanding of how you're using personal data and how you might be able to use it more effectively.

Is anyone offering GDPR compliance guidance for businesses/organisations?

All the supervisory authorities are issuing advice and offering guidance, as are independent organisations such as the IAPP and the Data Protection Forum. Data Privacy professionals, IT consultancies and law firms have also begun to offer services related to GDPR compliance.

Does my business/organisation need a data protection officer (DPO)?

You must appoint a DPO if you represent a public authority or are a business/organisation that undertakes regular and systematic monitoring of data subjects or processes sensitive personal data.

Who can use GDPR365?

Data protection officers, consultants and businesses/organisations needing to become compliant. GDPR365 is a comprehensive service that simplifies and manages a data protection programme.