Q. What is the GDPR?
A. The General Data Protection Regulation (GDPR) is a European regulation that will replace the Data Protection Act 1998 (DPA) with effect from 25th May 2018.
Q. Will the GDPR apply to my organisation?
A. The GDPR will apply to any organisation, in the public, private and third sector, that holds or uses information about living individuals (or ‘personal data’). Almost all organisations hold personal data about their employees, customers and suppliers.
Q. As the GDPR is a European regulation, will it apply in the UK after it leaves the European Union?
A. Yes. The UK government and the Information Commissioner’s Office (ICO), which enforces the DPA, have both indicated that the GDPR will apply in the UK.
Q. What happens if I am not compliant with the GDPR when it comes into force on 25th May 2018?
A. The GDPR will grant the ICO a wide range of powers, including the ability to conduct compulsory audits and issue fines of up to €20,000,000, or 4% of worldwide annual turnover. For larger organisations, fines could be significantly larger than €20,000,000.
Q. My organisation is a ‘data processor’ according to the Data Protection Act (DPA). Will the GDPR apply?
A. Yes. The scope of the GDPR is wider than that of the DPA.
Q. Does the GDPR mean that I must appoint a data protection officer (DPO)?
A. The GDPR specifies that the following types of organisation must appoint a DPO:
- Public authorities, except for courts acting in their judicial capacity;
- Organisations whose core operations require regular and systematic monitoring of individuals on a large scale; and
- Organisations whose core activities consist of processing special categories of personal data (special categories include data revealing ethnic origin, political opinions or philosophical beliefs, or trade union membership, data concerning health, or data concerning an individual’s sex life or orientation).
Organisations that do not fall under any of the above categories are encouraged to appoint a DPO on a voluntary basis.
Q. How can I find a DPO?
A. This will be difficult. A study suggests that the GDPR will create demand for 28,000 DPOs in the UK alone; however, there is a recognised skills shortage of suitable candidates, who must have expertise in data protection law and practice.
Q. What can I do if I cannot find a DPO for my organisation?
A. The GDPR allows organisations to outsource the role of DPO to a third-party service provider. It also recognises that many organisations will not need a full-time DPO; the role may be filled on a part-time basis.
Q. How can ProDPO™ help?
A. ProDPO provides data protection officer services on an outsourced basis, taking the problem away, and enabling you to focus on running your business.