Frequently asked questions – GDPR

Our GDPR FAQ page explains common questions around the  European-wide law that places greater obligations on how organisations handle personal data. It applies to data processing carried out by organisations operating within the EU and came into effect on May 25 2018. The Regulation is a binding legislative act, unlike a Directive which sets out a goal for EU countries to achieve.

Visit our GDPR Compliance Packages page for help with compliance.

Visit the ICO page for an overview on the GDPR.

Yes, a company email address like is considered personal data under GDPR.

If your business handles the data of EU citizens, GDPR is likely to apply to you. Here are some specific examples:

  • If you have staff or contractors who are EU citizens, GDPR will apply to you
  • If you have any customers, clients, suppliers, partners etc., in the EU, GDPR will apply to you
  • If you attend trade shows and events and collect the business cards of EU citizens for marketing purposes, GDPR will apply to you
  • If your CRM system has the names of EU citizens, and you send them newsletters, GDPR will apply to you
  • If your company website sells goods and services to a global market, including the EU, GDPR will apply to you
  • If, however, your company does not ‘actively’ market itself to the EU, yet still sells to the EU ‘occasionally’, then GDPR may not apply to you
  • If you use outsourced services from a European service provider, GDPR will apply to you. E.g., PayPal is based in the Netherlands.

GDPR applies all types of personal data, including your staff, your recruitment process, your client contacts, your supplier contacts, your partners etc. As long as you hold (or process) the personal data of EU citizens, you are liable to fall under GDPR

If you don’t hold the personal data of EU citizens, then GDPR may not apply to you. However, if your clients and suppliers do handle EU citizens’ data, they may stop working with you unless you become GDPR compliant. This is because the GDPR requires all businesses to work only with other businesses who are GDPR compliant.

Yes you can, but it may not be practical or cost effective to maintain separate processes. Most experts believe that GDPR provides a higher level of protection for personal data than the current standards in North America, so should be adopted by all businesses for all types of personal data.

No, GDPR applies to your whole organization because the personal data of the EU operation is likely to be processed by the North American operation (e.g., staff payroll, client/supplier invoices, local support services etc.).

Yes. The GDPR applies to firms that offer goods or services to EU citizens irrespective of if payment is exchanged.

You may be fined for up to €23m or 4% of your worldwide turnover whichever is greater – this could happen in the event of a data breach, and you are shown to be negligent in looking after personal data. In addition (and separately), you may also be subject to lawsuits by affected data subjects, if, for example, you contacted them without having a legal basis to do so.

As much as fines, the reputational damage might have a bigger impact on some businesses. Facebook is currently spending millions of dollars on advertising in the UK saying how much it protects the data it holds, following the recent scandal with the UK company, Cambridge Analytica.

It should not be overlooked that businesses can only deal with other businesses who are GDPR compliant, so if you don’t comply, you will see a loss of business from your partners/ clients/suppliers who do comply.

This is an independent public authority which is established by each EU country to oversee data protection measures within the country, with tasks ranging from conducting investigations and issuing fines, to promoting public awareness associated with personal data.

A DPO is an individual who is tasked with advising the company and managing their GDPR compliance. The DPO must report to the highest level of management and operate independently, with sufficient resources.

A DPO is mandatory is some specific situations, but it is strongly recommended for any company that holds and processes significant volumes of personal data. Many companies outsource this position to keep their costs down.

If you offer goods or services to EU citizens or monitor their behaviour, you may need to appoint a representative in the EU who will liaise with the local supervisory authority, when required to. If you have an office in the EU, it can act as your representative.

It can be an individual or a company based within the EU, preferably in the country with which you do the most business/collect data. There is no requirement for the representative to be a legal firm, but it should be familiar with GDPR.

It represents your business within the EU and acts on your instruction when dealing with, for example, enquiries from the Supervisory Authority or in response to a data breach.

Anonymization is the irreversibly de-identifying of personal data such that the person cannot be identified – this data is outside of GDPR. Pseudonymization is a technique to process data whereby separate sources of data have to be combined to identify an individual.

Yes, although the ISO certification is helpful in your journey. If you have existing processes in place, carrying out the additional work to become GDPR compliant should not be too onerous.

No. You need to keep a trace of it, to ensure you do not, for example, accidentally contact a person again. Generally, you would strip out most of the data and keep enough to identify the individual and keep a record of the fact that s/he has asked to be forgotten.

Some companies have adopted this approach, but is it sustainable in the long run? With the recent announcement of the new California Consumer Privacy Act, will these websites also deny access to visitors from California?

In the US, there is the  Health Insurance Portability and Accountability Act (HIPAA), which is a data privacy regulation that protects an individual’s medical record and applies to organizations in the health sector.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) which is similar to the GDPR in that it applies to all personal information and governs all commercial entities. The Personal Information Protection Acts (PIPA) is similar to PIPEDA but applies to the provinces of British Columbia and Alberta.

Yes. GDPR applies to the data of EU citizens and is generally considered the highest standard of data protection. If Canadian organization process the data of EU citizens, they need to become GDPR compliant, albeit it may be a less onerous journey if they already enact PIPEDA or PIPA.

GDPR applies to all businesses. The other regulations are more nuanced about who they apply to.

for help with planning, implementing & maintaining your gdpr compliance programme, call now.