General Data Protection Regulation (GDPR)
FAQs about GDPR
Does GDPR still exist after Brexit?
Yes. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
What is the GDPR?
The EU’s General Data Protection Regulation (GDPR) brings data protection legislation into line with new, previously unforeseen ways in which data is now used. The UK relies on the Data Protection Act 2018 to implement this legislation. GDPR introduces tougher fines for non-compliance and breaches, and gives people more say over what organisations can do with their data.
Why was the GDPR created?
The reasoning behind GDPR is twofold. Firstly, to give people more control over how their personal data is used; the previous legislation was enacted before the internet was in wide use and before platforms like Facebook discovered the value of their users’ personal data. Secondly, it gives organisations a simpler, clearer legal environment in which to operate.
Who does the GDPR apply to?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller determines how and why personal data is processed, while a processor is the party doing the actual processing of the data. The data controller can be any organisation, from a private company to a government department or a charity. A processor could be the same organisation or a third party doing the actual data processing on its behalf, e.g. an IT firm or an event booking site.
What is personal data?
Information about people is classified as either Personal Data or Sensitive Personal Data.
- Personal Data is a piece or a combination of stored information that relates to a person (the Data Subject) and could identify them. This could be the person’s name and/or address, for example.
- Sensitive Personal Data is more private information, for example data related to:
  - Physical or mental health
  - Ethnic group
  - Political opinions
  - Religious or philosophical beliefs
  - Sexual orientation
How do I obtain consent under the GDPR?
Consent must be an active, affirmative action by an individual user, for example an opt-in box to tick. A passive acceptance, for example pre-ticked boxes or opt-outs, is not permitted. Controllers must keep a record of how and when an individual gave consent. Individuals may withdraw their consent whenever they want.
Consent is one possible lawful basis for processing data but it is not the only one.
When can people access the data an organisation holds about them?
People have the right to access any information an organisation holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. People can ask for access at “reasonable intervals”, and controllers must generally respond within one month. GDPR requires that controllers and processors must be transparent about how they collect data, what they do with it, and how they process it; and they must be clear in explaining these things to people.
What’s the right to be forgotten?
Individuals also have the right to request that their data is deleted if it’s no longer necessary for the purpose for which it was collected. This is known as the ‘right to be forgotten’. Under this rule, they can also request that their data is erased if they have withdrawn their consent for their data to be collected, or if they object to the way it is being processed.
What happens if your organisation suffers a data breach?
If your organisation suffers a data breach, it’s your organisation’s responsibility to inform the Information Commissioner’s Office (ICO) of any data breach that risks people’s rights and freedoms, within 72 hours of your organisation becoming aware of it. However, even before contacting the ICO, you should tell the people affected by the data breach.
The deadline is tight and means that you probably won’t know every detail of a breach so soon after discovering it. However, your initial contact with the ICO should outline the nature of the data affected, roughly how many people are affected and what the consequences could be for them. You should also inform the ICO of the measures you’ve already taken and the actions you intend to take.
IMPORTANT!
Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their annual worldwide revenue, or 10 million Euros, whichever is higher.
If you don’t follow the basic principles for processing data, such as having a legal basis for doing so, or if you ignore individuals’ rights over their data, you risk facing even higher fines of up to 20 million Euros or 4% of your annual turnover, whichever is greater. However, it’s important to note that fines must remain “proportionate” to the breach. If you can demonstrate that you worked hard to ensure your organisation is compliant with GDPR, the ICO is unlikely to issue such high fines.
Do organisations need a data protection officer?
Any public body carrying out data processing needs to employ a data protection officer, as do organisations whose core activities involve data processing that requires them to regularly monitor individuals “on a large scale”. The data protection officer’s job is to inform and advise the organisation about meeting GDPR requirements, as well as monitoring compliance. They’ll also act as the ICO’s primary point of contact and will be expected to cooperate with the authority.
Smaller organisations, including small charities and community groups, can have a Data Protection Advisor instead of employing a Data Protection Officer.
What is a data breach?
A data breach is a breach of security leading to ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’.
You will need to have the right procedures in place to detect, investigate and report a personal data breach. GDPR introduces a duty to report certain types of data breaches to the ICO and in some cases to individuals concerned.
You need to be able to demonstrate you have appropriate technical and organisational measures in place to protect against a data breach.
Are there any practical tips to help compliance?
Privacy by design
- Privacy by design means building data protection into all your new projects and services. It has always been good practice, but GDPR makes privacy by design an express legal requirement. To achieve this, data protection impact assessments should be undertaken where new technology is being deployed, where profiling may significantly affect individuals, or where sensitive categories of data will be processed on a large scale.
- Clarify who will be responsible for carrying out impact assessments, when you will use them and how you will record them.
- The Information Commissioner’s Office (ICO) has guidance on privacy by design and data protection impact assessments.
Build in extra protection for children
- Many charities support children and young people and GDPR brings in special protection for children’s personal data.
- GDPR says that children under 16 cannot give consent so you may have to seek consent from a parent or guardian.
- You will need to be able to verify that a person giving consent on behalf of a child is allowed to do so and any privacy statements will need to be written in a language that children can understand.
Review how you get consent to use personal data
- If you rely on consent as your lawful basis for processing personal data, then you need to regularly review how you seek and manage consent. Under GDPR consent must be freely given, specific and easily withdrawn. You can’t rely on pre-ticked boxes, silence or inactivity to gain consent; instead, people must positively opt-in.
Check your processes meet individuals’ rights
- GDPR gives people more rights over their data. For example, GDPR gives someone the right to request to have their personal data deleted.
- Ensure you are able to easily find the relevant data and know who would be responsible for making sure that happens.
Identify and document your ‘lawful basis’ for processing data
- To legally process data under GDPR you must have a ‘lawful basis’ to do so.
- For example it is a lawful basis to process personal data to deliver a contract you have with an individual.
- There are a number of different criteria that give you a lawful basis to process. Crucially, different lawful bases give different rights to individuals.
- For example, if you rely on consent as a lawful basis, individuals have stronger rights to have their data deleted.
- The Information Commissioner’s Office guide to lawful basis can be viewed at: A guide to lawful basis | ICO
Update your privacy notices
- You must always tell people in a concise, easy to understand way how you intend to use their data.
- Privacy notices are the most common way to do this.
- You may already have privacy notices on your website for example, but they need to be kept up to date.
- Under GDPR privacy notices must give additional information such as how long you will keep data for and what lawful basis you have to process data.
Where can I find further information?
The Information Commissioner’s Office has a guide for small organisations: Advice for small organisations | ICO
How can I contact the Information Commissioner’s Office?
- ICO helpline: 0303 123 1113
- ICO website: https://ico.org.uk/