The General Data Protection Regulation (GDPR) has been at the forefront of data privacy since it became applicable in 2018. The law is known for its strict approach to personal data and for the size of the fines it allows. Businesses often struggle to implement GDPR requirements because so many practical questions remain unanswered. This post addresses the 16 most common GDPR questions, so that compliance no longer feels like swimming against the tide.

16 frequently asked GDPR questions and answers

If you are looking for answers to your questions related to GDPR compliance, you are at the right place. 

1. What is GDPR and who does it apply to?

GDPR is a data protection regulation adopted by the European Parliament and the Council to protect the right to the protection of personal data, enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. It protects individuals who are in the EU, regardless of their citizenship.

It empowers data subjects with rights over their data and requires businesses to follow data-protection-by-design-and-by-default principles, have a lawful basis for processing, be transparent about data practices, and notify personal data breaches.

The law has an extra-territorial reach and applies to:

  • All organisations established in the EU (and, through the EEA Agreement, in Iceland, Liechtenstein and Norway), whether or not the processing itself takes place there
  • Organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour within the EU

The key factor in determining whether you target individuals in the EU is intention: for example, marketing in the language of an EU member state, accepting payment in the euro or another member-state currency, or mentioning EU customers. Mere accessibility of a website from the EU is not enough.

2. What constitutes personal data under GDPR?

Any information that is capable of identifying a living person can be termed personal data. Here are some examples:

  • Name
  • Email address
  • Phone number
  • IP address
  • Location
  • Gender
  • Race
  • Ethnicity
  • Religious beliefs


3. What parties are involved in GDPR?

GDPR mainly involves 3 parties, namely, the data subject, data controller, and data processor. 

  • A data subject is the identified or identifiable natural person to whom the personal data relates. For example, when a customer gives their name and contact number to book a table at a restaurant, the customer is the data subject.
  • A data controller is the natural or legal person that determines the purposes and means of processing the personal data. In the above example, the restaurant is the data controller.
  • A data processor processes personal data on behalf of, and on the instructions of, the controller. For example, a reservation application the restaurant uses to take bookings is a processor for the restaurant.

4. What are the penalties for non-compliance with GDPR?

The GDPR prescribes a two-tiered scale of administrative fines depending on the provisions violated.

For the most serious infringements, such as processing without a lawful basis or valid consent, violating data subject rights, or making unlawful cross-border transfers, fines can reach 20 million EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For the lower tier, such as failing to implement data protection by design and by default, failing to keep records of processing, or failing to notify a breach, fines can reach 10 million EUR or 2% of worldwide annual turnover, whichever is higher. Supervisory authorities can also issue warnings and reprimands and order processing to stop.

5. What rights do data subjects have under GDPR?

GDPR confers the following rights to data subjects:

  • Right to be informed: The individuals whose data is being processed have the right to receive information about the processing, including the types of data being collected, the reasons for the collection, and the duration for which the data will be kept by the controller.
  • Right to access: Individuals can access a copy of their information handled by the business.
  • Right to rectification: They can also request the data controllers to correct any inaccuracies or incomplete information.
  • Right to erasure: Also called the right to be forgotten, it lets data subjects request deletion of their personal data where one of the grounds in Article 17 applies, for example when the data is no longer necessary for the purpose it was collected for, or when they withdraw the consent the processing relied on.
  • Right to restriction: It allows individuals to limit/ restrict controllers from processing their personal data under certain conditions such as when the processing is unlawful or the data is no longer required.
  • Right to data portability: Data subjects who provide their personal data to the controller have the right to receive their data in a machine-readable and portable format if the processing is automated and based on their consent or contract.
  • Right to object: Individuals have the right to object to processing their data under specific circumstances such as when used for direct marketing, public tasks or legitimate interest.
  • Rights regarding automated decision-making: They also have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, except where the decision is necessary for a contract, authorised by law, or based on their explicit consent.

6. How do I obtain valid consent under GDPR?

Consent is a significant legal basis for processing because GDPR follows an opt-in model. You can process personal data on the basis of consent only if the data subject gave it without coercion, pressure or undue influence by the data controller. In short, they must have a real choice, and they must be able to withdraw consent as easily as they gave it.

Consent under GDPR is defined as a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action, that signifies agreement to the processing of their personal data. For special categories of data (see question 15) the consent must additionally be explicit.

Some GDPR-compliant ways to obtain valid consent include:

  • Obtaining signatures
  • Providing unticked checkboxes
  • Giving Yes or No buttons
  • Placing Accept or Reject buttons. 

GDPR does not allow businesses to infer consent from silence or inaction, such as pre-ticked boxes, closing the consent request, scrolling or continuing to browse, and consent obtained through dark patterns is not freely given.

7. What do you mean by a legal basis of processing?

A legal basis of processing is the foundation of GDPR compliance: it is the justification that allows a processing activity to take place at all, and it must be identified and documented before the processing starts.

Processing of personal data is only permissible if there is a legal basis. The following are the six lawful/legal bases of processing:

  • Consent
  • Contract
  • Legitimate interest
  • Legal obligation
  • Public task
  • Vital interests


8. Can I process personal data without consent?

The short answer is yes. You can process personal data if you meet any of the six legal bases. For example, to fulfil a contractual obligation or to enter into one. Another example is to comply with a legal requirement/obligation such as a court order.

Businesses also use legitimate interests as a legal basis. This requires a balancing test: the controller's (or a third party's) interest must be real and lawful, the processing must be necessary for it, and it must not be overridden by the data subject's interests, rights and freedoms. That is easier to show when the processing is within the reasonable expectations arising from the relationship between controller and data subject. Recital 47 gives fraud prevention and direct marketing as examples of possible legitimate interests, although direct marketing always remains subject to the right to object.

9. Is there a way to meet GDPR compliance without a cookie pop-up?

This is a very popular GDPR question on the internet, on Reddit and elsewhere.

A cookie pop-up, or cookie banner, is a message that informs visitors about the cookies and similar technologies you use on your website and lets them choose. It enhances transparency, builds trust, and allows website visitors to make informed decisions.

Though it can be frustrating for at least some users, a cookie pop-up is significant under the GDPR and the ePrivacy Directive. Article 5(3) of the ePrivacy Directive requires prior consent, meeting the GDPR's standard for consent, before any non-essential cookie is stored on or read from a user's device.


However, if you are confident that you only deploy strictly necessary cookies (for example a session cookie or a CSRF token), you do not need a consent banner, because such cookies are exempt from the consent requirement. You still need to inform users, so provide a cookie policy or a dedicated cookies section in your privacy policy. In practice, most sites use at least some non-essential cookies (analytics, advertising, embedded media), so verify what your site actually sets before assuming you are exempt.
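The consent rules from questions 6 and 9 (non-essential cookies stay off until an affirmative act, closing the banner is not consent, unticked boxes mean no, and the choice is recorded so it can be demonstrated later) can be enforced in a small consent gate. The following is an added example written for this post, not code from the original article or from any consent-management product; the cookie names, categories and function names are hypothetical, and the catalogue is a constructed sample.

```javascript
// Added example (not from the original post): a minimal opt-in consent gate
// for non-essential cookies. Every category other than "necessary" starts OFF
// and stays OFF until the visitor takes an affirmative action; closing the
// banner is not consent. Function and cookie names are hypothetical.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const NOTICE_VERSION = "2024-05"; // bump when the cookie notice changes

// Constructed sample catalogue of the cookies a site might set.
const COOKIE_CATALOGUE = [
  { name: "session_id", category: "necessary" },
  { name: "csrf_token", category: "necessary" },
  { name: "_ga", category: "analytics" },
  { name: "ad_id", category: "marketing" },
];

// Opt-in model: before any choice only strictly necessary cookies are allowed.
function defaultConsent() {
  return {
    necessary: true,
    analytics: false,
    marketing: false,
    action: null,        // which button the visitor pressed, if any
    recordedAt: null,    // ISO timestamp, kept as evidence (accountability)
    noticeVersion: null, // which version of the notice the visitor saw
  };
}

// Returns the new consent state after a visitor interaction.
function applyAction(state, action, choices = {}, now = new Date(), version = NOTICE_VERSION) {
  const next = { ...state };
  switch (action) {
    case "accept_all":
      for (const c of CATEGORIES) next[c] = true;
      break;
    case "reject_all":
      for (const c of CATEGORIES) next[c] = c === "necessary";
      break;
    case "save_choices":
      // Per-category choice from unticked checkboxes: a missing or non-true
      // value means the box was left unticked, i.e. no consent.
      for (const c of CATEGORIES) next[c] = c === "necessary" || choices[c] === true;
      break;
    case "dismiss":
      // Closing the banner, scrolling or continuing to browse is not an
      // affirmative act: nothing changes and no consent record is written.
      return state;
    default:
      throw new Error(`unknown consent action: ${action}`);
  }
  next.action = action;
  next.recordedAt = now.toISOString();
  next.noticeVersion = version;
  return next;
}

// Names of the cookies that may be set under the given consent state.
function allowedCookies(state, catalogue = COOKIE_CATALOGUE) {
  return catalogue.filter((c) => state[c.category] === true).map((c) => c.name);
}

// Gate for a single cookie write. Cookies not in the catalogue are treated as
// non-essential, so the gate fails closed rather than open.
function canSetCookie(state, name, catalogue = COOKIE_CATALOGUE) {
  const entry = catalogue.find((c) => c.name === name);
  return entry !== undefined && state[entry.category] === true;
}

// Show the banner again if there is no record or the notice has changed.
function needsReconsent(state, version = NOTICE_VERSION) {
  return state.action === null || state.noticeVersion !== version;
}

// Walk-through: a visitor who dismisses the banner gets only necessary cookies.
const visitor = applyAction(defaultConsent(), "dismiss");
console.log(allowedCookies(visitor)); // session_id and csrf_token only
```

In a browser you would persist the returned state (a first-party consent cookie is itself strictly necessary and needs no consent), call `needsReconsent` on every page load to decide whether to show the banner, and route every cookie write and every tag-manager trigger through `canSetCookie`. The important properties are that the default is deny, that "dismiss" produces no record at all, and that a changed notice version forces a fresh choice rather than silently reusing an old one.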

10. Where to start GDPR compliance for a new company or a non-compliant one?

Navigating GDPR requirements and implementing compliance measures can be a challenging task for startups. But let us remind you that it can be a valuable investment.

Here are some key considerations to start with GDPR compliance. 

  • Legal awareness: Get familiar with the law. You can start with blogs and other resources, consult a legal professional, or appoint an official responsible for ensuring compliance. 
  • Data audit: Map your data flows and maintain an up-to-date record of your processing activities (Article 30). Organisations with fewer than 250 employees are exempt from the formal record unless the processing is likely to result in a risk, is not occasional, or involves special categories or criminal conviction data, but keeping the record is a recommended practice for all.
  • Lawful basis: Justify your data processing activities with one of the six lawful bases of processing.
  • Data security: Implement security measures at organisational, physical, and technical levels. Examples include pseudonymisation, encryption, strong passwords, and training employees on GDPR.
  • Maintain transparency: Conspicuously provide an easy-to-understand privacy policy containing information on the types of data you collect, the purposes for collecting it, with whom you will share it, how long you keep it, the data subject rights and how they can be exercised, and how to contact you (and your DPO, if any).


  • Data subject access requests: Understand and validate the rights conferred upon data subjects. Provide convenient request mechanisms such as toll-free numbers, dedicated and active email addresses, web forms, etc.
  • Impact assessments: Carry out a data protection impact assessment (DPIA) before any processing that is likely to result in a high risk to individuals, for example large-scale processing of special categories such as racial or ethnic origin or religious beliefs, or systematic monitoring. Prioritise risk mitigation measures wherever applicable, and consult the supervisory authority if a high risk remains after mitigation.


11. Is appointing a DPO mandatory?

Appointing a Data Protection Officer is mandatory only under the following conditions (Article 37):

  • If you are a public authority or body (except courts acting in their judicial capacity)
  • If your core activities require regular and systematic monitoring of data subjects on a large scale
  • If your core activities consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences

Even if not required by law, appointing a DPO is a good practice.

12. How do I handle data breaches under GDPR?

Once you become aware of a breach, the next 72 hours are crucial under GDPR, because that is the deadline for notifying the supervisory authority. Here are some steps to handle your breaches in the best way possible:

Confirm and contain: Identify and confirm that a personal data breach has occurred. Take the necessary steps to contain it and reduce the risk: isolate affected systems from unaffected ones, revoke or rotate compromised credentials and keys, and restrict access to the compromised data, while preserving logs and other evidence for the investigation.

Assess and mitigate: Collect information about the breach, including when it started, when it was detected, which categories of data and roughly how many data subjects are affected, and the likely cause. Assess the risk to individuals and implement remedial measures.

Notify: Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; if you miss the deadline, give the reasons for the delay. If the breach is likely to result in a high risk, also inform the affected individuals without undue delay. Processors must notify their controller without undue delay. Document every breach, including those you decide not to report, so that you can demonstrate compliance.

Review: Sit back and discuss with the team why the incident occurred and how it could have been avoided. The review process is crucial as it provides insights into the data breach, the steps taken, successes and failures, and promptness in addressing the breach.

13. What are the 7 GDPR requirements?

The following are the seven principles of Article 5 GDPR, often called the 7 GDPR requirements:

  • Lawfulness, fairness, and transparency: Have a lawful basis for processing, do not process personal data in a way that goes beyond what the data subject would reasonably expect, and inform them about the processing activities.
  • Purpose limitation: Collect personal data for specified, explicit and legitimate purposes and do not further process it in a way that is incompatible with those purposes.
  • Data minimisation: Do not collect personal data unnecessarily; limit it to what is adequate, relevant and necessary for the specific purpose.
  • Accuracy: Keep the data accurate and up to date, and correct or erase inaccuracies without delay.
  • Storage limitation: Do not retain personal data in identifiable form for longer than necessary for the purposes.
  • Integrity and confidentiality: Protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational security measures.
  • Accountability: Be able to demonstrate compliance with the principles above, so document your compliance measures and the decisions behind them.

14. Is the “accept cookies or pay” business model GDPR-compliant?

By now, at least some of you might have come across cookie banners that ask for payment as the alternative to accepting cookies. The legal validity of such models is still a grey area; neither the GDPR nor the ePrivacy Directive expressly mentions them. The EDPB's 2024 opinion on "consent or pay" models used by large online platforms does not rule the model out outright, but it states that in most cases offering only a paid alternative will not lead to valid, freely given consent.

The opinion also raises concerns about personal data becoming a commodity, and says that such platforms should offer a free equivalent alternative without behavioural advertising alongside the paid option, so that the choice is a genuine one.

Here is a simple example of the 3 choices:

  • Agree to all analytical and behavioural monitoring cookies [Unpaid]
  • Pay and decline analytical and behavioural monitoring cookies [Paid equivalent alternative]
  • Agree to limited analytical cookies [Additional unpaid alternative without behavioural monitoring]

15. What is the difference between personal data and sensitive data under GDPR?

Personal data is any information that can identify a living individual. Examples include:

  • Names
  • Unique identification numbers
  • Email addresses
  • Location
  • Physical address
  • Contact numbers
  • Online identifiers such as IP addresses and cookie IDs

GDPR creates a sub-category of personal data that requires extra protection known as special categories of personal data or sensitive data. Breaching their confidentiality can adversely affect data subjects, leading to risks such as discrimination or interference with fundamental rights.

Sensitive data includes personal data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data, and biometric data processed to uniquely identify a person
  • Health data
  • Sex life or sexual orientation

Processing of these categories is prohibited unless one of the exceptions in Article 9(2) applies, such as the data subject's explicit consent.

16. Is GDPR training mandatory for employees and management?

In practice, yes. GDPR does not list staff training as a stand-alone obligation, but if your business handles the personal data of individuals in the EU you must implement appropriate technical and organisational measures (Article 32) and be able to demonstrate compliance (Article 5(2)), and staff who do not know the rules cannot apply them.

Where a DPO is appointed, Article 39 explicitly lists raising awareness and training the staff involved in processing among the DPO's tasks. Read together with the EDPB guidelines, GDPR training is an inevitable part of GDPR compliance.