What is the GDPR? 9 Frequently Asked Questions
10 Nov, 2017
The GDPR will be a game changer for the digital industry in terms of how it handles personal data. Are you ready?
You may have heard of GDPR but are you aware of how it is going to impact your business? Jellyfish Training has introduced two new courses that will help organisations and marketers adapt - GDPR: A Beginners' Guide and GDPR: Consent, Rights & Fines.
For those who are still in the dark, we’ve looked at some of the most commonly asked questions around the new legislation.
So let’s start with the basics…
What is the GDPR?
GDPR is the abbreviation of the EU General Data Protection Regulation that comes into force in all EU states on May 25th 2018. It intends to strengthen data protection for all individuals within the EU and will impact the way all organisations handle personal data.
GDPR supersedes the 1995 EU Data Protection Directive that was adopted into member states’ law in 1998 (the Data Protection Act (1988) in the UK).
Ok, so that’s the legal definition but what do you need to do?
What is GDPR compliance?
The EU GDPR is based on six principles that specify how personal data must be handled and how organisations that “process” personal data must behave. GDPR compliance means applying every applicable principle to everything an organisation does in relation to collecting, handling, using and even deleting personal data.
So far so good, but personal data can mean many things right?
What is personal data under GDPR?
Under GDPR, personal data is Personally Identifiable Information that can be used to identify a “natural person” – a living human being – often referred to as a “Data Subject” in the text of the EU GDPR.
Again, a nice legal definition but what does it mean in practice?
What is meant by personal data?
Personal data is any data that can identify an individual – sometimes referred to as sensitive personal data or Personally Identifiable Information (PII). Some data that is not personal data on its own becomes personal data when combined with additional information that could identify an individual.
So, to give an example, Mr D. L. Jones who lives at no. 43 is not personal data; add a postcode and it becomes Personally Identifiable Information.
What is sensitive personal data?
Sensitive personal data is information about an individual that is subject to the most stringent rules and controls under GDPR. This is data that reveals a data subject’s racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or trade union membership.
The regulations also cover the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Ok, so we know who or what the GDPR is meant to protect but who needs to comply?
Who does GDPR apply to?
The EU GDPR applies to every business and public body in the EU that employs people or collects, stores or uses (Processes) the Personal Data of any individuals. It also applies to any non-EU organisations that Process Personal Data in the EU.
It also applies to any business, regardless of geographic location, that offers products or services to EU citizens. All employees of multi-national and trans-national companies that sign Binding Corporate Rules so that Personal Data can be transferred outside of the EEA (the EU plus Iceland, Liechtenstein and Norway) are also protected by the GDPR.
So, the chances are that includes you!
What are the penalties for non-compliance with GDPR?
The maximum fine for “general” transgressions is €10m or 2% of a company’s annual turnover. For transgressing the rules regarding the core GDPR principles, individuals’ rights or transfers to countries outside of the EEA the maximum fine rises to €20m or 4% of annual turnover. This larger sum can also be applied for non-cooperation with Supervisory Authorities such as the ICO.
The Information Commissioner’s Office (the ICO) has the power under the GDPR to levy substantial fines that are “effective, proportionate and dissuasive.” The ICO’s philosophy has always been to use fines either as a last resort or to punish those who have ignored Data Privacy law. Under the Data Protection Act (1998) the maximum fine was laid down as £500,000.
Now we know what some of you in the UK are thinking; aren’t we leaving the EU?
Will GDPR apply after Brexit?
Yes, the UK will have a new law from mid-2018 onwards, the Data Protection Act (2018). This is, for all intents and purposes, the EU GDPR with only a few derogations (changes). The DPA 2018 references the GDPR and the guidance is that both laws should be considered when making decisions about Data Privacy.
Sounds like you’ve got no choice but to take this seriously then.
How will GDPR affect marketing?
GDPR tightens the rules governing consent which means that marketers will need to take steps to ensure that they comply with the GDPR. Companies that market through their websites will need to ensure that the consent they gain is done so as a clear, affirmative action – inferred consent is no longer consent.
If current consent is not GDPR compliant it will have to be refreshed. B-to-C ‘cold-calling’ (i.e. without the recipient’s consent) is highly likely to fall foul of the new law, especially if data has been bought in from a third party.
B-to-B marketing is less reliant on consent and should be, on the whole, unaffected, providing marketers are clear about how and from where they obtained their target audience’s data.
So, hopefully that's given you a flavour of what the GDPR is and what it means for you. To get your business and marketing in shape, make sure you view our courses:
GDPR: A Beginners' Guide and GDPR: Consent, Rights & Fines
Alternatively you can view our full range of training courses here.