FAQs concerning the GDPR
The General Data Protection Regulation, or GDPR, becomes law on the 25th of May 2018. Many businesses are asking the same questions about it. The principal goal of the GDPR is to provide a degree of uniformity to the manner in which personal data is dealt with throughout the European Union. The new Regulation also increases the rights of citizens of EU member states, with respect to organisations or companies processing their personal data.
Nonetheless, many business owners appear to be somewhat confused as to what precisely is contained in the GDPR. They have found it a challenge to make sense of the large quantities of information and rumours that have crossed their paths over the last few months. Below is a list of some of the more frequently asked questions, with answers, that many businesses have been asking about the GDPR.
Is the GDPR applicable solely to European companies and organisations?
As the GDPR is a regulation of the European Union, it is understandable that one of the more common misconceptions about it is that only those organisations which are based in EU member states are obliged to comply with it. This assumption is incorrect. The GDPR is in fact applicable to all of the citizens of the nations of the European Union. That is to say that any company or organisation which possesses, and processes, personal data relating to any of these European citizens must comply with the regulation. This is true irrespective of where the company or organisation is based, in Europe or elsewhere.
How is the GDPR affected by Brexit?
On the 23rd of June 2016, the United Kingdom voted by a small majority to leave the European Union. As things stand, the UK is scheduled to leave the EU on the 29th of March 2019. This has provoked a number of questions regarding the GDPR’s relevance to UK-based businesses. However, it does not in fact change the reality that businesses in the UK will in all probability have to comply with the GDPR, even following the completion of Brexit. At present, UK nationals still enjoy citizenship of the EU, which means that the GDPR is applicable to all British companies which process UK citizens’ personal data. Many UK businesses will continue to process the data of EU citizens after the 29th of March 2019, meaning that the protections of the GDPR will continue to be applicable to them.
Does the GDPR require that all personal data be encrypted when stored?
There has been much speculation that the encryption of personal data is to become a legal requirement under the GDPR. This is not in fact the case. The GDPR makes no direct reference to the security of data, other than to state that businesses must ensure that effective processes and procedures have been put in place. These “processes and procedures” must adequately mitigate any recognised high risks when processing large quantities of sensitive data. Simply put, the GDPR does not expressly require that encryption be employed. Encryption is, however, an option that your business may choose when deciding how best to limit the potential damage resulting from data leaks.
Does the GDPR apply only to electronic data?
The rapid development of Cloud computing has simplified the manner in which companies and organisations may collect and process significant quantities of data. This is an age of big data, when huge amounts of structured and unstructured data may be gathered and then analysed. Despite the impression that recent IT developments might give, the GDPR does not apply only to electronic data. GDPR provisions are applicable to all personal data that is being processed by a company or organisation. ‘Personal data’ is defined as any piece of data, or grouped pieces of data, that may be used in order to identify any living person. That is to say that hard copy records held by businesses or organisations also fall under the terms of the GDPR, in exactly the same manner as electronic records do. This might prove to be particularly problematic should a subject access request (SAR) be made by a data subject. The businesses concerned need to make sure that the data subject is given a copy of all of the hard copy data that they hold, together with any electronic records.
How does the GDPR impact outsourced data processing?
It must be remembered at all times that any of the questions raised by the introduction of the GDPR may also apply to the third-party providers that your business engages to process personal data on its behalf. Be aware that you retain responsibility as a data controller for making sure that the data processing work being done on your behalf is carried out in a manner which is fully GDPR compliant. You should therefore consider including relevant clauses in the written agreements between your business and the third-party provider. This will give you peace of mind in knowing that your business is acting in constant compliance with the GDPR.
Is consent necessary at all times for GDPR compliance?
In their preparations for the introduction of the GDPR, many businesses have found the question of consent to be a source of a great deal of confusion. It is widely believed that it is always obligatory to have received explicit consent prior to processing personal data. In reality, consent is but one of the legal reasons why personal data may be processed by a company or organisation. Some of the alternative reasons are:
- To perform a contract to which the data subject concerned is a party.
- For obligatory legal reasons.
- The processing of the data can be shown to be in the legitimate interest of the data subject, and that interest is greater than any potential detriment.
It is therefore not obligatory in all circumstances to receive consent in order to process personal data. That said, should the processing of personal data be based upon consent, the organisation carrying out the processing must make sure that the consent is:
- Freely given, with the data subject having been informed.
- Used exclusively for the purpose for which the related data was given.
- Obtained via a ‘positive action’; e.g. it is henceforth insufficient to provide a pre-ticked checkbox.
Evidently, the rules concerning consent are set to become more onerous on the processing party following the introduction of the GDPR. It is worth noting however that there are indeed legitimate reasons for the processing of an individual’s personal data besides consent.
Do all data subjects have the right to be forgotten at all times?
As you may have already heard, under the provisions of the GDPR data subjects have a right to be forgotten, and any EU citizen can ask that the personal data of theirs that you hold and process be deleted. This is not an absolute right, however, and a business (subject to certain circumstances) may not always be obliged to comply with such a request. Following receipt of a request to be forgotten from the data subject, you have to examine the data being held and verify whether or not there is any legitimate legal reason for your business to continue processing it. An obvious example of such a reason is where the data is still required for use in an ongoing legal dispute. Should there be a valid legal reason for continuing to process the data, your business may reject the request.
Does a Data Protection Impact Assessment have to be performed at all times?
Risks associated with the processing of sensitive personal data should be evaluated by means of a “Data Protection Impact Assessment”, or DPIA. Examples of sensitive data include health details or information about the data subject’s sexuality. The DPIA is used as one part of the risk identification process, and is only obligatory when employed for that purpose. Any identified risk then has to be mitigated. In circumstances where no obvious mitigation is available, a business should refer to the Data Protection Authority (DPA) for advice prior to any processing of the data. It is anticipated that such situations will, however, be quite rare.
From the date on which the GDPR comes into effect (the 25th of May 2018), businesses involved in processing large quantities of personal data belonging to citizens of EU member states must comply with it. National authorities will retain some autonomy when it comes to the fixing of fines for non-compliance; however, it is anticipated that there will be constant dialogue among authorities so as to work towards a level of consistency. The highest possible fine has been fixed at €20 million, or 4% of the offending company’s annual turnover, whichever is greater. It seems improbable that such a level of fine will ever be imposed, however.
Irrespective of the size of the fine, your business needs to start complying with the new Regulation from its introduction. Non-compliance is not simply damaging financially with regard to the fines it may attract; it might also damage your company’s name. Damage to reputation often leads to a loss of custom and, as a consequence, a decline in revenue.
The FAQs covered in this article will hopefully have been helpful to you in gaining a clearer picture of the General Data Protection Regulation and its impact upon your business. You must understand the fine print of the GDPR, and make sure that your employees are also aware of what is expected of them. GDPR compliance is a team effort. It requires staff members at all levels to play their part.