This page is a data protection FAQ, giving answers to some of the most commonly asked questions about the GDPR and data protection.
This data protection FAQ will be updated regularly.
GDPR FAQ
What are the 7 main principles of GDPR?
The UK GDPR and the EU GDPR are both based on 7 principles which any organisation that handles personal data must comply with.
These are:
• Lawfulness, Fairness, and Transparency
The personal data must not be used for anything illegal and there must be a lawful (or legal) basis for any purpose of using the data. Also, people must be informed about what is happening to their data.
• Purpose Limitation
Any personal data collected must be for a specified, specific and legitimate purpose.
• Data Minimisation
Only personal data necessary for specified purposes may be collected.
• Accuracy
As far as possible personal data needs to be accurate.
• Storage Limitation
Personal data may only be kept as long as is necessary for the specified purpose(s).
• Integrity and Confidentiality
This probably should have been called security!
A level of security appropriate to the risks associated with the personal data handled must be determined and implemented.
• Accountability
Any organisation is required to comply with the above principles and to be able to demonstrate its compliance.
What is GDPR and its purpose?
The GDPR or General Data Protection Regulation is legislation that the EU created and enforced from May 2018. It was introduced to harmonise and extend existing data protection legislation across the EU. This legislation is based very firmly in human rights. It permits organisations to do certain things with information about people, but imposes limitations on this to prevent people suffering harm. The law also gives people some control over what their information is used for.
Who does GDPR apply to?
The GDPR applies to organisations (companies, partnerships, charities, public bodies, etc.) and individuals (unless acting ‘in the course of a purely personal or household activity’). It applies if the organisation has an establishment in the EU (strictly the European Economic Area (EEA), which consists of the EU together with Iceland, Norway, and Liechtenstein).
It also applies to organisations without an establishment in the EU if they are offering goods or services to people in the EU or are monitoring the behaviour of people in the EU.
The UK GDPR applies in a similar way in the context of the UK.
What are the four pillars of GDPR?
The GDPR does not have ‘pillars’ as such.
The main requirements of the GDPR relate to:
- Compliance with the principles
- Data subject rights
- Personal data security and breach reporting
- International transfers of personal data
What is a data breach under GDPR?
The official definition of a personal data breach in Article 4 of the GDPR is:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
This includes accidental deletion of the only copy of data, emails sent to the wrong address, attaching the wrong file to an email, corruption of data and even reading something aloud when the wrong person is listening!
How many GDPR rules are there?
The GDPR has seven principles for the processing of personal data.
These are:
1. Lawfulness, Fairness, and Transparency
The personal data must not be used for anything illegal and there must be a lawful (or legal) basis for any purpose of using the data. Also, people must be informed about what is happening to their data.
2. Purpose Limitation
Any personal data collected must be for a specified, specific and legitimate purpose.
3. Data Minimisation
Only personal data necessary for specified purposes may be collected.
4. Accuracy
As far as possible personal data needs to be accurate.
5. Storage Limitation
Personal data may only be kept as long as is necessary for the specified purpose(s).
6. Integrity and Confidentiality
This probably should have been called security!
A level of security appropriate to the risks associated with the personal data handled must be determined and implemented.
7. Accountability
Any organisation is required to comply with the above principles and to be able to demonstrate its compliance.
In addition to these, the GDPR has rules about responding to people’s requests about their data, transferring data to other countries, reporting data breaches and outsourcing of data processing.
What activities does GDPR apply to?
The General Data Protection Regulation (GDPR) applies to the automated or structured processing of personal data.
- Automated means using a computer (including a smartphone)
- Structured means the data is stored in a filing system
- Personal data is any information relating to somebody you can identify
- Processing means doing anything with (including storing) personal data
It does not apply if the processing is for a purely personal or household activity. For example, as long as you are not doing it as a professional photographer, GDPR does not prevent you from taking photographs of your (or other) children at a school event.
Who is protected by GDPR?
If your company has a base (an ‘establishment’) in the EU or the UK then the GDPR requires you to process anybody’s personal data according to a set of rules. This applies wherever in the world people are located. Also, even if you do not have a base in the EU or UK but offer goods or services to individuals in these places you have an obligation to comply.
People often talk about citizens in this context. GDPR makes no reference to citizens. What matters is the location of people and the location of your business.
Who does GDPR not apply to?
The GDPR does not apply to individuals carrying out a purely personal or household activity.
It also does not apply to companies which do not have an establishment in the EU or the UK unless they offer goods or services to people located in those countries or monitor the behaviour of these people – for example by monitoring the opening of marketing emails.
Is age protected under GDPR?
Age is likely to be personal data, just like name, address, telephone number etc. It does not have any particular status and is not considered to be ‘sensitive personal data’. So you would need to handle it according to the normal rules.
Who owns data under GDPR?
The concept of owning data does not exist in the GDPR. A ‘controller’ is responsible for handling data ‘relating to’ a ‘data subject’ correctly, according to the law. A data subject has specified rights which allow them to require a controller to do certain things relating to this data, including, under certain circumstances, providing a copy of the data held, correcting it and deleting it.
Nobody owns the data in the normal sense of ownership.
If you find this data protection FAQ useful and would like to know more about any of these questions have a look at our list of data protection courses which provide a detailed understanding of data protection compliance.
If you would like official guidance on data protection compliance in the UK visit the ICO’s website.
Data Protection Act FAQ
What is the Data Protection Act 2018?
The Data Protection Act (DPA), which was passed in 2018, is an Act of Parliament of the United Kingdom. It relates to the obligations of organisations when they handle information about people.
It has three main parts:
- Part 2: General Processing. This part ‘supplements, and must be read with, the UK GDPR’.
- Part 3: Law Enforcement Processing. This part provides a data protection regime for ‘Competent Authorities’ when processing personal data for ‘law enforcement purposes’.
- Part 4: Intelligence Services Processing. This part provides a data protection regime for processing personal data by the Security Service, the Secret Intelligence Service and the Government Communications Headquarters.