GDPR
GDPR 2018: FAQs
SOZO's collection of Frequently Asked Question's (FAQ's) to help answer the questions you may have been asking about GDPR 2018.
Do I need a Data Protection Officer (DPO)?
ICO states that under the GDPR, you must appoint a Data Protection Officer (DPO) only if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
I would take “large scale” as companies around the €100 million turnover mark but it’s not known for sure. Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR. If you appoint someone to help manage data protection, but are not a DPO and you have not employed a DPO, do not call them a DPO otherwise they will be subject to the regulations and duties set by GDPR for any DPO. Call them a Data Protection Assistant for example.
GDPR is an company wide issue, it should be the CEO or MD who takes a leading role in ensuring GDPR is taken seriously across an organisation. For smaller sized businesses that don’t have a DPO, then someone should be charged with implementing the guidelines but make sure everyone is aware of the regulations and policies.
Don’t just leave it to one person to tick boxes. If companies are fined for not being compliant, the CEO will have a highest responsibility, and therefore needs to prepare the company for GDPR.
What happens after May 25th 2018, and how will it be policed?
It will apply automatically in all EU member states from 25th May 2018. It came into force on 24 May 2016, after all parts of the EU agreed to the final text. Businesses and organisations have until 25 May 2018 until the law actually applies to them.
Where do Cloud Backup Solutions play a part in GDPR?
Cloud is no different to an external hard-drive. With each scenario, you must ask yourself the 4 key questions: what personal data do we have, where is it located (iPad, hard-drive, cloud etc), how are we using it and do we have consent or a different lawful basis to be holding and processing the data in that way.
If you are a “controller” of EU citizens personal data and are sharing it with a data “processor”, who’s maybe also sharing it with sub-processor’s for instance, if at some point in that journey your data is going somewhere and they’re not GDPR compliant, you’ll get a fine and the regulator will go after them too. If it’s a chain of 6 companies looking after the data – everybody is accountable.
This provides an opportunity for competitive advantage if you can show the way all data handled is GDPR compliant, business opportunities are present to steal a mark on less prepared competitors.
What about GDPR and Business-to-Business (B2B)?
If dealing with personal data, GDPR regulations still apply.
Related articles:
Does my site need to have unticked checkbox options by default for any kind of opt-in?
Yes, if consent is required for the lawful processing of personal data. Consent must be active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs. GDPR gives 6 scenarios for the lawful processing of personal data – legal obligation, public interest, vital interests, contractual, legitimate interests and consent.
You must be able to demonstrate how the data subject has consented to the processing which means recording how, when and who gave consent. If you cannot prove how you obtained consent the likelihood is that you will be fined. This applies to pre-GDPR personal data too. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in May 2018.
Related articles:
What about data and customer details that have been previously collected prior to any/e4?
You need to send out a fresh prompting for your customers to opt-in if consent has not been collected in a GDPR compliant manner.. See the section ‘What to do with old or archived data’ for in-depth information GDPR 2018: What to do now/Where do I start?!.
Note: Get your solicitor or legal team to check your Privacy policies and terms and conditions.
What about cookies? Do we need any changes in the messages about storing cookies?
Consent does not necessarily have to be explicit ‘opt-in’ consent. Implied consent can also be valid. If you are relying on implied consent, you need to be confident that your users fully understand that their actions will result in cookies being set. However, in some circumstances (for example, collecting sensitive personal data such as health details) it is likely that explicit opt-in consent is more appropriate.
For more advice on obtaining consent, including the rules on browser settings, see the ICO’s cookies guidance.
Note: Get your solicitor or legal team to check your Privacy policies and terms and conditions.
What are the charges faced for not being GDPR compliant and having a data breach?
Tier 1
A data breach that puts data – deemed by the authorities as highly important – at risk, will be fined up to 20 million Euros or 4% of the previous year’s global annual turnover, dependent on which is greater.
Tier 2
All other data breaches could lead to a fine of up to 10 million Euros or 2% of the previous year’s global annual turnover, dependent on which is greater.
It is your responsibility to Inform your data protection authority of a data breach that risks people’s rights and freedoms within 72 hours of your organisation becoming aware of it. The Information Commissioner’s Office is the UK authority. Failing to notify a breach when required to do so can result in a significant fine.
Looking for a digital agency to become your long-term partner to help your business succeed online?
Well say hello then!