Expert Advice Community

Questions on EU GDPR

Guest user Created:   Aug 30, 2019 Last commented:   Aug 30, 2019

1. Are there any limitations to the applicability of the GDPR?

2. Do all companies need to register to the data protection authority?

3. What are the security requirements for personal data?

4. Are there any company certifications available for compliance with the GDPR?

Expert
Andrei Hanganu Aug 30, 2019

1. Are there any limitations to the applicability of the GDPR?

The EU GDPR applies to all companies processing personal data regardless of their size. There are however some exemptions for small companies.

For example, you only need to keep an inventory of your processing activities according to art. 30 if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.

2. Do all companies need to register to the data protection authority?

Registering with the Supervisory Authority is now subject to local laws because the EU GDPR leaves this to the Member States. Depending on where your company is located, you should check the website of the relevant Supervisory Authority.

3. What are the security requirements for personal data?

The GDPR applies the same broad security obligation as the old Data Protection Directive, requiring controllers and processors to take appropriate technical and organizational measures to protect their systems.

This broad obligation is supplemented by additional obligations to take the following steps, where appropriate: a) the pseudonymization and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of its information technology systems; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

These are not mandatory obligations. Instead, they only apply “where appropriate”, thus indicating they may not be needed in all cases.

If you want to learn more about security measures check out this Security Awareness Training (https://advisera.com/training/awareness-session/security-awareness-training/).

4. Are there any company certifications available for compliance with the GDPR?

According to the EU GDPR, it is possible to demonstrate compliance by signing up to a Code of Practice or becoming certified. The Supervisory Authorities are the ones that need to approve such codes of practice and certifications; however, there are none available yet.

If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
