Everything you wanted to know about GDPR but were afraid to ask!


What is GDPR?

The General Data Protection Regulation is a law enacted in the European Union (EU) in order to protect the privacy of its citizens. The objective of the regulation is to give back to citizens control of their data, to simplify a fragmented regulatory environment and to support the creation of a Digital Single Market in the EU.

To whom does it apply?

GDPR applies to any person or organisation that collects data on any citizen of the European Union (EU). It also applies to countries in the European Economic Area (currently Norway, Liechtenstein and Iceland).

What kind of data is subject to GDPR?

The following is an exhaustive but not complete list:

  • Name
  • Age
  • Gender
  • Physical and Electronic addresses
  • Financial information
  • Performance at work
  • Information on Health
  • Personal preferences
  • Information on behavior
  • Biometric information
  • Location data
  • Processing that leads to discrimination of individuals (like buying patterns)
  • Data collected as part of monitoring public areas
  • Political opinions
  • Trade union membership
  • Criminal convictions

What does compliance actually mean?

This is a big list and deserves a page of its own.

See: Things to Watch Out For!

When does GDPR take effect?

The regulation takes effect from the 25th of May,2018.

Is it true that fines are steep?

Fines can be up to 20M Euros or 4% of global revenue, whichever is higher. However, this is the maximum limit. Actual fines will be proportional to the infringement. For minor infringements a reprimand may be issued instead of a fine.

See Also: Things to Watch Out For!

What is the difference between Data Controller and Data Processor?

A data controller is a person or organisation that determines the purpose and means of collecting data. A data processor is a person or organisation that processes the data. For example, if you have an IT services company manage your user database, then you are the controller and the services company is the processor. Many a time the controller and processor are the same entity.

Is it mandatory to appoint a Data Protection Officer (DPO)?

A DPO needs to be appointed if:

  1. Private data is collected or processed by a public institution.
  2. Private data is processed regularly or on a large scale and is interlinked with core operations.
  3. Data about ethnicity, political opinions, religious beliefs, trade union membership, genetic or biometric data, data relating to health, sexual orientation etc. are processed on a large scale.

It is possible for many organisations to share a DPO as long as the DPO has the ability and autonomy to discharge his/her duties and is easily accessible by each organisation.

Data Protection Authority

How to designate one if a company operates in more than one country?

The guidelines recommend selecting a supervisory authority using the following criteria:

  • Location of the Group’s European Economic Area (EEA) headquarters.
  • If the Group is not headquartered in the EEA then the location in the EEA of the Group entity with delegated data protection responsibilities.
  • The location of the Group which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the binding corporate rules.
  • The Country where most of the decisions, in terms of the purposes and the means of the data processing, are taken.
  • EEA Member States from which most of the transfers outside the EEA will take place.

Is there a list of supervisory authorities?

Yes. A list of data protection bodies is published here.