Find out more about our key GDPR topics and courses with our in-depth FAQs.
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the EU regulation adopted in 2016 and applied from 25 May 2018 that governs data protection and privacy for all of the member states, and the individuals within them, of the European Union (and, through the EEA agreement, Iceland, Liechtenstein and Norway).
The UK has since left the EU, but GDPR still applies in practice. At the end of the transition period the EU GDPR was carried over into UK law as the "UK GDPR", which sits alongside the Data Protection Act 2018, and the EU GDPR continues to apply to any UK organisation that offers goods or services to people in the EU or monitors their behaviour. The two regimes are closely aligned, so compliance obligations have changed very little, if at all.
GDPR was introduced to bring data protection law in the European Union up to date with the current digital landscape; its predecessor, the Data Protection Directive (95/46/EC), dated back to 1995. A directive also left room for each member state to implement the rules differently, whereas a regulation applies directly in every member state and so makes data protection compliance more unified.
Consent obtained before GDPR does not automatically have to be re-obtained, but it only remains valid if it already meets the GDPR standard: freely given, specific, informed and unambiguous, given by a clear affirmative action, and recorded. Where existing consents fall short of that standard, the ICO's guidance is to refresh them or rely on a different lawful basis; best practice is therefore to review and, where necessary, re-confirm all consents for holding personal data that were gained before GDPR.
GDPR compliance means managing your usage of personal data in accordance with the regulations contained within GDPR.
The ICO has created GDPR self-assessment checklists to help organisations assess for themselves whether they are compliant with GDPR.
Brexit has now happened, but UK data protection law remains in place: the government carried GDPR over into UK law as the UK GDPR, so very little has changed in terms of compliance. For organisations processing data about people in the EU, the EU GDPR continues to apply as well.
No, information about somebody who is deceased is not covered by GDPR, because the regulation only protects data relating to living individuals and so such information is not classed as personal data. Other laws, such as confidentiality obligations, may still apply to it.
There are no specific limits on how long data should be kept under GDPR; the storage limitation principle requires that it be kept no longer than is necessary for the purpose it was collected for. Organisations are expected to set and document their own retention periods and to justify them.
GDPR did not simply replace the Data Protection Act. The Data Protection Act 2018 replaced the 1998 Act; it supplements GDPR in the UK and also covers areas outside GDPR's scope, including processing by law enforcement and the intelligence services (national security) and certain immigration matters.
The ICO is the Information Commissioner's Office, the UK's independent authority that upholds information rights to protect data privacy for individuals. GDPR is the General Data Protection Regulation, written under EU law to standardise data protection and privacy.
Also known as the right to erasure, it is the right under GDPR for an individual to request that an organisation delete the personal data it holds about them.
Any organisation established in the EU must comply with GDPR, whether the actual processing takes place in the EU or not. An organisation outside the EU must also comply if it offers free or paid goods or services to people in the EU or monitors their behaviour (for example by tracking them online). Merely holding data about someone who happens to live in the EU does not, on its own, bring an organisation into scope.
Data controllers (organisations that determine the purposes and means for which personal data is processed) need to register with the ICO and pay a data protection fee unless they are exempt. The exemptions include organisations that process personal data only for limited core purposes such as staff administration, accounts and records or advertising their own business, some not-for-profit bodies, and members of the House of Lords, elected representatives and prospective representatives.
The best starting point for checking that you are GDPR compliant is the ICO's self-assessment checklists; if needed, contact the ICO for more information and advice afterwards. A Data Protection Impact Assessment (DPIA) is a separate tool: it is required before starting any processing that is likely to result in a high risk to individuals, rather than being a general compliance check.
Once a GDPR data request has been made, organisations have to respond without undue delay and no later than one calendar month from receipt of the request. Where a request is particularly complex, or an individual has made several requests, that period can be extended by a further two months (three months in total), but the individual must be told about the extension, and why it is needed, within the first month.
The main purpose of GDPR is to standardise and update the data protection laws across the European Union, which were previously dated and inconsistent.
The maximum fine under GDPR for the most serious infringements (which include breaches of the data protection principles, of individuals' rights and of the rules on international transfers) is €20m or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater. A lower tier of €10m or 2% applies to other infringements, such as failing to notify a breach or to keep proper records. Under the UK GDPR the equivalent figures are £17.5m or 4% and £8.7m or 2%.
Although it is not an absolute right and only applies in certain circumstances, individuals can make a request to have their personal data erased under GDPR, and organisations need to respond to them within a month.
Some of the rights under GDPR are absolute, like the right to object to your personal data being used for direct marketing, but others, like the right to be forgotten, are not absolute and only apply in certain circumstances.
Any information that can distinguish someone from other people is an identifier, so a name is personal data, particularly when combined with other details such as an address or date of birth.
An email address is an identifier that could be used to identify somebody, so it counts as personal data under GDPR.
PII stands for Personally Identifiable Information, a term used mainly in US law; the GDPR term is "personal data". It includes names, email addresses and any other kind of information an organisation might hold about you that could be used to identify you.
Within organisations, the responsibility for GDPR compliance lies with anyone whose role involves the use of personal data, all the way up to the highest level. A Data Protection Officer must be appointed under GDPR where the organisation is a public authority, where its core activities involve large-scale, regular and systematic monitoring of individuals, or where its core activities involve large-scale processing of special category data or data about criminal convictions and offences; other organisations may appoint one voluntarily.
GDPR protects personal information, which can include names, email addresses, location data, identification numbers, online identifiers and anything that can be used to identify a person.
Individuals whose work involves collecting sensitive (special category) personal data about clients in the EU still need to comply with the regulations, whether they are freelancers or solo practitioners such as therapists or counsellors.
Now that the UK has left the EU, the EU GDPR no longer applies to the UK as a member state, but in practice very little has changed: UK data protection law was already fully aligned with GDPR and remains so through the UK GDPR, and any UK organisation still offering goods or services to, or monitoring, people in the EU has to comply with the EU GDPR as well.
Under GDPR, personal data is anything that could be used to identify a living person, directly or indirectly, including names, IP addresses, email addresses, telephone numbers, etc.
The 7 principles of GDPR are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
There are many changes that came in as part of GDPR, but the key aspects include new penalties of up to 4% of annual turnover (or €20m if that is greater); an increased focus on consent; expanded rights of access for individuals; and the right to be forgotten.
All EU member states (and the EEA countries Iceland, Liechtenstein and Norway) apply GDPR, but it also affects any organisation outside the EU that offers goods or services to, or monitors, people in the EU.
Personally Identifiable Information under GDPR (where it is called personal data) means any information that could be used to identify a person, on its own or in combination with other data, so it could include names, email addresses, online identifiers, etc.
Individuals (data subjects) have the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and also rights related to automated decision-making, including profiling.