GDPR FAQs
What is the GDPR?
The Data Protection Act (DPA) 2018 sets out the data protection framework in the UK, alongside the General Data Protection Regulation (GDPR) which came into force in May 2018 and aims to give control of personal data back to individuals by addressing modern concerns about data protection in the digital age.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Does the GDPR only apply to EU organisations?
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU who offer goods or services to individuals in the EU.
My firm employs fewer than 250 people. Am I exempt from the GDPR?
You’ll have to comply with the GDPR regardless of your size, if you process personal data.
Do I need to appoint a data protection officer (DPO)?
Under the GDPR, you must appoint a DPO in certain circumstances.
Public authorities will have to appoint a Data Protection Officer. Organisations whose core activities include large scale monitoring, or large scale processing of special category data, will also have to appoint a DPO.
What is large-scale processing?
The GDPR does not define what constitutes large-scale processing. However, processing may be on a large scale where it involves a wide range or large volume of personal data, where it takes place over a large geographical area, where a large number of people are affected, or where it is extensive or has long-lasting effects. In many cases it is unlikely that small organisations will be processing on a large scale.
Does my organisation need to register with the ICO under the GDPR?
If you needed to register under the Data Protection Act 1998, then you will probably need to register, and pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.
What are the six principles of the GDPR?
The six principles that underpin the GDPR are that data is:
- Processed lawfully, fairly and transparently
- Only collected and used for particular lawful purposes
- Adequate, relevant and not used excessively for that purpose
- Accurate and up to date
- Stored no longer than necessary
- Kept secure, and its integrity and confidentiality are protected
What are the Rights of the Individual?
The rights have been strengthened with new rights in relation to:
- Right to Access – the right of the individual to be given information about how their data is being processed and why. Organisations can no longer charge for subject access requests and the information must be provided within one month
- Right to Erasure – the right to have personal data deleted
- Data portability – the right of the individual to have their data transferred to another data controller
What does ‘personal data’ mean?
Personal data refers to any information that can identify a living individual - either on its own, or if it is combined with other information you hold, or if it is combined with other information that is likely to come into your possession.
What does ‘data subject’ mean?
The data subject is the individual that can be identified by the personal data.
What does ‘processing’ mean?
If you hold, record or obtain personal data on a computer system or in a structured paper filing system, you will normally be considered to be processing personal data.
What does ‘data processor’ mean?
A data processor is any person that processes data on behalf of the data controller (other than an employee of the data controller).
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
What does ‘data controller’ mean?
A data controller decides how and why data is used.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.