How can organizations comply with GDPR?

They typically appoint a Data Protection Officer (DPO), implement robust data protection measures, conduct risk assessments, document personal data flows, and regularly evaluate compliance. GDPR emphasizes privacy by design, minimizing data collection to only what’s strictly necessary.

What is a data breach under GDPR?

A data breach is any unauthorized or accidental event where personal data is accessed, altered, lost, disclosed, or destroyed. Organizations must report serious breaches to the supervisory authority within 72 hours and notify affected individuals if there’s a high risk.

How does GDPR handle international data transfers?

Data can be transferred outside the EU if the destination country provides an ‘adequate’ level of protection, or via standard contractual clauses, binding corporate rules, or explicit consent. Organizations must ensure personal data remains protected wherever it’s sent.

When does GDPR not apply?

It doesn’t apply to purely personal or household activities, law enforcement tasks, national security matters, truly anonymous data, or data relating to deceased individuals. Organizations can also process data without consent if mandated by law or in emergencies.

GDPR FAQ | Your Guide to EU Data Protection Compliance

Q: What is GDPR and why should you care?

The General Data Protection Regulation (GDPR) is Europe’s data privacy framework that ensures organizations handle personal data responsibly, transparently, and securely. It impacts companies worldwide if they process data belonging to EU citizens.

Q: Who does GDPR apply to?

GDPR applies to any organization processing personal data of EU citizens or residents, regardless of where the organization is located. This includes businesses physically located outside the EU if they offer goods or services to EU citizens.

Q: What are the consequences for non-compliance with GDPR?

Fines can reach up to €20 million or 4% of global revenue, whichever is higher. Additional penalties include orders to halt data processing, public warnings, possible loss of certifications, and compensation claims from individuals.

Q: What is the role of a Data Protection Officer (DPO)?

A DPO monitors GDPR compliance within an organization, advises on data protection issues, and liaises with supervisory authorities. They ensure data handling practices meet GDPR requirements and maintain appropriate records of processing activities.

Q: What information does GDPR protect?

GDPR covers any personal data that can identify an individual—names, addresses, online identifiers, IP addresses, and more. Certain categories like health data, biometric data, and religious or political beliefs receive extra protection as ‘sensitive data.’

Q: What are Data Controllers and Data Processors under GDPR?

A Data Controller decides why and how personal data is processed, bearing primary responsibility for compliance. A Data Processor acts on the controller’s behalf, following their instructions, implementing security measures, and not using data for its own purposes.

What is GDPR and Why Should You Care?

The General Data Protection Regulation (GDPR) is Europe's comprehensive digital privacy framework designed to safeguard your personal information in today's interconnected world. It ensures that organisations handle your data responsibly, transparently, and securely. Even if you're not based in Europe, these rules might still protect you when interacting with European companies or services. The GDPR has set a new standard for data protection globally, influencing privacy laws beyond the EU.

Your Rights Under GDPR

Core Rights

1. Right to Be Informed:

Know who has your data.
Understand how it's used.
Know who it's shared with.

2. Right to Access:

Get copies of your data.
Know how it's being used.
Receive this for free.

3. Right to Rectification:

Correct wrong information.
Update incomplete data.
Ensure accuracy.

4. Right to Erasure:

Request data deletion.
"Right to be forgotten."
Remove online data.

5. Right to Restrict Processing:

Limit how data is used.
Temporarily stop processing.
Keep but not use data.

6. Right to Data Portability:

Get your data in a usable format.
Transfer to another service.
Reuse your data elsewhere.

7. Right to Object:

Stop direct marketing.
Object to certain uses.
Challenge automated decisions.

8. Rights in Relation to Automated Decision Making and Profiling

Challenge decisions made solely by automated processes.
Request human intervention in profiling.

9. Right to Withdraw Consent

Revoke consent at any time.

Who does GDPR apply to?

GDPR applies to any organisation that processes personal data of EU citizens, regardless of where the organisation is located.

Is GDPR only for EU citizen data?

No, GDPR applies to all personal data of EU citizens, regardless of where the data is processed or where the organisation is located.

What are the consequences for non-compliance with GDPR?

Organisation can face:

Fines Up to €20 Million or 4% of Global Revenue: Significant financial penalties for non-compliance.‍
Orders to Stop Processing Data: Injunctions to halt data processing activities.‍
Public Warnings: Public announcements of non-compliance.‍
Loss of Certification: Revocation of data protection certifications.‍
Compensation Claims from Individuals: Potential lawsuits from affected individuals.

