Compliance FAQ: Answers to your GDPR questions


Oro provides content designed to educate and help audiences on their compliance journey.

The General Data Protection Regulation (GDPR) has transformed the data protection landscape, and understanding its implications is crucial for organizations around the world. However, it can feel overwhelming for organizations to navigate this regulation, and questions abound. 

Below are some of the most common questions we hear from midsized companies when they’re embarking upon GDPR compliance.

Short summary

  • A question-by-question walkthrough of some of the most frequently asked questions surrounding GDPR
  • Additional resources for deeper dives into larger GDPR questions
  • Resources for navigating GDPR compliance

13 FAQs about GDPR

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs the processing of the personal data of data subjects in the European Union (EU) and the European Economic Area (EEA). Its main goal is to protect individuals’ privacy rights and give them control over their personal data.

The GDPR is designed to protect the fundamental rights and freedoms of individuals residing in the EU in relation to the processing of their personal data. It was written to address the rapidly evolving digital landscape and the need for stronger data protection laws.

The applicability of the General Data Protection Regulation (GDPR) is not determined solely by a company’s physical location. It applies to the processing of the personal data of EU residents by any organization (including U.S. and Canadian organizations), regardless of where the data processing occurs.

Even if a company is located outside of the EU or EEA, it may still be subject to GDPR if it processes the personal data of individuals or organizations located within those regions. This can occur when a company offers goods or services to individuals in the EU/EEA or monitors their behavior, such as through online tracking or profiling.

What are the 7 GDPR principles?

The 7 GDPR principles are:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

These requirements apply to all types of personal data and play a crucial role in ensuring data privacy and GDPR compliance. They are designed to safeguard personal data, protect the rights of individuals, and ensure that their personal data is handled responsibly.

What are GDPR fundamental rights? 

GDPR fundamental rights include:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision-making and profiling

These rights empower individuals to have more control over their personal data and ensure that organizations handle personal data responsibly and in accordance with GDPR guidelines. Organizations must be transparent about how they use personal data and must provide individuals with access to personal data.

Who can issue GDPR fines, and what are the penalties?

GDPR fines can be issued by national data protection authorities, with penalties up to €20 million or 4% of annual global turnover, whichever is higher. These fines serve as a stark reminder to organizations of the importance of GDPR compliance and the potential consequences of non-compliance. Organizations must take steps to ensure that they are compliant with GDPR regulations or risk fines, loss of reputation, or other regulatory sanctions.

What are GDPR limitations?

The General Data Protection Regulation (GDPR) does not apply to certain situations or entities. Here are some instances where GDPR may not apply:

Non-EU/EEA countries 

GDPR does not apply to businesses that do not operate within the European Union (EU). It specifically covers companies within the EU, as well as those outside the EU that have establishments or employees within the EU, or provide goods and services to data subjects in the EU. However, companies that have no connection to the EU, either in their operations or client base, are not subject to GDPR’s requirements.

Government and law enforcement activities

GDPR does not apply to personal data processing carried out for purely governmental or law enforcement purposes. National security activities, defense, and public safety fall outside the scope of GDPR. 

Individual use for purely personal activities

GDPR primarily applies to data processing activities carried out by organizations or entities in a professional or commercial capacity. It generally does not cover personal or household activities conducted by individuals for personal purposes.

Does GDPR affect US-based companies?

While GDPR does not directly apply to the United States, it may still impact U.S.-based organizations that handle the personal data of individuals within the EU/EEA. GDPR has extraterritorial reach, meaning that if a U.S. company offers goods or services to individuals in the EU/EEA or monitors their behavior, it may be subject to GDPR’s requirements.

To comply with GDPR, U.S.-based organizations may need to implement measures such as obtaining appropriate consent for data processing, ensuring data security, respecting individuals’ rights, and complying with data breach notification obligations, among other provisions. Many organizations have taken steps to align their practices with GDPR to facilitate international data transfers and maintain good data protection practices.

It’s important to note that the United States has its own data protection laws at the federal and state levels, such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA), which regulate specific sectors or aspects of data protection. However, these laws are separate from GDPR and have their own scope and requirements.

How does Brexit affect GDPR?

On January 31, 2020, the UK (i.e., England, Scotland, Wales, Northern Ireland, and the Channel Isles) officially left the European Union, a process known as Brexit. Following Brexit, a transition period took place during which the UK continued to adhere to EU laws and regulations, including GDPR. However, as of January 1, 2021, the transition period ended, and the UK implemented its own data protection legislation called the UK GDPR.

The UK GDPR largely mirrors the EU GDPR in terms of principles and rights. It incorporates GDPR’s standards for data protection and provides a similar level of protection for individuals’ personal data. Organizations operating in the UK are required to comply with the UK GDPR for processing personal data within the UK.

However, it’s important to note that the EU GDPR still applies to organizations within the UK that process the personal data of individuals located in the EU. This means that if a UK-based organization handles the personal data of individuals in the EU, it must comply with both the UK GDPR and the EU GDPR simultaneously.

What rules should businesses follow to ensure compliance with GDPR?

To ensure compliance with GDPR, businesses should:

  • Follow the regulation’s principles
  • Implement appropriate security measures
  • Maintain documentation of their compliance efforts
  • Keep records of data protection policies
  • Conduct data protection impact assessments
  • Provide data protection training for staff
  • Assign a data protection officer as necessary

By adhering to these guidelines, businesses can avoid costly fines and reputational damage.

What kind of information does GDPR apply to?

The GDPR applies to a wide range of personal data, including:

  • names
  • addresses
  • email addresses
  • other information that can be used to identify someone

Organizations should be cautious when processing sensitive personal data, as it is subject to additional safeguards under the GDPR. By understanding the types of customer data covered by GDPR, organizations can better protect the personal information of their customers and clients.

What responsibilities do companies have under the GDPR?

Companies have various responsibilities under GDPR, including adhering to data protection principles, reporting breaches, and appointing a Data Protection Officer (DPO) if necessary. Organizations must ensure that they are processing personal data lawfully, fairly, and transparently and that they are taking the necessary steps to protect the data from misuse and exploitation.

The data controller must also ensure that they are collecting data for specified, explicit, and legitimate purposes.

Does everyone need a Data Protection Officer (DPO)?

Not all organizations need a DPO; whether one is required depends on the scale and nature of the data processing activities. A DPO is usually needed when an organization handles, processes, or stores data on a large scale, or when it processes certain types of data, or data on a continuous basis.

Public authorities and bodies, including the data protection authority, are also required to appoint a DPO. In other cases, appointing a DPO is a best practice, or it may be required by a contractual obligation with a customer or vendor.

What are the steps to achieve GDPR compliance?

To achieve GDPR compliance, organizations should follow these steps:

  • Understand the regulation and its requirements, including the 7 GDPR principles
  • Identify the personal data they collect and process
  • Implement appropriate security measures to protect this data

Finally, organizations should train their staff on GDPR compliance, ensuring that everyone involved in data processing activities is aware of their responsibilities and obligations under the regulation.
