Frequently asked questions – GDPR
Our GDPR FAQ page answers common questions about the Europe-wide law that places greater obligations on how organisations handle personal data. It applies to data processing carried out by organisations operating within the EU and came into effect on May 25 2018. The Regulation is a binding legislative act, unlike a Directive, which sets out a goal for EU countries to achieve.
Visit our GDPR Compliance Packages page for help with compliance.
Visit the ICO page for an overview on the GDPR.
The GDPR also applies to non-EU organisations that offer goods or services to individuals in the EU, or that monitor the behaviour of EU citizens via social media or commerce platforms. This is a question our international clients frequently put to our GDPR FAQ experts.
The GDPR applies to “personal data”, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
A common GDPR FAQ: the European Union defines personal data as any information relating to an individual, whether it relates to their private, public or professional life. It can be anything from a name, a photo, an email address, bank details or posts on social media to a computer’s IP address. There are even stricter processing rules for what is known as “special category” data: this includes personal data revealing racial or ethnic origin, religious beliefs, and genetic and biometric data.
A controller determines the purpose and means of processing personal data, the “how” and the “why”. A processor is responsible for processing personal data on behalf of a controller. Controllers are obliged to ensure their contracts with processors comply with the GDPR, while processors are required to maintain records of processing activities and will be legally liable if they are responsible for a data breach.
The GDPR does not define what constitutes large-scale processing. However, processing may be on a large scale where it involves a wide range or large volume of personal data, where it takes place over a large geographical area, where a large number of people are affected, or where it is extensive or has long-lasting effects. In many cases it is unlikely that small organisations will be processing on a large scale. Examples of large-scale processing include the processing of patient data by a hospital, the processing of personal data for behavioural advertising by a search engine, the tracking of individuals’ travel card use on a transport system, and the processing of data (content, traffic, location) by a telephone or internet service provider.
The short answer is no. Consent is one lawful basis for processing and there are five others, all equally valid in law. Consent won’t always be the easiest or most appropriate basis. You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult to obtain, this is often because another lawful basis is more appropriate, so you should consider the alternatives.
You’ll have to comply with the GDPR regardless of your size if you process personal data. But size is a factor in a range of areas, including the requirement to maintain records of processing.
Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors.
The GDPR sets out the information that you should supply and when individuals should be informed. The information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible
- written in clear and plain language, particularly if addressed to a child
- free of charge