How can organisations comply with GDPR?

Organisations in most cases must appoint a Data Protection Officer, implement appropriate technical and organisational measures to protect personal data, and conduct regular data protection impact assessments.

What is the role of a Data Protection Officer (DPO)?

A DPO is responsible for monitoring compliance with GDPR within an organisation and providing advice and guidance on data protection issues.

What information does GDPR protect?

GDPR applies to personal data, which is any information relating to an identified or identifiable individual referred to as PII (Personably Identifiable Information).

‍Personal Information:

Basic Details: Name, address, email, and other contact information.
‍ID Numbers: Passport numbers, social security numbers, and other unique identifiers.
‍Location Data: Information about your physical location, such as GPS data.
‍Online Identifiers: IP addresses, cookie data, and other digital footprints.
‍Photos and Videos: Visual content that could identify you.
‍Email and Social Media Content: Communications and posts on social media platform

Sensitive Information (Extra Protected)

Some types of information receive special protection due to their sensitive nature:

Health and Medical Information: Data related to your health status, medical history, or genetic predispositions.
‍Genetic Data: Information derived from genetic testing or analysis.
‍Biometric Data: Fingerprints, facial recognition data, and other unique biological identifiers.‍
Racial or Ethnic Origin: Information about your racial or ethnic background.‍
Political Opinions: Your political beliefs or affiliations.‍
Religious or Philosophical Beliefs: Information about your religious or philosophical convictions.‍
Sexual Orientation: Your sexual orientation or gender identity.‍
Trade Union Membership: Information about your membership in trade unions or similar organisations.

Understanding Data Breaches

What is a Data Breach?

A data breach occurs when your personal information is:

Accidentally Lost: Misplaced or deleted without proper backup.‍
Stolen: Unauthorised access or theft of data.‍
Accessed by Unauthorised People: Breach of security allowing unauthorised individuals toview or manipulate data.‍
Altered Without Permission: Unauthorised changes to your data.‍
Disclosed Accidentally: Inadvertent release of data to unauthorised parties.‍
Made Public Without Authorization: Unauthorised publication or exposure of data.

What Organisations Must Do

When a breach happens, organisations must:

‍Report Serious Breaches Within 72 Hours: Notify the relevant data protection authority promptly.‍
Tell Affected People Without Undue Delay: Inform individuals whose data has been compromised if there is a high risk to their rights and freedoms.‍
Document All Breaches: Keep records of all breaches, even minor ones, for future reference and compliance.‍
Take Steps to Minimise Harm: Implement measures to reduce the impact of the breach.‍
Fix the Security Problem: Address the vulnerability that led to the breach to prevent future occurrences.

What You Should Expect

If your data is breached:

Clear Communication: Receive clear information about what happened and what data was affected.‍
Understanding of Possible Risks: Be informed about potential risks and consequences.‍
Steps to Protect Yourself: Receive guidance on actions you can take to protect yourself.‍
Details About What the Organization is Doing to Help: Understand the measures the organisation is taking to assist affected individuals.

International Data Transfers

Sending Data Outside Europe

GDPR has strict rules about transferring personal data outside the EU:

Safe Countries: Data can flow freely to countries deemed "adequate" by the EU, meaning they provide a similar level of data protection.‍
Other Countries: Transfers to countries not deemed adequate require special safeguards, such as standard contractual clauses or binding corporate rules. In some cases, specific consent from the data subject may be necessary
‍Common Examples: Using cloud services, online shopping from international stores, social media platforms, and international business operations.

When GDPR Does not apply

Exceptions to Know About

GDPR does not cover:

Personal or Household Activities: Data processing for personal or household purposes.
‍Law Enforcement Activities: Data processing for law enforcement purposes.‍
National Security Matters: Data processing related to national security.‍
Anonymous Data: Data that cannot identify an individual.‍
Deceased Persons' Data: Data concerning deceased individuals.

Special Circumstances

Organisations can process data without consent in certain situations:

Required by Law: When processing is mandated by law.‍
Necessary to Protect Someone's Life: In emergencies where processing is necessary to protect someone's life.‍
Needed for Public Health Emergencies: During public health crises where processing is required.‍
Required for Legal Claims: When processing is necessary for legal claims.‍
In the Public Interest: When processing is in the public interest.

Understanding Consent

What Makes Consent Valid?

Consent must be:

Freely Given: Without coercion or pressure.‍
Specific: Clearly stating the purpose of data processing.‍
Informed: Ensuring the individual understands what they are consenting to.‍
Unambiguous: Clear action required to indicate consent.‍
Easy to Withdraw: Consent can be withdrawn at any time without penalty.

