When does GDPR come into effect?
May 25, 2018
My company is small do I have to comply with GDPR?
Probably yes! You may have heard that the GDPR has an exemption for companies with fewer than 250 employees, BUT there is a caveat! The GDPR still applies to businesses under 250 employees if that small company carries out processing that is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.
Does GDPR only apply to EU companies?
No! The GDPR is far reaching in territorial scope and, in addition to companies established in the EU, companies with no presence in the EU are still subject to the Regulation if they process personal data in connection with offering goods and services to individuals in the EU or if they monitor, including online tracking, behavior in the EU.
Does Brexit mean GDPR won’t apply to the UK?
Until the UK’s formal exit from the EU, the GDPR applies. After a formal exit, the UK will have to implement its own law, and the UK government has indicated that it will implement a GDPR equivalent.
Does the GDPR apply to anonymized data?
No. The Regulation does not apply to data that “does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable.”
What fines can be assessed under GDPR?
The Regulation details what administrative fines can be incurred for violating articles of the GDPR. The maximum fines depend on the “category” of the violation: for less serious violations the maximum fine is €10 million or 2% of total annual global turnover of the preceding year (whichever is higher); for more serious violations the maximum fine goes up to €20 million or 4% of total annual global turnover (whichever is higher).
What is personal data?
Personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
What is sensitive data?
Sensitive personal data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; data concerning health or sex life and sexual orientation; and genetic data or biometric data.
Are sensitive data and special categories of data different?
No, these two labels are used interchangeably and describe the same type of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
What is the difference between a data controller and a data processor?
A controller determines the purposes and means of the processing of personal data. A processor processes personal data on behalf of the controller.
What is the difference between a regulation and a directive?
A regulation is binding law that applies directly to all EU member countries automatically. A directive sets out a legislative goal that all EU member countries must achieve through their own national legislation. The GDPR is a regulation and it replaces a directive.
My company has self-certified to the EU-US Privacy Shield Framework; are we GDPR compliant?
This is a complex question. The Privacy Shield addresses only one aspect of the broad Regulation. Self-certification to the EU-US Privacy Shield Framework fulfils the cross-border transfer requirements of the GDPR, but it does not equate to complete compliance with the Regulation.
Disclaimer: The information provided by the Insights Association is for informational purposes only and not for the purpose of providing legal advice. Please contact your attorney to obtain advice on specific issues or questions.