With less and less time left to implement the necessary changes, we have put together the 5 most frequently asked GDPR-related questions from our clients to help your business prepare for the effects of the GDPR.
1. Is my business exempt from GDPR provisions?
The GDPR has a broader territorial scope than currently applicable data protection laws and applies to:
Organisations based in the EU that process personal data in connection with their activities. It does not matter where the processing of personal data takes place
Organisations that are based outside of the EU but that offer goods and/or services to EU data subjects or monitor the behaviour of EU data subjects
Data controllers established outside of the EU but based in a place where member state law applies through public international law
“Personal Data” is defined as any information relating to an identified or identifiable natural person (“data subject”)
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
As you can see, the scope of the GDPR is broad enough to capture any business within the UK that processes at least some types of personal data, from names, email addresses and phone numbers to special categories of data, including racial or ethnic origin, political opinions, physical or mental health or conditions and others.
Our usual answer to this question is that most businesses fall within the scope of the GDPR and need to make sure they have the necessary procedures and documents in place in order to show their compliance.
2. What do I need to know about GDPR?
The rules are complex, so please contact us to discuss how we can help your business to be GDPR compliant before the deadline in May.
We are also running a free webinar on 21 March this year from 12.15pm until 1 pm which you are welcome to attend and you will receive a copy of the slides with extensive information on GDPR. Please contact us for more information.
For general GDPR-related information, the ICO website is quite useful, although the bulk of the compliance work consists of having a number of documents drafted to assess and demonstrate your compliance. Such documents are not available from the ICO website, but the lawyers at LawBite will be more than happy to help.
3. Is my company a data controller or a data processor?
It is often the case that businesses are both data controllers and data processors in relation to different categories of personal data.
Data controllers normally make decisions about personal data and determine the means and purposes of the processing of personal data, whereas data processors hold and process personal data on behalf of data controllers (often their customers) and act strictly on the data controllers’ instructions.
With the GDPR coming into force, data processors will have a number of direct obligations, including having appropriate technical and organisational security measures in place, obtaining the data controller's prior authorisation before engaging other companies as sub-processors of personal data, and remaining fully liable to the controller for those sub-processors. Processors may also receive fines and penalties for non-compliance in their own right.
It is a GDPR requirement to have a data processing agreement (or addendum), or at least to add data processing provisions to existing contracts, so that the respective responsibilities of both the controller and the processor are recorded in writing.
Data controllers have extensive obligations under the GDPR and many current documents and processes compliant with the current legislation need to be revised to suit the requirements of the GDPR.
4. What rights do data subjects have under the GDPR?
Data subjects' rights include access to their personal data, rectification, erasure ("right to be forgotten"), restriction of processing, portability, objection to processing and to automated decision-making (including profiling), the right to withdraw consent, the right to lodge a complaint with a local data protection authority, and some other rights.
In terms of access rights, a fee can no longer be charged in most cases, and the information must be supplied without undue delay and at the latest within one month, as opposed to the current 40-day rule.
When personal data is collected from a data subject directly, the data controller must provide the following information:
Its identity and contact details
Details of its data protection officer, if applicable
The purposes of the processing of the personal data collected
The legal basis for the processing
If relying on legitimate interests as a legal basis, identification of such legitimate interests
Any potential transfers outside of the jurisdiction and the legal mechanism used
Data retention periods
Information on automated decision-making, including profiling
The data subject's rights
5. What are the consequences of non-compliance with GDPR provisions?
The consequences of a company not complying with GDPR rules include:
An investigation by the authorities (ICO)
A maximum fine of 10 million Euros or 2% of annual turnover worldwide, whichever is greater, for breaches of (mainly) record keeping, contracting and security clauses
A maximum fine of 20 million Euros or 4% of annual turnover worldwide, whichever is greater, for breaches of (mainly) the basic principles, data subjects' rights (including access requests), transfers to third countries and non-compliance with an ICO order
Management time for cooperating with the authorities
Damage to reputation
We hope that you have found this information useful. Please get in touch if you need any help with understanding the GDPR requirements and putting the necessary documentation in place to help your organisation become GDPR compliant. To discuss your GDPR needs with Alla, please submit an enquiry for a free 15-minute consultation or call our friendly team today on 020 7148 1066.