“Five Commonly Asked Questions Regarding the GDPR”

Are you feeling a little lost about whether the General Data Protection Regulator (GDPR) applies to you? You aren’t alone. There are still many organisations that are only just beginning to realise just how significant the GDPR really is and its potential impact on the way their businesses will operate once the GDPR comes into effect on the 25^th of May 2018.

Fife Chamber member Gilson Gray wanted to share the five (5) questions they come across daily:

1. Do all businesses have to comply?

The GDPR applies to all organisations located within the European Union and will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location. This includes private businesses, public limited companies, public authorities, charities, and unincorporated associations or clubs.

2. Isn’t this just an IT issue?

Absolutely not! It is a common misconception that the GDPR only captures data held in electronic format. The GDPR applies to all personal data regardless of the form in which it is stored. Therefore, it is essential that your organisation reviews, updates, and regularly audits its physical security measures just as often as its electronic security measures. An individual entering your premises and copying information onto a USB key or taking away physical documents containing personal data are equally serious data breaches. From network and information systems security to physical building access control and CCTV footage – the GDPR applies to every instance where personal data may be collected, processed, or stored by your organisation.

3. Just how big are the fines?

The current maximum fine under the Data Protection Act 1998 is £500,000. This will be replaced with a remarkably steep fine of up to €20,000,0000 or four percent (4%) of annual global turnover, whichever is greater. In addition to the statutory penalties that may be levied by the ICO, the GDPR also allows data subjects to seek monetary damages in court from organisations that violate their rights.

4. Can’t I just imply consent?

Consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters. It must be in an intelligible and easily accessible form, freely given, specific, informed and demonstrate an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. It must be as easy to withdraw consent as it is to give it. ​ Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice.

5. What is personal data anyway?

Personal data is any information related to a natural living person or “data subject”, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, expressions of opinion, biometric information, or a computer IP address.

To find our more or to speak to a member of our Data Protection Team, please visit

www.gilsongray.co.uk or call us on 0141 530 2022.