GDPR 101 Frequently Asked Questions
Why create GDPR 101 Frequently Asked Questions?
Well mainly because we started getting questions about GDPR from nervous companies, agencies and clients. What is it? Does it apply to my business? Can I ignore this or do I need to do something?
So NicheQuest partnered with a veteran IT Consultant to learn more. We read all 88 pages of the law as well as articles, reports and synopses.
Then we started asking our own questions and searching for questions others were asking online. Our research included hours of discussion and took us to websites like Quora and (of course) Google.
It didn’t take long to discover that LOTS of people were asking ALOT of questions. . . and not just about the basics.
The results of our research are below, and while we are not legal experts, we can corroborate and validate our answers based on MANY sources.
As you read through the questions, you will find links to many of the most relevant sources we found. Our goal is to make this GDPR information page a valuable resource for you and those you send here.
Underlying all of this information is one burning question. . . Will GDPR or similar regulation be coming to the United States? Scroll down to answer 101 and there’s a link to an article that will provide an answer.
Thanks for visiting.
1. What is GDPR?
General Data Protection Regulation or GDPR is a comprehensive set of regulations pertaining to the storage and use of electronic data.
2. What does GDPR stand for?
GDPR stands for General Data Protection Regulation.
3. Where is it applicable?
GDPR is applicable whenever you are using electronic data for business in any of the 28 member countries of the European Union (EU).
4. Is GDPR applicable for businesses outside the EU?
Yes. GDPR is applicable to any business anywhere in the world that does business with natural citizens and/or businesses located in the EU.
5. Do businesses in America have to comply with the General Data Protection Regulations?
Yes, when they are doing business with natural citizens and/or businesses located in the EU.
6. Do these EU regulations also regulate my web page?
Yes, if your web page collects data or tracks visitors from the EU.
7. What countries are in the European Union?
Currently, there are 28 member countries to the European Union: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland,
Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom (until 3/29/19).
8. Why is the UK in the EU only until March 29, 2019?
On June 23, 2016, England held a national vote to determine whether the country should stay or leave the European Union. Subsequent to the vote, there have been questions raised about whether Cambridge Analytica – the bankrupt British company that took the personal data of 87 million Facebook users to help target political ads during the 2016 United States Presidential election – “might” have influenced the Brexit vote.
Resources
9. Once the UK leaves the EU, will they be obligated to comply with the General Data Protection Regulations?
Yes, when a British company does business with a natural person or company in the European Union (EU).
10. What is a “natural person”?
GDPR defines a natural person as someone who can be identified (in a variety of ways) and is in residence in an EU member country.
11. What are some of the potential identifiers?
There are many different identifiers. . .name, identification number (like a drivers license or US Social Security number), location data (like GPS information or an IP address) or cultural, economic, genetic, mental, physical, physiological, sexual or social attributes that could reveal the identity of a natural person.
12. Is there a specific GDPR descriptor for these identifiers?
All of these are collectively known as PII – Personally Identifiable Information – and are protected by GDPR.
13 What kind of PII might be gathered on a website?
There are many kinds of personally identifiable pieces of information…name, address, social security number, credit card number, medical information; to name just a few.
14. Are there certifications for data protection?
Yes, but they are voluntary. (Article 42 – 3)
Resource
15. Are there any specific softwares that I need to buy, license, or use?
No. GDPR is about best practices, contractual and technological obligations and codes of conduct.
16. Are there levels of best practices, contractual and technological obligations and codes of conduct?
Yes. It varies depending on the size of the business with the “cut off” at 250 employees.
17. Does GDPR have a single supervisory authority?
No. There is an “EU” supervisory authority as well as individual member country supervisory authorities.
18. How do I get GDPR compliance certification?
There are companies that offer this certification, but it isn’t a requirement of these regulations.
20. Why is it so important to be prepared for GDPR compliance?
It is important to be prepared for GDPR only if your company is located or does business with people or companies in the EU because the fines for non-compliance are steep.
21. Does the GDPR affect testimonials being used on a website?
GDPR would effect testimonials on a website if the testimonial contained PII (Personally Identifiable Information). ie: “XYZ Company does great work.” – Bob S., has no PII. “XYZ Company does great work.” – Bob Smith, Fargo, ND, has PII and would cause GDPR issues.
22. How do I get my side project to be GDPR compliant?
That would depend on what your “side project” is.
23. What if American Internet corporations simply refuse to comply with GDPR?
They will either face fines or more probably, like many nations in the world that regulate internet traffic, American companies that do not adhere to the policies and procedures of GDPR, they will probably be blocked.
