What is the GDPR?
The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It comes into effect on 25 May 2018.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the key definitions section of our Guide to the GDPR.
Does the GDPR only apply to EU organisations?
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
How can I prepare?
You can find the latest ICO guidance on the new legislation in our Guide to the GDPR. We will regularly update it and you can check it for the latest position.
We are also here to help. As well as these FAQs, we’ve created a package of tools aimed at small and micro businesses:
- Getting ready for the GDPR – a practical self-assessment tool
- Our 12 steps to take now checklist, and
- A dedicated advice line for small organisations.
The GDPR is an evolution of the existing law. If you are already complying with the terms of the Data Protection Act 1998, and have an effective data governance programme in place, then you are already well on the way to being ready for the GDPR.
Our Deputy Commissioner Steve Wood explains how the GDPR need not be a burden in his blog from August 2017.
My firm employs fewer than 250 people. Am I exempt from the GDPR?
You’ll have to comply with the GDPR regardless of your size, if you process personal data.
Size is a factor in a range of areas including the requirement to maintain records of processing. There’s more information about documentation in our Guide to the GDPR.
Do I need to appoint a data protection officer (DPO)?
Under the GDPR, you must appoint a DPO in certain circumstances. There’s a section on DPOs and when they need to be appointed in our Guide to the GDPR.
Can I have specific guidance for my sector?
Our guidance focuses on the general application of the GDPR. But we are engaging with representatives from a variety of sectors to provide sector-specific advice which could inform key pieces of guidance produced by influential industry bodies.
What are the rules under the GDPR for subject access requests?
The right of access under the GDPR contains important differences around fees, time limits, refusals, electronic format, refining requests and method of access. There’s more detail in the Individual rights section of the Guide to the GDPR.
Can you help me decide what to include in my privacy notice?
The GDPR sets out the information that you should supply and when individuals should be informed.
The information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
There’s more information in our Right to be informed section of the Guide to the GDPR.
Further advice is available in our code of practice on privacy notices.
What are your criteria for issuing monetary penalties?
Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.
Information Commissioner Elizabeth Denham explains more about fines under the GDPR in her blog post of 9 August 2017.
There are certain criteria that need to be assessed before imposing a fine, many of which are similar to those the ICO would consider when determining whether to impose a penalty under the DPA, such as: the number of people affected, any damage to the data subjects, the negligent or intentional nature of the infringement and action taken by the data controller to mitigate the damage.
However, the GDPR has introduced some new criteria, such as:
- The controller’s adherence to codes of conduct and approved certification mechanisms
- The extent to which the data controller notified the supervisory authority of the infringement and co-operated with it.
Europe-wide guidance on administrative fines is also now available.
We’re also in the process of updating our regulatory action policy to reflect the new law.
As well as fines we will have other tools to help us change the behaviour of organisations such as warnings, reprimands or corrective orders. We will always exercise our powers proportionately and judiciously.
How do I access the ICO’s advice services?
We’ve set up a dedicated advice line for small organisations. But you can also get in touch via live chat or email. Click on the ‘Contact us’ link on the blue footer from any page of the ICO website.
Do I always need consent?
In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate.
You can get more information about all the lawful bases in our Guide to the GDPR.
You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.
It’s your responsibility to identify a lawful basis for processing under the GDPR.
There are also checklists on consent to help in the Guide to the GDPR.
Is parental consent always required when collecting or processing children’s personal data?
The GDPR contains new provisions intended to enhance the protection of children’s personal data, in particular, privacy notices and parental consent for online services offered to children.
Article 8 imposes conditions on children’s consent, but it does not require parental consent in every case. Other lawful bases may still be available. Article 8 only applies when the controller is:
- offering information society services (ISS) directly to children; and
- wishes to rely on consent as its basis for processing.
So if an ISS is actually intended for parents to use, or if the controller is relying on a different lawful basis such as legitimate interests, then Article 8 won’t apply.
We’ve included a section covering this topic in our Guide to the GDPR. Information Commissioner Elizabeth Denham explains more about children’s consent in her blog from 21 December 2017 and asks for comments on her draft Children and GDPR guidance.
When does the right to data portability apply?
The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
There’s more detail in the Individual rights section of the Guide to the GDPR.
What is large-scale processing?
The GDPR does not define what constitutes large-scale processing. However, processing may be on a large scale where it involves a wide range or large volume of personal data, where it takes place over a large geographical area, where a large number of people are affected, or it is extensive or has long-lasting effects. In many cases it is unlikely that small organisations will be processing on a large scale processing.
Examples of large scale processing can be found in question 3 of the Article 29 Working Party FAQs on data protection officers.
How do we know if we’re a processor or controller?
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
There’s more information in the Key definitions section of our Guide to the GDPR.
You can use our Getting Ready for the GDPR self assessment tools to help you prepare, which is part of our Data protection self assessment toolkit.
I want to know more about the rules on security under the GDPR
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. You can find more guidance in the security section of our Guide to the GDPR.
Does my organisation need to register under the GDPR?
If you needed to register under the Data Protection Act 1998, then you will probably need to register, and pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.
The new Regulations will come into force on 25 May 2018. This doesn’t mean that everyone has to re-register and pay the new fee on that date. Data controllers who have a current registration (or notification) under the 1998 Act, do not have to re-register or pay the new fee until that registration has expired.
You can find more detail in our Guide to the Data Protection Fee.