Top 10 GDPR FAQs

The Top 10 General Data Protection Regulation (GDPR) FAQs

Businesses of all sizes need to understand and prepare for the GDPR. To help, we provide answers to some of the most frequently asked questions:

  1. Who does the GDPR apply to?
    ‘Data Controllers’ and ‘Data Processors’ need to abide by the GDPR if they manage the data of EU citizens.
  2. What about Brexit?
    The UK leaves the EU in March 2019, so the GDPR will apply, and will continue to apply to those that sell goods or services to people in EU countries.
  3. Who does the GDPR affect?
    Businesses and organisations within the EU, as well as those outside of the EU that offer goods or services to, or monitor the behaviour of, EU individuals/data subjects.
  4. What is the difference between a regulation and a directive?
    GDPR is a regulation - a binding legislative act. It must be applied in its entirety across the EU. A directive is a legislative act that sets out a goal for achievement.
  5. Will the fines really be enforced?
    Yes. Each Member State will have individual discretion on criminal sanctions for GDPR infringements.
  6. What constitutes personal data?
    Any information relating to a natural person or ‘data subject’ that directly or indirectly identifies that person. It can be anything from a name, email address, bank details, medical information, or a computer IP address.
  7. What consent must be given to process personal data?
    Consent must be provided by an individual/data subject for the processing of their personal data. The request for consent must be in an intelligible and easily accessible form, with the purpose for data processing attached. Inactivity or pre-ticked boxes will no longer constitute consent for the processing of data. Organisations that demonstrate active consent will have a record of how and when this was provided. If consent is removed, there must be evidence to show the related data is no longer processed.
  8. How can we show we are accountable?
    Many organisations have measures in place due to the Data Protection Act (DPA). Others must examine and address current practice for GDPR compliance to show how they adhere, for example by demonstrating the procedures that are in place to protect the data they hold.
  9. Why is a Data Protection Impact Assessment (DPIA) needed?
    To reduce a project’s privacy risks. The assessment identifies the risks that need to be addressed so that they can be mitigated at an early stage.
  10. Do I have to report all personal data breaches?
    Yes, it is mandatory to report a personal data breach that may result in a risk to people’s rights and freedoms.

For further practical advice on the GDPR, read our whitepaper, "GDPR - what you need to know", by signing up to Gravicus Osprey and gaining access to our Resource Centre, which includes further useful documents on GDPR and data management.

Contact Gravicus for an initial data assessment to fully understand your current level of risk exposure. We identify your data risks to help you work towards compliance.

Telephone: 0203 858 0636

Email:  info@