24. Should I be wary of online companies I formerly subscribed to sending me emails asking me to click on a link to accept their new privacy policy?
That would depend on the company sending the link. If you’re familiar with the company and you’ve done business with them before, they are probably conducting business in the EU and trying to adhere to the new regulations. If you get a “privacy link” from a company you don’t know, proceed with caution.
25. How can a website owner comply with GDPR policy of 2018? If I have a site running Google AdSense and Google Analytics, how can I make sure I am complying with GDPR according to the new updates of 2018?
GDPR is a collection of rules and regulations about the privacy and security of the personal data your company collects and stores – and explaining to those whose data you’ve taken in simple, understandable ways. Seek professional help to amend your data use statements as well as your website and business infrastructure.
26. How will the GDPR 2018 regulation affect street photographers and posting photos on Instagram?
Since before the internet, professional photographers have needed model and property releases in order to sell images without legal liability. If the images posted on Instagram are for the purpose of selling a person, place or thing in the EU. . . and the image contains PII (Personally Identifiable Information). . . and you want to avoid legal issues. . . get a release.
27. How do I become GDPR compliant on a simple website with only email/password for registration purposes?
You will need a “simply worded” Privacy Policy stating the SPECIFIC use of the email. If other PII is collected, that use must be specified as well. To be safe, add a checkbox with “defined use” of the PII on the registration page that the user must click.
28. Will people abuse the GDPR law similar to patent trolls now that it is into effect and many organizations aren’t yet compliant?
There is a very high probability of this occurring for a while.
29. Is there a software solution for GDPR compliance?
GDPR is a process, not a product.
30. What data must be exported to comply with GDPR Article 20?
Whatever PII you have gathered: name, address, shoe size, weight, EVERYTHING you have collected about the person
31. Is it okay if we mention in our TOS that we are not a GDPR compliant?
Post-GDPR, companies will have to reassert opt-in on a periodic basis (e.g. once a year) or does opt-in last forever?
32. Is it “ok” to not be GDPR compliant PROVIDED you are not doing business with any people or businesses in the EU.
GDPR isn’t an “opt in” or “opt out”. GDPR is a set of policies and procedures that must be followed if you do business with people or businesses located in the EU.
33. In light of the upcoming GDPR requirements, how do you embed a Vimeo video on a website with no cookies?
It MIGHT be possible with a paid Vimeo account.
34. With GDPR looming, I want to remove all cookies on my WordPress site. If this is possible, how do I set this up so that the future WP and theme updates don’t reinstate them?
If the WordPress site is using Google Analytics, cookies cannot be turned off permanently.
35. How can I find and appoint a GDPR officer for my G Suite?
My G Suite is for my personal use and is not attached to any company.
36. Google has a DPO (Data Protection Officer). . . Do All Businesses Need a DPO?
A DPO is required if your company has over 250 employees and your company is doing business with people or businesses located in the EU. A DPO isn’t required for personal internet use.
37. Will GDPR kill off all salespeople?
If anything, GDPR will create opportunities for salespeople as outbound digital marketing will face more stringent requirements under GDPR.
38. Under the GDPR if a customer asks to delete their personal data, does that also include email interactions (via helpdesk + personal emails)?
It can because email includes PII. However, “archiving (Article 89) in the public interest” lists some exceptions and parameters subject to legal interpretation
39. Under the GDPR, if someone creates an account on your website, do they need explicit opt-in to receive even basic e-mails that relate to their activity? Like receiving activity updates on Quora?
Under GDPR, a company’s outbound data activity to people and businesses in the EU needs to be specifically defined for both use and length of time.
40. How does the GDPR affect websites that use the Facebook pixel to deliver ads and does a website need to give the option to not execute any pixel activity?
GDPR requires businesses doing business with people or businesses in the EU to provide specific use of personal data and have them “opt in.”
41. What exactly does GDPR require a small business, small organization, or sole trader to do?
Regardless of business size, GDPR requires entities (governments, organizations, sole proprietors, public or private businesses) doing business with either people or businesses in the EU to respect and protect the privacy of personal information and define how the data is being used and stored and get specific “opt-in” permission from the individual data provider for each use.
42. Concerning GDPR, for a website that uses tools (ex: Analytics or else), what changes are needed since you are not the one storing data?
