Expert Advice Community

A few EU GDPR questions before implementation

Guest user Created:   Dec 31, 2019 Last commented:   Dec 31, 2019

Dear experts

There are some issues regarding GDPR that I would appreciate your help with.

1. Does every company need to have an Inventory of processing activities?

2. How about a DPO?

3. How does the GDPR apply to companies outside Europe?

4. What is the biggest fine so far?

5. Which would be the best way to present to the management the need to implement GDPR?

6. How much time would it take a small company?

Thanks


Expert
Andrei Hanganu Dec 31, 2019

1. Does every company need to have an Inventory of processing activities?

An Inventory of processing activities is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.

2. How about a DPO?

Appointing a DPO is mandatory if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offenses referred to in Article 10 of the EU GDPR. If you want to find out more about the duties of the DPO, check out this free webinar, Role of the DPO according to EU GDPR (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).

3. How does the GDPR apply to companies outside Europe?

The EU GDPR will apply to the processing of personal data of EU data subjects, regardless of whether the processing activities take place in the EU or not. The EU GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behaviour of individuals in the Union (i.e., profiling activities, tracking individuals’ activities on the internet, etc.).

The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case the processing does not take place “in the Union,” nor is the individual “in the Union”.

4. What is the biggest fine so far?

The biggest GDPR fine to date amounts to 123 million Euro and was issued to Marriott.

5. Which would be the best way to present to the management the need to implement GDPR?

You can find a free presentation on the importance of complying with the EU GDPR at https://info.advisera.com/eugdpracademy/free-download/why-is-privacy-important-for-our-company-awareness-presentation.

6. How much time would it take a small company?

The time depends on the size of the company as well as on the complexity of their processing activities. You can find a duration calculator at https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/