Types of Consent

Organisations can process data without consent in certain situations:

1. Express Consent:

Ticking a box.
Signing a form.
Clicking 'agree' (when properly designed).
Written confirmation.‍

2. Special Categories:

Explicit consent needed for sensitive data.
Clear statement of agreement.
Specific purpose stated.
Extra documentation required.

Managing Consent

You can:

Withdraw Consent at Any Time: Revoke consent without penalty‍
Get Confirmation of What You've Consented To: Receive confirmation of your consent.‍
Choose Which Things to Consent To: Select specific purposes for data use.‍
Change Your Mind Without Penalty: Modify or withdraw consent as needed.

Legitimate Interests

When Consent Isn't Needed

Organisations can use data without consent if:

They Have a Legitimate Reason: The organisation has a valid interest in processing the data.‍
They've Assessed the Impact on You: The organisation has evaluated the potential impact on the individual.‍
Your Rights Don't Override Their Interests: The organisation's interests are not overridden by the individual's rights.

Common Examples:

‍Fraud prevention.
Network security.
Employee data management.
Direct marketing (with opt-out).
Client relationship management.

Industry-Specific Applications

Healthcare

Special considerations for healthcare include:

Medical Records: Protecting sensitive health information.‍
Health Research: Ensuring data used in research is anonymised or consented.‍
Insurance Data: Handling health insurance claims securely.‍
Genetic Information: Protecting genetic data with extra care.‍
Clinical Trials: Ensuring participant data is secure and anonymise.

Financial Services

Banks and financial institutions must:

Protect Transaction Data: Secure financial transactions and records.‍
Secure Financial Records: Safeguard account information and financial history.‍
Handle Credit Information Carefully: Protect credit scores and reports.‍
Manage Investment Details: Secure investment data and portfolios.‍
Protect Payment Information: Safeguard payment card details and online transactions.

Education

Educational institutions need to:

Protect Student Records: Secure academic records and personal data of students.‍
Handle Academic Data: Manage grades, attendance, and other educational information securely.‍
Manage Parent/Guardian Information: Protect contact and personal data of parents or guardians.‍
Secure Special Needs Data: Handle sensitive information about students with special needs.‍
Control Access to Educational History: Limit access to educational records.

Online Services

Digital businesses must:

Handle User Profiles Properly: Secure user account information and settings.‍
Protect Browsing Data: Safeguard browsing history and online activities.‍
Manage Cookie Consent: Obtain consent for cookies and track user preferences.‍
Secure Payment Details: Protect payment information and transaction data.‍
Protect Communication Data: Secure emails, chats, and other forms of communication.

What are the rights of individuals under GDPR?

Individuals have the right to access their personal data, the right to have their personal data erased, the right to object to the processing of their personal data, and the right to have their personal data corrected.

Data Processors and Controllers

What are Data Controllers and Data Processors?

Under GDPR, the data controller determines the purposes for which and the means by which personal data is processed.

So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within your organisation do so to fulfil your tasks as data controller.

If your organisation does not determine the 'why' or 'how' of the data processing, it is not a data controller but a data processor.

GDPR defines a data processor as an organisation that processes personal data on behalf of another organisation. A typical activity of processors is for example to offer IT solutions, including cloud storage.

A processor cannot pass the data on to another organisation. It must retain and control it in respect of the GDPR data controller, i.e. the organisation that controls and specifies the use, access, retention and processing of said data.

Also an organisation can be a data processor, a data controller or both.

Understanding the Roles

Data Controllers:

Decide why and how to use your data.
Set the purposes for data use.
Choose the methods of processing.
Bear primary responsibility for compliance.

Data Processors:

Handle data for controllers.
Follow strict instructions.
Must keep data secure.
Cannot make independent decisions about data processing.

Examples in Daily Life:

Your employer (controller) using a payroll service (processor).
An online shop (controller) using a delivery company (processor).
A doctor's office (controller) using cloud storage (processor).

Are public agencies covered under the GDPR?

If the country has adopted GDPR with no changes, Public agencies are also required to meet the GDPR requirements on data compliance. However it should be noted that country specific variations may allow exemptions to be applied for certain public bodies and for certain information gathering activities, such as the police, or intelligence agencies.

How does GDPR relate to other data protection laws?

GDPR replaced the 1995 EU Data Protection Directive.

European Union GDPR ‍

European Union GDPR
‍