Your privacy policy must clearly define in simple terms each use of PII. “Anonymous” data (400 page views) does not require permission. Personally Identifiable Information (20 page views from 192.168.1.4, 22 page views from 10.11.24.3) in your tracking requires a privacy statement to let people know of this use as well as a way for visitors to “opt-in” and allow you to use their data in this way and get confirmation of this from professional legal counsel.
43. Has anyone posted bounties for reporting GDPR violations?
44. What is the extent of GDPR penalties upon small businesses? Receiving a €10M fine, when a company can have an annual turnover of, let’s say, €100k, clearly does not seem reasonable.
Regardless of size, GDPR fines can go up to 4% of the total worldwide annual turnover of the preceding financial year.
45. Under what authority can the EU impose GDPR-related fines on companies with no presence or assets located within the EU?
If you’re in “their house” – and that includes a website opening on a computer in the EU – it’s their rules. Or what will probably happen is that like other countries in the world that restrict internet access, the EU will block non-compliant websites.
46. What is a practical solution for a business to continue using data of existing dormant customers who had given implicit consent at the time of registering?
They can give explicit consent only on next login which may not be in near future.
If the customers are located in EU member countries, GDPR requires businesses using PII to both define the data usage and get consent for each data usage.
47. Is SAP software GDPR compliant?
48. Is the 1-month limit for Article 17 of the GDPR counting time for deletion or just response time?
Article 17 states, “Without undue delay.”
49. Can GDPR consent requirements be made open only to EU & UK country users based on their IP addresses?
GDPR consents are required within the EU member countries and need to specify every data use
50. How do Ethereum projects comply with GDPR?
GDPR compliance is about accounting for how PII (Personally Identifiable Information) is safely stored and specifically disseminated. One of the concepts of blockchain is the safety of data through “distributed computing”; no single machine has all the information. As a “blockchain variant”, it would seem that data within an Ethereum project – provided a privacy policy clearly states each specific use of PII – could be compliant, but like the Ethereum project itself, the creation of an easy-to-understand Privacy Policy and specific “opt-ins” could be onerous. . . but seek out professional legal counsel.
51. Is the GDPR self-contradictory in that article 17 requires processors to implement the right to be forgotten, but article 30 requires processors to maintain a record of all categories of processing activities carried out?
PII is the Personally Identifiable Information (ie: Bob Smith, 34 West Lane, Liverpool, England) of those in the EU. Mr. Smith can “choose to be forgotten” by a data processor. If the processor “forgets” categories like. . .”People (or males) in England” or more specifically, “People (or males) in Liverpool”, the data has been “pseudonymized”, and no PII has been disclosed.
52. Does GDPR allow me to process phone numbers from real estate ads without the persons’ consent?
If the phone number belongs to a person or business outside the EU, yes. For people or businesses inside the EU, a phone number would be considered PII.
53. What steps do I need to take to not comply with the GDPR? I am more than happy to not deal with EU customers. I’m a small non-EU business and this is a massive cost burden for me.
As we learn more about how our personal information was used and disseminated across the “old wild west” of the internet, it is apparent that GDPR “variants” are coming everywhere.
Resources
54. How do I become GDPR compliant on simple website with only email/password for registration purposes?
Write a “simple” privacy policy, clearly, state each specific use of PII and have a clearly defined method for “opting in”
55. Post GDPR, will companies have to reassert opt-in on a periodic basis (e.g. once a year) or does opt-in last forever?
GDPR is a set of policies and procedures about the storage, use and dissemination of PII (Personally Identifiable Information) of people and entities in the EU. If you are conducting “data driven” business in the EU, it isn’t an “opt-in” or “opt-out”. . . just like you wouldn’t “opt-in” or “opt-out” of stopping at a traffic light.
56. How does the GDPR track down individuals who may not be complying with their regulations?
The EU supervisory authority as well each member country’s supervisory authority will have reporting methods.
57. Is it okay if we mention in our TOS that we are not a GDPR compliant?
Sure. Just don’t take any data or do business with any people or businesses located in a member EU country or you could be open to legal issues.
58. What limits does GDPR put on web scraping?
If you are scraping the data of people or entities in the EU, you need a privacy policy explaining in simple terms what you do with the data, and you will need a method of allowing anyone providing PII to opt-in for each specified use.
59. On my website I have both a social sign-up button and a social log-in button (FB and Google). What is the best way to make sure that the social log-in and sign-up forms are GDPR complaint?
If you are processing the data of people or entities in the EU, you need a privacy policy explaining in simple terms what you do with the data, and you will need a method of allowing anyone providing PII to opt-in for each specified use, as will Facebook and Google who are already facing GDPR issues.
