Q. What is the GDPR?
A. The General Data Protection Regulation (GDPR) is a European regulation that replaced the Data Protection Act 1998 (DPA) on the 25th May 2018.
Q. Does the GDPR apply to my organisation?
A. The GDPR applies to any organisation, in the public, private and third sector, that holds or uses information about living individuals (or ‘personal data’). Almost all organisations hold personal data about their employees, customers and suppliers.
Q. As the GDPR is a European regulation, does it apply in the UK now that it has left the European Union?
A. Yes. The UK government and the Information Commissioner’s Office (ICO), which enforces the DPA, have both indicated that the GDPR continues to apply within the UK.
Q. What happens if I am not compliant with the GDPR?
A. The GDPR grants the ICO a wide range of powers, including the ability to conduct compulsory audits and issue fines of up to €20,000,000, or 4% of worldwide annual turnover. For larger organisations, fines can be significantly larger than €20,000,000.
Q. My organisation is a ‘data processor’ according to the Data Protection Act (DPA). Does the GDPR apply?
A. Yes. The scope of the GDPR is wider than that of the DPA.
Q. Does the GDPR mean that I must appoint a data protection officer (DPO)?
A. The GDPR specifies that the following types of organisation must appoint a DPO:
Public authorities, except for courts acting in their judicial capacity;
Organisations whose core operations require regular and systematic monitoring of individuals on a large scale; and
Organisations whose core activities consist of processing special categories of personal data (special categories include data revealing ethnic origin, political opinions or philosophical beliefs, or trade union membership, data concerning health, or data concerning an individual’s sex life or orientation).
Organisations that do not fall under any of the above categories are encouraged to appoint a DPO on a voluntary basis.
Q. How can I find a DPO?
A. This will be difficult. A study suggests that the GDPR has created demand for 28,000 DPOs in the UK alone; however, there is a recognised skills shortage of appropriate candidates, who must have expertise in data protection law and practice.
Q. What can I do if I cannot find a DPO for my organisation?
A. The GDPR allows organisations to outsource the role of DPO to a third-party service provider. It also recognises that many organisations will not need a full-time DPO; the role may be filled on a part-time basis.
Q. How can ProDPO™ help?
A. ProDPO provides data protection officer services on an outsourced basis, taking the problem away, and enabling you to focus on running your business.