GDPR & Data Protection FAQ

What is personal data?

UK law such as the GDPR and the Data Protection Act (‘DPA’) is all about protecting  “personal data” so it’s critical to understand what it is so you know whether GDPR applies to your processing of it.

In short, “personal data” is defined as “information that relates to an identified or identifiable individual”.

Of course, that could be any number of things. How a person can be identified could be as simple as a name, an address or an email. However, you should also remember that there are more technical ways to identify someone, and they’re not always as obvious.

For example, cookies are small text files stored on a computer when someone visits a website. These are used to identify that user and therefore, are classed as personal data. Likewise, an IP address could be classed as personal data.

Context is important here, and it depends a lot on how the data is used and whether it could end up being used to identify someone.

Perhaps a more straightforward way of thinking about it is to consider if the data is “truly anonymous”.

UK law such as the GDPR and DPA does not cover data that cannot be associated with a person and does not have any identifiable traits that could expose an individual’s identity.

Are small businesses exempt from GDPR or the DPA?

The size of your company has no bearing on whether you have to comply with most of the GDPR. There are a few (rare in practice) relaxations in the GDPR for companies that employ less than 250 people.  People have rights under GDPR and these must be considered with the DPA in mind, Whatever size your company is people have data protection rights.

Can I charge people who request their data?

If you process personal data covered by GDPR and the DPA, then it is people’s right to have access to that data.

Importantly, it’s unlikely you can charge for access to that data. The only time a fee may be deemed acceptable is if the request is manifestly unfounded or is  excessive for instance if the person requests further copies of their data within a short time of the first request.

You also need to respond within a month of being requested.

People have other rights under GDPR.

I've received a data request via social media - do I have to respond?

In short, yes.

Requests for access to personal data do not have to be via any formal mechanism such as a written letter.

People can request their data using email, phone or even social media messaging.

I have a web store, what data can I legally store?

When collecting data from clients, you need to ensure the collection and storage of it is lawful, fair and transparent.

You should be totally open with your customers when collecting any data, and be clear with yourself as to why you need it.

For example, when people sign up to use your store, do you really need to know their age or sex? This personally identifiable data might be necessary in some cases (for example when selling restricted items such as alcohol or knives), but if it’s not, then you don’t need to collect it in order to fulfil an order.

However, you’ll notice some stores still do ask for this information because they use it to ‘profile’ their customers, that is, it’s used in marketing so they can provide personalised recommendations.

In these cases, the companies should have a full and robust policy on how that data should be used and the mechanisms in place to allow people to agree with them or opt-out.

There are no hard and fast rules on what data you can store, instead, you need to decide whether that data is “personally identifiable” and apply the necessary checks.

Is there an automated way to comply with GDPR?

Unfortunately, no.

GDPR is complex and complying with it depends entirely on the type of business you are and the type of customers you deal with.

Every business, even in similar industries, can have subtle differences which can have a huge bearing on how they store and handle data, and therefore how they need to comply with GDPR.

What is "Special Category Data"

Data that is particularly sensitive and which if mishandled can cause greater harm is classed as “Special Category Data” and you need to think very carefully before you handle it.

Special category data is classed by the GDPR as:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

You should be very careful about your legal grounds to process such data.  If at all unsure seek professional advice before you process it.

What is a GDPR representative?

The UK GDPR dictates that, in certain circumstances,  companies wanting to process the data of UK citizens must appoint a UK GDPR representative.

Likewise, any company wishing to process the data of EU citizens must comply with the EU GDPR and appoint a EU GDPR representative if they are outside the EEA. This includes companies in the UK now that it has left the EU.

In both cases, the representative will be the point of contact for all communication regarding the collection and use of all data regarding citizens, and the data protection contact for the relevant authorities.

My company is based outside of the UK and the EU, do I need to comply with GDPR?

If you do any business with, or process the information of any citizens based in the EU or the UK, then you will need to comply with either the UK or EU GDPR or, in some cases, both.

This is what Article 3 of the UK/EU GDPR states in these cases:

 This Regulation applies to the processing of personal data of data subjects who are in the Union /United Kingdom by a controller or processor not established in the Union/United Kingdom, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union/ United Kingdom; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union/ United Kingdom.

The two versions of the GDPR aim to protect the data of individuals within the European Union/ United Kingdom, and therefore applies to all companies who deal with citizens based in the EU/ UK.

I’m in the UK, do I need a EU GDPR Representative?

The EU GDPR spells out the reasons why you might need to appoint a GDPR representative:

If you are based in the UK and do not have a branch, office or other establishment in any other EU or EEA state, but you either:

  • offer goods or services to individuals in the EEA; or
  • monitor the behaviour of individuals in the EEA,

Therefore, if you ship any goods to individuals in any countries within the EEA or handle data of people within the EU (such as surveys, CCTV images etc) and you don’t already have a branch or office there, then you need to appoint a GDPR representative.

Where do I appoint my GDPR representative?

You should appoint a GDPR representative in a country in which some of the individuals who’s data you’re processing reside.

Who can be my GDPR representative?

There are many individuals, companies and organisations that are capable of being a GDPR representative, so you should perform research in the country in which you are going to appoint one.   They ought to be experts in the field of data protection law and be used to dealing with individuals and the country’s data regulator.   We can assist you with this.

When you have decided on someone to be your GDPR representative, you simply need a service contract with them to make clear that they will be working on your behalf.

You must then make it clear in your documentation (such as privacy policy on websites) who your representative is.

They will then become the contact should any citizen or member state data regulator wish to discuss any data protection issues.

However, this does not abdicate your responsibilities under GDPR, you and your company will still be responsible and liable for all GDPR actions.