Resources
60. Why does GDPR make finding domain owners harder?
Under GDPR, domains owned by EU residents have the right to be forgotten (hidden).
61. If I choose to not comply with GDPR, have no property or assets in the EU, but continue to do business in the EU, what can they do to me?
Because of the seamlessness of the internet, it is easy to forget how “interconnected” our planet is. I’m here. They’re there. They can’t touch me might not be the case. Don’t be so sure …
Resource story from Bloomberg – Click This Link Russian Loses $492 Million Yacht in Divorce
62. GDPR Frequently Asked Questions – Are There Other Resources?
Here are a few more sources with questions and answers
63. What’s a DPO?
The Data Protection Officer (DPO) can be either an employee or outside service provider who acts as the “point person” for a company’s GDPR policies and procedures.
64. What Are The Responsibilities of a DPO
“A DPO has formal responsibility for data protection compliance within an organization.” Click here for more info
Here’s another source related to responsibilities of a DPO, controllers/processors and staffing. Click Here
65. What Kind Of Companies need a Data Protection Officer (DPO)
Here is a resource on the Nortal website. You’ll see an example of a cookie policy when you click here
66. What rights will individuals have under GDPR?
Broadly speaking, individuals in the EU member nations will have several rights:
The right to know how their personal data is used,
The right to agree or refuse to any use of their data
The right to transfer their data to another controller or processor
The right to be “forgotten” on the internet
67. What effect does Brexit have on GDPR?
Before March 29, 2019, none. The UK is still part of the EU. After 3/29/18, like the home of any other foreign company doing business in the EU, businesses located in the UK will be required to comply with the policies and procedures of GDPR when they are involved with people and entities located within the EU.
68. Where Can I Find a GDPR Glossary of Terms?
Here’s a list of 35 terms at the eugdpr glossary
69. What’s the background to the GDPR?
It has taken about 4 years to craft the GDPR. It is based on the EU’s recognition that people in the EU have a right to know and grant permission as to how their personal data is being used by a company. GDPR gives people the right to know their PPI (Personally Identifiable Information) is being stored safely as well as having the right to be forgotten by the “internet” or have their data moved to another data processor or controller.
70. When does the GDPR take effect?
It took effect May 25, 2018.
71. I believe the GDPR makes extra provisions for children?
Yes. GDPR requires that the data of children be VERY simply explained, be VERY well protected and in some situations, get parental permission.
72. As the UK voted to leave the EU, does the GDPR still apply?
Yes. Before their departure date of 3/29/19, as a member of the EU, and after that date, UK companies doing business in the EU will still need to comply with GDPR with people in the EU.
73. What are my main responsibilities under the GDPR?
The main responsibilities under GDPR are for your company to protect and secure the personal data of people living in the EU. Also, you are now obligated to define and get permission for every use of the personal data of the people living in the EU.
74. What’s the definition of ‘Personal Data’ under the GDPR?
As implied by the GDPR’s operative phrase, “Personally Identifiable Information”, the personal data that needs to be safeguarded under GDPR is information by which an individual in the EU can be recognized.
75. What are the key things I should consider when handling personal data?
The main things to consider about the data of people in the EU under GDPR are to keep it safe and define its use.
76. I understand I must have a legal basis to process personal data under the GDPR?
Obviously, you cannot use personal data for illegal purposes like blackmail or extortion. You must define and allow for “opting-in” on every use of personal data of people in the EU that you do.
77. I understand I must have a legal basis to process personal data under the GDPR?
Obviously, you cannot use personal data for illegal purposes like blackmail or extortion. You must define and allow for “opting-in” on every use of personal data of people in the EU.
78. Do I have to appoint a Data Protection Officer for the GDPR?
That depends on several factors.
Read the info here from the Information Commissioner’s Office
Click This Link to view a chart from Insights Association
79. What is the role of a Data Protection Officer under the GDPR?
The DPO (Data Protection Officer) is an assigned role in a company as the “point person” for “all things GDPR”.
Visit this page for details at https://goo.gl/ssPL63
80. Is there “certification” for DPO?
While there are companies offering certifications for DPO, it is not required by GDPR.
81. What is Article 39 of the GDPR?
Article 39 of the General Data Protection Regulation defines the tasks of the data protection officer (DPO).
82. What rights do individuals have under the GDPR?
GDPR grants individuals living in the EU several important rights regarding the personal data they have provided to a company. They include the right to be forgotten, know how their data is being used, opt in or out to every usage, transfer their data to another processor or controller, and be notified of any data breach.
