EU General Data Protection Regulation (GDPR) - FAQ

What is the GDPR?

The EU General Data Protection Regulation (GDPR) is a binding legislative act concerning the protection of personal data and individual rights. The GDPR replaces the Data Protection Directive 95/46/EC.

It was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations approach data privacy. The GDPR requires companies to implement reasonable ways to protect their data, such as encryption, to protect it against data loss or exposure.

The enforcement date of the GDPR is 25 May 2018.

 

Who is affected by it?

The GDPR applies to all organizations located within the EU, or outside of the EU, processing and holding the personal data of EU citizens, in order to: offer goods or services, or monitor their behavior within the EU.

 

How can file encryption help towards compliance?

As Recital 83 in the GDPR states:

”In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”

Organizations have to make sure that their personal data is stored securely, whether on-premise or cloud-based, in order to prevent costly data breaches. Files that have been encrypted will be rendered useless when breached.

 

What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million – whichever is greater. This is the maximum fine that can be imposed for the most serious infringements. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ will not be exempt from GDPR enforcement.

 

How does the GDPR handle personal data breaches?

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.

 

What are my main responsibilities under the GDPR?

If your organization handles personal data, the Information Commissioner’s Office (ICO) states that you are expected to put into place comprehensive but proportionate governance measures. These measures should minimize the risk of breaches and uphold the protection of personal data. The exact responsibilities that apply are different for every organization, depending on its size, industry and what kind of data is being stored.

 

Is my website GDPR compliant?

According to vpnMentor as little as 34% of websites in the EU are currently GDPR compliant. “Most of the websites either have old privacy policies, and in some cases no privacy policy at all, and are in no way ready for the stricter privacy guidelines.”

In order to determine which websites collect data, and therefore need to update their privacy policy, vpnMentor based their research on sites that use MailChimp to collect user Email addresses. They have collected as many 100 websites per country, and looked at their privacy policy, if they had one, to determine if it was GDPR compliant.

 

How will Brexit impact the GDPR? Will it apply to businesses in the UK?

If your business is located in the UK, it will also have to comply with the EU regulation. The UK has stated that it will comply with the GDPR, and that its compliance will not be affected by Brexit.

 

Where can I find more reliable information on the GDPR?

Read and download the complete Regulations

EU’s GDPR dedicated website

Summary of the articles