Understanding the GDPR, and interactions with PECR and the Data Protection Act, can be complex. Here are some of our most common GDPR FAQs. Please do get in touch if your question is not answered below.
The General Data Protection Regulation (the GDPR) and the Data Protection Act 2018 (DPA 2018) are law. They became enforceable on 25 May 2018.
The GDPR applies to how organisations in the EU process personal information. It also applies to how organisations outside the EU process personal information, for example if they offer goods or services to people in the EU or monitor the behaviour of people in the EU. This includes companies outside the EU that profile or carry out online tracking of individuals in the EU.
The Data Protection Act 2018 needs to be read alongside the GDPR. It covers matters not covered under GDPR, such as exemptions and enforcement. It came into force at the same time as the GDPR.
The short answer is no. At the end of the transition period, the UK will introduce the UK GDPR. This largely mirrors the main provisions of the GDPR. This is to ensure that the strict standards imposed by the GDPR will be maintained. Learn more about the impact of Brexit on our blog.
The Information Commissioner’s Office (ICO) regulates data protection compliance. If they receive a complaint about your organisation, they will carry out an investigation. This may result in you taking action to rectify any areas of concern. They may also impose a hefty penalty. The ICO may also publish information about your failings on their website which could damage your reputation.
If you are unsure if your organisation is compliant, make use of our free online audit tool. The answers you provide to the questions will be used to generate a report for you. This will highlight areas needing attention.
The ICO require all staff processing personal data to have data protection training. This ensures they are clear about their responsibilities, and understand what they can and cannot do when processing personal information. Annual refresher training should also be carried out.
All organisations which process personal data need to register with the ICO and pay a fee. However, there are exemptions. An easy way to find out whether or not your organisation is exempt is to visit the ICO website and use their online self-assessment tool https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
Under the GDPR it is a legal requirement for certain organisations to appoint a Data Protection Officer (DPO). This includes public bodies and organisations whose core activities involve:
- the regular and systematic monitoring of individuals on a large scale or
- the processing of personal data relating to criminal convictions and offences, or
- the processing of special category data on a large scale
An easy way to find out whether your organisation needs to appoint a DPO is to visit the ICO website and use their online self-assessment tool https://ico.org.uk/for-organisations/does-my-organisation-need-a-data-protection-officer-dpo/
Under the GDPR individuals have numerous rights. One of these is the right of access, also known as a Subject Access Request (SAR). This means that an individual has the right to contact an organisation and request a copy of all the personal data it holds about them. The request must be processed within one month and is free of charge. In some circumstances, responding to SARs can be straightforward. However, depending on the volume and type of data, SARs can also be time consuming and complex, as there are strict rules which must be adhered to.
A Data Protection Impact Assessment (DPIA) is a formal procedure. It must be followed when an organisation is planning a new project which is likely to result in a high risk to individuals. This includes when an organisation is proposing changes to the way in which it processes personal data, or introduces new systems for processing personal data. For example, introducing the use of CCTV, profiling, or fingerprint recognition.
An individual could be prosecuted and fined under the DPA 2018 if they unlawfully process personal data. For example, if a member of staff unlawfully obtains, discloses, sells or offers to sell personal information they could face criminal charges.
The PECR set out the law in relation to marketing by email, text, telephone and fax. The definition of consent under the PECR is the same as under the GDPR. This is important if your organisation is relying on consent in order to send out marketing material.
Under the GDPR, there is a two-tier system for fines. The maximum penalty under the first tier is €10 million or 2% of global turnover, whichever is greater. The maximum penalty under the second tier is €20 million or 4% of global turnover, whichever is greater.
Which tier will be used?
Whether the first tier or the second tier is used depends on the type of breach. The first tier is used when organisations do not adhere to certain responsibilities under the GDPR, including (amongst other things) failing to:
- implement appropriate security measures to safeguard personal data
- introduce data protection policies and procedures
- enter into GDPR-compliant contracts
- appoint a Data Protection Officer (if required)
- carry out Data Protection Impact Assessments (if required)
- report a personal data breach (if required)
The second tier is used for more serious breaches such as not:
- complying with the Data Protection Principles
- having a legal basis for processing personal information
- obtaining valid consent
- responding appropriately when an individual wishes to exercise their rights under the GDPR
Transferring personal data outside the EU without adequate safeguards in place also falls under the second tier.