GDPR - Your questions and answers

11 Sep

GDPR – Your questions and answers

The ICO Commissioner Elizabeth Denham stated "make no mistake - The General Data Protection Regulation is a game changer for everyone". However, with less than a year remaining to prepare, the GDPR is still not on many boardroom agendas. With fines of up to 20M Euros or 4% of global turnover and potential reputational damage, what is the sector missing?

As a business, here are some questions you should be asking….

Will it affect me?

The GDPR applies to all organisations in the EU but it also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.  It applies to all companies processing and holding personal data of data subjects residing in the European Union, regardless of the company’s location.

What constitutes personal data?:

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly to identify the person.  It can be anything from a name, a photo or an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Do data processors need explicit or unambiguous data subject consent; and what is the difference?

Companies will no longer be able to utilise long illegible terms and conditions full of legalese to cover consent from data subjects, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.  Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. Consent must be easy to withdraw as to give it.

Explicit consent is only required for processing sensitive personal data.

How does the GDPR affect policy surrounding data breaches?

Organisations must notify the supervisory authority within 72 hours of discovering a security breach and to affected individuals without undue delay.

What about Data Subjects under the age of 16?

Parental consent will be required to process the personal data of children under the age of 16 for online services, member states may legislate for a lower age of consent but this will not be below the age of 13.

Personal data, what can be improved?

·    Know what data you have, and why you have it

·    The formats in which data is provided should be interoperable. This is to avoid a situation where users would be tied to possibly expensive proprietary viewer programmes for the data they obtained

·    Treat data as an asset and know who is responsible for each type of data you control

·    Controllers should not continue to store data that are no longer needed just for the purpose of being able to comply with a possible future porting request.

If you haven't started your preparations yet, start today as 23rd May is fast approaching!


Taken from