GDPR: Need to know
The who, what, why and when of the new legislation
Who does it apply to?
Any organisation, not only companies, that processes the personal data of individuals in the European Union, whether or not the organisation itself is established in the EU. Organisations based outside the EU are caught when they offer goods or services to people in the EU or monitor their behaviour.
What about Brexit?
The UK government has made it clear that GDPR will still apply to the UK regardless of Brexit.
What counts as personal data?
Any information relating to a ‘data subject’ that can be used to identify that person, directly or indirectly. It could be a name, an email address, bank details, medical information, an IP address, a location record or an online identifier such as a cookie ID.
What are the penalties for non-compliance?
Fines are tiered. For the most serious infringements, such as breaching the basic principles for processing or data subjects’ rights, organisations can be fined up to €20m or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater. A lower tier, up to €10m or 2% of turnover, applies to infringements such as failing to keep records, failing to notify a breach or failing to carry out a required impact assessment.
What’s the difference between a data controller and a data processor?
A data controller controls how data is used and what it will be used for. A processor processes personal data on behalf of the controller. Both can be liable in case of non-compliance.
What new rights do data subjects have?
There’s a range. The right of access means individuals can obtain confirmation that their data is being processed, a copy of that data and information about why and how it is processed. The right to erasure, often called the right to be forgotten, means people can ask a data controller to delete the data it holds on them in certain circumstances, for example when the data is no longer needed for the purpose it was collected for; it is not an absolute right. Other rights include rectification, restriction of processing, data portability and the right to object. Requests must generally be answered within one month, extendable by a further two months for complex or numerous requests, and the individual must be told about any extension within the first month.
What is privacy by design?
This concept, written into the legislation as ‘data protection by design and by default’, means building appropriate technical and organisational safeguards into systems from the outset, rather than bolting them on afterwards. Closely related is the data minimisation principle: controllers should collect and process only the personal data that is adequate, relevant and necessary for the stated purpose, and by default should not make personal data accessible to more people than the purpose requires.
What if there’s a breach?
Under the GDPR, a controller must notify the supervisory authority (in the UK, the ICO) of a personal data breach where it is likely to result in a risk to the rights and freedoms of individuals. Notification must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if it is late, the reasons for the delay must be given. Where the breach is likely to result in a high risk to individuals, the affected people must also be told without undue delay. A processor that suffers a breach must inform its controller without undue delay. Every breach, whether or not it is reported, must be documented, including its effects and the remedial action taken, so that the supervisory authority can verify compliance.