83. What Is The Accountability Principle and How Does It Relate To GDPR?
Read This From Dropbox Business “The General Data Protection Regulation has now explicitly codified the accountability principle in Article 24, which requires that organizations implement “appropriate technical and organizational measures” to be able to “demonstrate” their compliance with the Regulation.” Click Here for more information from Dropbox Business
84. What is Privacy by Design?
Privacy by Design is a conscious effort throughout the engineering process rather than an “afterthought”.
Click Here for a Privacy By Design Cheat Sheet
85. I’ve been told I need a privacy notice for the GDPR – is this correct?
Yes. The General Data Protection Regulation not only requires an easy to find privacy policy, but it must be simple and easy to understand.
86. Do I have to do a Data Protection Impact Assessment under the GDPR?
A DPIA will depend on the size of your company and the uses of the data you gather.
Resource Links
87. What Is a Subject Data Request?
Subject Data Requests go to the heart of GDPR’s individual rights.
According to DPOrganizer, “The Data Protection Directive and its replacement, the General Data Protection Regulation (in short GDPR) grant citizens rights regarding the personal data that is being processed by organizations.
One of the most important rights established that individuals have the right to access the personal data that an organization is processing about them.” Read More
88. What happens when personal data is breached under the GDPR?
Lots of problems for the breached company, and lots of requirements – the most important being that the DPO must notify EVERYONE whose data might be compromised within 72 hours of discovery.
89. What are the penalties for non-compliance of the GDPR?
Potentially up to 4% of the violator’s previous year’s worldwide revenue.
90. What is the Article 29 Data Protection Working Party?
The Article 29 Data Protection Working Party is a group that is establishing standards, definitions, policies and procedures for GDPR.
91. What’s the difference between a Controller and a Processor under the GDPR?
Under GDPR, a Controller decides what data is to be used to do what works, while a Processor actually does the work. They can be the same or different entities.
92. Are there any circumstances where the GDPR does not apply?
Within the EU, no. The question is akin to, “Are there times when I don’t need to stop at the traffic light?”
93. What about personal data I want to transfer outside the EU or to international organizations?
One of the stipulations of GDPR is the ability to transfer data between both companies and countries. For the transfer of data to countries outside the EU, GDPR requirements stand. Here’s an article that might help you if you need more info on this topic. Click Here
94. What are the GDPR Recitals?
The Recitals are the reasons that these laws were enacted.
95. My organization is compliant with ISO 27001. Will this help with my data protection compliance?
ISO 27001 Is an information security standard. Compliance with ISO 27001 can help towards compliance with GDPR, but one does not equal the other. Check with your legal and IT teams to find the overlaps and the holes.
96. My organization complies with NIST. Does this give me a head start with GDPR compliance?
The National Institutes of Standards and Technology, like ISO 27001, can help towards compliance, but one does not equal the other. Check with your legal and IT teams to find the overlaps and the holes.
97. I’ve heard that if I comply with PCI-DSS 3.2, I’ll meet the European Union data protection requirements. Is this correct?
The Payment Card Industry Security Standards Council (PCI SSC) like NIST and ISO 27001, can address aspects of compliance with GDPR, but one does not equal the other. Check with your legal and IT teams to find the overlaps and the holes.
98. What is happening in the US related to GDPR?
If you are an American business, and you do not conduct any business with anyone in the EU, GDPR will have no direct effect on your business. . . yet. Currently, GDPR is only for the data of people in the EU. However, “variants” of the GDPR are starting to become laws in various states. Such as the Vermont data broker law. . .
or California’s privacy law. . .
99. How Do You File a GDPR Complaint?
If you’re a complainer visit the European Data Protection Supervisor.
100. How Will the EU’s Data Regulations Change The World?
You might want to check out an article by Shelley Palmer in AdAge …
“Depending on your field of work, you may be impacted by GDPR more than others may be. For instance, email marketing now requires proof of opt-in. You can no longer pre-check boxes to automatically sign members up for newsletters, or have a box to opt out; instead, you’ll be able to collect and use email addresses only if members opt-in. You must also have proof of opt-in (as defined in the regulations).” Click here for the full article .
101. Will GDPR or a similar regulations be coming to the United States?
GDPR is a major change to the internet regarding privacy and personal data. While these regulations are European Union (EU) law, on June 28, 2018, California passed a privacy law to take effect on January 1, 2020. Read The Article here in the Washington Post.
Be First to Comment