GDPR Explained
Businesses of all sizes need to understand and prepare for the GDPR. This blog is designed to help explain key GDPR facts and the key steps organisations can take to become GDPR compliant.
Popular GDPR FAQs
1. Who does the GDPR apply to?
‘Data Controllers’ and ‘Data Processors’ need to abide by the GDPR if they manage the data of EU citizens.
2. Who does the GDPR affect?
Businesses and organisations within the EU, as well as those outside of the EU that offer goods or services to, or monitor the behaviour of EU individuals/data subjects.
3. What is the difference between a regulation and a directive?
GDPR is a regulation – a binding legislative act. It must be applied in its entirety across the EU. A directive is a legislative act that sets out a goal for achievement.
4. Will the fines really be enforced?
Yes. Each Member State will have individual discretion on criminal sanctions for GDPR infringements.
5. What constitutes personal data?
Any information relating to a natural person or ‘data subject’ that directly or indirectly identifies that person. It can be anything from a name, email address, bank details, medical information, or a computer IP address.
6. What consent must be given to process personal data?
Consent must be provided by an individual/data subject for the processing of their personal data. The request for consent must be in an intelligible and easily accessible form, with the purpose for data processing attached. Inactivity or pre-ticked boxes will no longer constitute consent for the processing of data. Organisations that demonstrate active consent will have a record of how and when this was provided. If an individual removes consent, you must show evidence that you no longer process their related data.
7. How can we show we are accountable?
Many organisations already have measures in place due to the Data Protection Act (DPA). Others must examine and address their current practice to show how they adhere to the GDPR, for example by demonstrating the procedures that are in place to protect the data they hold.
8. Why is a Data Protection Impact Assessment (DPIA) needed?
To reduce a project’s privacy risks. This assessment identifies the risks to address to help mitigate these at an early stage.
9. Do I have to report all personal data breaches?
Yes, it is mandatory to report a personal data breach that may result in a risk to people’s rights and freedoms.
10. What’s the most effective way for my organisation to achieve GDPR compliance?
The most effective way to demonstrate you have taken steps to comply with GDPR is to obtain relevant certifications such as ISO 27001 or the more affordable IASME Governance (Information Assurance for SMEs).
Here to help
Should you have any questions about GDPR facts, we are here to help.
We’ve been an IASME Certification Body since 2016 and have helped many organisations achieve ISO 27001 and IASME Governance (Information Assurance for SMEs) certifications.
Assure Technical keep cyber security simple. Our objective is to provide expertise with a personal touch – no cut corners, no jargon, no waffle, just straight-talking security solutions.