GDPR FAQs for employees and employers: 50 most common questions

GDPR FAQ
GDPR stands for General Data Protection Regulation. It is a European Union privacy law that came into effect on 25 May 2018.

The General Data Protection Regulation (GDPR) is a legal framework that sets out rules for the collection and processing of personal data of individuals in the European Union (EU) or the UK. It strengthens the rights of those individuals by giving them more transparency about, and control over, their personal data.

GDPR compliance means meeting the obligations the regulation places on businesses that store or process the personal data of people in the EU. For non-compliance, the EU's data protection authorities can issue fines of up to €20 million ($24.1 million) or 4% of annual global turnover, whichever is higher.

The GDPR was introduced to protect personal data and strengthen the privacy rights of individuals in the EU. It gives people control over their data and requires transparency from the organisations that process it.

A GDPR-compliant entity is one that implements the regulation's data protection requirements and, under the accountability principle, takes responsibility for what it does with personal data and can demonstrate how it complies with the GDPR principles.

The GDPR applies to any business that:

  1. Processes personal data while offering goods and services in the EU (whether paid or for free), or
  2. Monitors the behaviour of people in the EU

The following nine-step checklist can be considered to achieve and maintain GDPR compliance:

  1. Get leadership support and establish accountability
  2. Identify the scope of data processing 
  3. Conduct data mapping exercise 
  4. Undertake a data protection impact assessment (DPIA) and technical security testing, such as GDPR-focused penetration testing
  5. Develop operational policies, procedures and processes
  6. Secure personal data through procedural and technical measures
  7. Ensure employees are trained and competent
  8. Check that your procedures accommodate the rights of individuals
  9. Monitor and audit compliance

Data protected by the GDPR falls into two categories:

  1. Personal data: any information relating to an identified or identifiable natural person, for example name, contact details, address, social security number, driver's licence, employment information, email address, IP address etc.
  2. Special category data: personal data that needs more protection because it is sensitive, for example racial or ethnic origin, political opinions, genetic data, health data etc.

Data subjects have eight rights under the GDPR:

  1. Right to be informed
  2. Right of access
  3. Right of rectification
  4. Right to erasure (also known as the right to be forgotten)
  5. Right to restrict processing
  6. Right to object
  7. Right to data portability
  8. Rights in relation to automated decision making and profiling

Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

The GDPR sets out seven principles for the lawful processing of personal data. These principles are:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

A US company is subject to the GDPR when it processes the personal data of people in the EU, but only if that processing serves one of two purposes:

  1. Offering goods or services
  2. Monitoring a data subject’s behaviour as it occurs within the European Union

A US company should expect to be held to the GDPR if any of the following apply:

  1. It processes the data of people in the EU regularly.
  2. The rights and freedoms of those data subjects may be at risk.
  3. It processes special category data, such as health status, racial or ethnic origin, sexual orientation or religious beliefs.
  4. It targets people in the EU with its marketing.

Personal data under the GDPR is information relating to natural persons:

  1. who can be identified, or who are identifiable, directly from the information in question; or
  2. who can be indirectly identified from that information in combination with other information.

Personal data may also include special categories of personal data or criminal conviction and offences data.

GDPR fields (on sign-up forms and in contact databases) let you collect, store and track consent from your contacts while recording the name of the field and the exact consent text that was shown. Using these fields on your forms helps your organisation demonstrate that consent was given, which the GDPR requires.

Being GDPR compliant means a company meets the data privacy requirements and applies the accountability principle: it takes ownership of what it does with personal data and of how it complies with the GDPR principles.

The GDPR was adopted by the European Parliament in April 2016 and entered into force in May 2016. It became applicable on 25 May 2018, from which date all organisations that process the personal data of people in the EU must comply.

The GDPR protects the personal data of natural persons regardless of their citizenship or residence status, as long as they are in the EU when they are offered goods or services or their behaviour there is monitored.

GDPR compliance means a business follows all the guidelines and obligations the GDPR places on its data processing activities.

The General Data Protection Regulation (GDPR) is one of the most stringent privacy and security laws in the world. Although it was drafted and passed by the European Union (EU), it imposes obligations on organisations anywhere, so long as they target or collect data relating to people in the EU.

With the GDPR, Europe is signalling its firm stance on data privacy and security at a time when more people are entrusting their personal data to cloud services and breaches are a daily occurrence.

The GDPR is a regulation that requires businesses to protect the personal data and privacy of people in the EU for transactions that occur within EU member states. Non-compliance can cost companies hefty fines and penalties.

The GDPR was enacted at EU level, but it is enforced by the supervisory authority of each individual EU member state. Each member state has designated a specific authority to enforce the GDPR.

For EU directives, decisions and regulations, your reference needs to include the legislation name (including the type of legislation and its number), the year, the Official Journal issue and the page numbers.

For example, to cite the GDPR you would write: "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1".

The GDPR regulates the collection and processing of personal data of individuals who live in the European Union (EU) or the UK. It strengthens the rights of EU and UK individuals by giving them more transparency about, and control over, their personal data.

The United Kingdom General Data Protection Regulation (UK GDPR) is essentially the same law as the EU GDPR, changed only to accommodate domestic areas of law. It was drafted from the EU GDPR text and revised to read "United Kingdom" instead of "Union" and "domestic law" rather than "EU law".

Cyphere offers a variety of data privacy services to consult on GDPR Compliance including:

  1. Data Protection Impact Assessments (DPIA)
  2. Assessing vendor risk
  3. Technical GDPR/DPA/Privacy Assessments
  4. Privacy-By-Design and Privacy-By-Default Reviews

You can schedule a call with a member of our team and we can discuss all that is required to comply with GDPR.

The GDPR requires "appropriate technical and organisational measures" to safeguard personal data, and Article 32 names encryption (alongside pseudonymisation) explicitly as one such measure, because it is one of the most effective ways to protect information at rest and in transit. Encryption only delivers that protection if the keys are managed and stored separately from the data they protect; a database dump that ships with its own key is not protected.
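As an added illustration of what "encryption at rest" looks like at the field level, the Go program below (example code written for this page, not code from Cyphere or from any GDPR text) encrypts a single personal-data field with AES-256-GCM from the standard library and binds the ciphertext to its record identifier as associated data. The key comes from an in-memory random generator standing in for a KMS or HSM, and the record ID "subject-1001" and email address are constructed sample data; both are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptField seals one personal-data field (e.g. an email address) at rest
// with AES-256-GCM. The record identifier is passed as associated data so a
// ciphertext copied from one row to another fails to decrypt: the value stays
// bound to the record it belongs to, not merely confidential.
// Stored layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, producing nonce||ciphertext||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField. Any change to the nonce, ciphertext,
// tag or record ID makes Open return an error instead of corrupted plaintext.
func DecryptField(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// NewDataKey generates a fresh 256-bit key. In production the key would come
// from a KMS/HSM, be rotated, and never sit next to the data; a random
// in-memory key is an assumption so that the example runs stand-alone.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record: the kind of row the FAQ calls personal data.
	sealed, err := EncryptField(key, "subject-1001", []byte("alice@example.com"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for subject-1001\n", len(sealed))

	if pt, err := DecryptField(key, "subject-1001", sealed); err == nil {
		fmt.Println("same record decrypts:", string(pt))
	}
	// Move the ciphertext to another subject's row: GCM rejects it.
	if _, err := DecryptField(key, "subject-1002", sealed); err != nil {
		fmt.Println("ciphertext moved to subject-1002 rejected:", err)
	}
	// Flip one byte of the stored value: the tag check fails, nothing leaks.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptField(key, "subject-1001", tampered); err != nil {
		fmt.Println("tampered value rejected:", err)
	}
}
```

The associated data is the part practitioners most often leave out: without it, an attacker with write access to the database can swap encrypted fields between subjects and the application will happily decrypt the wrong person's data without any error.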

The Data Protection Act 2018 (DPA 2018) continues to apply. The provisions of the EU GDPR were incorporated directly into UK law at the end of the Brexit transition period as the UK GDPR, which sits alongside the DPA 2018 with some technical amendments so that it works in a UK-only context.

Cyphere helps you prepare your organisation for the GDPR. The outcome of the initial assessment gives you a clear understanding of what you need to do to become compliant, together with an assessment of the key risks you are exposed to.

To take SMEs into account, the GDPR includes an exemption from the Article 30 record-keeping duty for organisations with fewer than 250 employees. The exemption falls away if the processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or involves special category data or criminal conviction and offence data.

It is also important to note that this does not make the business exempt from all other aspects of the regulation: it must still comply with the rest of the GDPR if it processes personal data.

One of the key principles of the GDPR (storage limitation) is that personal data is kept only for as long as the purpose of the processing requires. You therefore cannot keep the data indefinitely.

There has to be an agreed retention period for all personal data processing, aligned with the lawful basis relied on under the GDPR.

Under the GDPR, appointing a DPO is mandatory under three circumstances:

  1. The organisation is a public authority or body.
  2. The organisation’s core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
  3. The organisation’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.

SMEs (small and medium-sized enterprises) are not exempt from the DPO requirements, should any or all of the above apply to them.

A data controller determines the purposes for which and the means by which personal data is processed.

If your company/organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller.

A data processor processes personal data only on behalf of, and on the instructions of, the controller.

The data processor neither owns nor controls the data it processes.

Under the GDPR, a third party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Supervisory authorities are the public bodies responsible for monitoring the application of the regulation in their own EU member state.

The lawful bases for processing are set out in Article 6 of the GDPR (and of the UK GDPR). At least one of these must apply whenever you process personal data:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

When a personal data breach has occurred, you need to establish how likely it is to pose a risk to people's rights and freedoms. If a risk is likely, you must notify the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if the risk is high, you must also inform the affected individuals. If a risk is unlikely, you do not have to report the breach, but you must still document it in your breach register. Our separate article on breach reporting will help you decide whether or not you need to report a breach.

For especially severe violations, the GDPR allows fines of up to €20 million or, in the case of an undertaking, up to 4% of its total global turnover of the preceding fiscal year, whichever is higher.

For less severe violations, the GDPR sets fines of up to €10 million or, in the case of an undertaking, up to 2% of its total global turnover of the preceding fiscal year, whichever is higher.

A privacy notice is a document that organisations give to individuals to explain how their personal data is processed. It has two aims: to promote transparency and to give individuals more control over the way their data is collected and used.

A company should have all of the following documentation, policies and procedures in place if it wants to be fully GDPR compliant:

  1. Personal Data Protection Policy (Article 24)
  2. Privacy Notice (Articles 12, 13, and 14)
  3. Employee Privacy Notice (Articles 12, 13 and 14)
  4. Data Retention Policy (Articles 5, 13, 17, and 30)
  5. Data Retention Schedule (Article 30)
  6. Data Subject Consent Form (Articles 6, 7, and 9)
  7. Supplier Data Processing Agreement (Articles 28, 32, and 82)
  8. DPIA Register (Article 35)
  9. Data Breach Response and Notification Procedure (Articles 4, 33, and 34)
  10. Data Breach Register (Article 33)
  11. Data Breach Notification Form to the Supervisory Authority (Article 33)
  12. Data Breach Notification Form to Data Subjects (Article 34)
  13. Data Protection Officer Job Description (Articles 37, 38, and 39)
  14. Inventory of Processing Activities (Article 30)
  15. Standard Contractual Clauses for the Transfer of Personal Data to Controllers (Article 46)
  16. Standard Contractual Clauses for the Transfer of Personal Data to Processors (Article 46)

Article 8 (read with Recital 38) treats people under a certain age as children; the threshold is 16 by default, and member states may lower it to no less than 13. A child's consent must meet the GDPR's child consent requirements, including the stipulation that consent is given or authorised by the holder of "parental responsibility".

If your website collects any personal data (including IP addresses), uses cookies, or has contact forms or newsletters, it has to be GDPR compliant.

Article 32(1)(d) requires "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing". For more information, refer to our GDPR pen testing services.

Penetration testing identifies gaps and weaknesses in the controls that your policies and procedures assume are in place, and therefore where your processing may not be GDPR compliant in practice. It is important to ensure that people, process and technology are working proactively and in line with the GDPR.

A GDPR security assessment should be conducted at least once a year and before product or service launches, mergers and acquisitions, or other significant changes to the system (infrastructure refresh, code changes, launches).
