GDPR Frequently Asked Questions
What are the main requirements of General Data Protection Regulation (GDPR)?
The main data protection requirements of GDPR are as follows:
- Requiring consent of subjects for data processing
- Safely handling the transfer of data across borders
- Anonymising collected data to protect privacy
- Providing notifications of any data breach
- Requiring some companies to appoint a data protection officer (DPO) to monitor and oversee GDPR compliance
What are the 7 principles of GDPR?
GDPR is underpinned by specific data protection principles to help drive compliance. They outline the obligations that organisations must comply with when processing personal data. The seven principles of GDPR are:
- Lawfulness, fairness, and transparency – organisations must be clear about why they are collecting data and how it will be used
- Purpose limitation – organisations must have a specific reason for collecting and processing personal information
- Data minimisation – organisations should only store the minimum amount of data that is required for their purposes
- Accuracy – organisations should regularly review information to ensure accuracy and delete or amend inaccurate information
- Storage limitation – organisations should have a review process to deal with cleansing of databases and deleting unused data
- Integrity and confidentiality – organisations should ensure all appropriate measures are in place to secure personal data
- Accountability – organisations must take responsibility for the data they hold and should be able to provide evidence of steps they’ve taken to demonstrate compliance
Do I have to be GDPR compliant?
Yes, If your organisation is based in the European Union, or if your organisation deals with the personal data of individuals who are located in the EU, then you will need to be compliant.
If processing personal data is not an integral part of the business, and the activities of your business do not create any risks for individuals’ personal data, then your organisation may be exempt from GDPR obligations, however this is decided on a case by case basis.
What are the fines for breaching GDPR compliance?
GDPR fines include two tiers of violations, depending on the severity of the violations. For less severe violations, penalties could result in a fine of up to 10 million or 2% of the organisations annual turnover.
The maximum penalty for non-compliance is up to 20 million or 4% of the annual turnover, whichever is greater.
Not all GDPR infractions lead to fines. The UK’s Information Commissioner’s Office (ICO) can also take the following actions:
- Issue warnings and reprimands
- Imposing a temporary or permanent ban on data processing
- Ordering the rectification, restriction or erasure of data
- Suspending data transfers to third countries
I have a small business–am I exempt from GDPR?
No, you are not exempt from GDPR. Any business that regularly processes data must still comply with the GDPR.
However, since small businesses have fewer resources and are less of a risk for data protection law, the ICO may be more lenient about non-compliance.
It’s also important to note that if your business is contracting with a larger company, they may have their own requirements to ensure compliance. If the company conducts large-scale processing, you also may be subject to the harsher end of GDPR’s regulation.
What are the rules for subject access requests under GDPR?
Under GDPR, A subject access request allows individuals to obtain records of their personal information from organisations. Individuals can make a subject access request verbally or in writing.
In addition to a copy of their personal data, you also have to provide individuals with the following information:
- the purposes of your processing;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
Can I charge a fee for subject access requests?
Generally, you cannot charge a fee for complying with a subject access request. You can charge a “reasonable fee” for any admin costs associated with complying with the request if:
- It is unfounded or excessive, or
- An individual requests further copies of their data
How long do I have to comply with a subject access request?
You must comply with a request within a month of receipt of the request. If the corresponding day falls on a weekend or holiday, you have until the next working day to respond.
The time to respond can be extended for a further two months if the request is complex, or if you have received multiple requests from an individual. You must inform them within one month of the request about the extension and why it is necessary.
If you are collecting data directly from someone, you must provide them with your privacy notice at the moment that you do so.
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language
- Delivered in a timely manner
- Provided free of charge
- The identity and contact details of the organisation, its representative, and its Data Protection Officer
- The purpose of processing an individual’s personal data and its legal basis
- The legitimate interests of the organisation (or third party, where applicable)
- Any recipient of an individual’s data
- The details regarding any transfer of personal data to a third country and the safeguards taken
- The retention period or criteria used to determine the retention period of the data
- The existence of each data subject’s rights
- The right to withdraw consent at any time
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
- The existence of an automated decision-making system, including profiling, and information about how this system has been set up.