Top 10 GDPR FAQs

Your Top 10 Frequently Asked Questions About GDPR

When did GDPR come into effect?

The General Data Protection Regulation (GDPR) came into place on 25 May 2018. It supersedes the Data Protection Act 1998 (DPA 1998) to bring data protection legislation into line with new, previously unforeseen ways that data is now used.

Why do we need GDPR?

The DPA 1998 was enacted before the internet and cloud technology created new ways of exploiting data, such as Facebook and Google swapping access to people’s data for use of their services, and the GDPR seeks to address that.

Who does the GDPR affect?

The GDPR affects all companies and industries, both in the private and public sectors that sell to and store personal information about citizens within the EU. It also applies to organisations based outside the EU if they process data about EU citizens.

What action does my company have to take?

Under the GDPR all companies who handle personal data must have security controls in place to ensure the safety of this data. The GDPR is a good opportunity for companies to review and tighten these measures to ensure maximum data security.

For example:

  • check who has access to your data and restrict this to only those who need it
  • implement a data protection policy that outlines your data retention period and how information will be destroyed when it is no longer needed
  • ensure you gain explicit rather than implied consent to process data from customers

For more information, check out these 5 steps to GDPR compliance.

Will Brexit affect GDPR?

GDPR will still largely apply once the UK has left the EU. This is because the UK has already reformed its own data laws in line with the GDPR in the form of the 2018 Data Protection Act 2018. This is essentially GDPR with a number of tweaks that make it unique to the UK. In practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.

The EU version of the GDPR will still apply directly if you operate in Europe or process data about EU customers.

Please visit the ICO website for more detailed information about the implications of Brexit on the GDPR.

What is a Data Protection Officer and does my business need one?

A Data Protection Officer (DPO) is responsible for highlighting concerns about the company’s data protection compliance and reporting these directly to company management. Having a DPO is an effective way of demonstrating your commitment to data protection.

You need to appoint a DPO if you are a public authority or body, or if you carry out certain types of processing activity. If you’re unsure about your responsibilities, complete this short 5 minute survey to determine whether this is a necessary step for your organisation.

What are the rights of clients?

Citizens of EU countries will gain greater control over their personal information under the GDPR. They will gain the right to be forgotten, the right to know when their personal data falls into the wrong hands, the right to be informed about the purpose of any data processing and will be asked for explicit consent before a company can process their information.

Abiding by clients’ rights is not only the law, but will also increase customer trust and improve overall customer-company relations.

What is a data breach and what should I do if one occurs at my company?

A data breach is a security incident in which sensitive, confidential or otherwise protected data is lost, destroyed, corrupted or disclosed. When a security incident takes place, you must quickly establish if a personal data breach has occurred, and promptly take steps to address it, telling the ICO within 72 hours and notifying customers if required.

What’s the difference between a processor and a controller?

The ICO defines the roles of processor and controller as follows:

‘A controller determines the purposes and means of processing personal data’
‘A processor is responsible for processing personal data on behalf of a controller’

The GDPR places specific legal obligations on a processor such as maintaining records of personal data and processing activities. You also have legal liability if you are responsible for a breach.

As a controller, the GDPR places further obligations on you to ensure your contracts with processors are GDPR compliant.

What are the penalties for non-compliance?

In the event of a data or compliance breach, the ICO can impose fines of up to €20 million or 4% of group worldwide turnover, whichever is greater, against both data controllers and data processors.

The GDPR massively affects how you must handle, dispose of and store personal data. It is best to devise and implement a clear, company-wide plan that details how you manage data in order to comply with the GDPR to avoid data breaches.


Get in touch today

SDR are experts in providing customised document storage, scanning and destruction solutions for all documents and IT equipment. You can be assured your data is handled securely and in compliance with GDPR, with a Certificate of Destruction being issued after each service for your records.

SDR can assist with all of your needs contact us today on 0800 037 7777.