Making Sense of GDPR: Frequently Asked Questions

By Chris Combs

In May of 2016, the European General Data Protection Regulation, or GDPR, came into force. Two years later, on May 25, 2018, the new GDPR regulations will be applicable to all businesses, whether those businesses are prepared for the changes or not.

With a little over a month to go before the changes take effect, there is still much confusion as to what the GDPR does and does not require. With this in mind, we thought we’d take a look at some of the most common questions our clients still have regarding compliance.

Q: Do I have to gain consent from the data subject to process their personal data?

A: According to Article 6(1)(a) of the new ruling, consent is just one of the legal bases that may be used to process personal data. There are a few other instances where personal data can also be processed:

  1. When there is a legal obligation to process the data, as in the case of an employee submitting data to a tax authority.
  2. In order to meet contract obligations to which the data subject is a party.
  3. When legitimate interests must be met, such as marketing goals or commercial interests. The caveat here is that the legitimate interest must outweigh any detriment to the privacy of the data subject.

Q: Does the GDPR require that we encrypt personal data at rest?

A: You’ll be happy to hear this is a bit of a GDPR myth that has been floating around. The reality is no such encryption has been mandated by the new regulations. The GDPR requires that each organization take the necessary technical and organizational security measures appropriate to the risks presented (Article 32(1)). In some instances, encryption at rest may in fact be necessary, but it is in no way a mandate set forth by the GDPR.

Q: Does the GDPR require us to store European personal data only within Europe?

A: You are not obligated by the GDPR to store information in Europe. That being said, it should be noted that transfers of personal data outside the European Economic Area (EEA) typically require a valid transfer mechanism be in place to protect the data once it leaves the EEA.

Q: Does the GDPR prohibit profiling and automated decision-making?

A: This is one of the more gray areas of the new regulations. To answer the question, no, profiling of EU consumers and automated decision-making involving their personal data is not prohibited. However, these activities may be subject to certain conditions, particularly when these automatic decisions greatly affect the data subject. Under these conditions, the following is required:

  • The data subject must be provided with meaningful information about the decision and any potential consequences for them.
  • In some instances, the data subject may request that a real, live human being be involved in the decision-making process (Article 22(3)). Beyond this, a data protection impact assessment may also be required.

Q: What does “the right to be forgotten” mean?

A: You may have heard that EU data subjects have an absolute right to have their personal data deleted upon request. This is also known as having “the right to be forgotten.” While this is true in some cases, it is not necessarily an absolute right.

According to Article 17 of the GDPR ruling, data deletion is subject to certain limitations. For instance, if the processing of a subject’s data is necessary for compliance with a legal obligation, the data subject cannot make this request. Conversely, data subjects do have an absolute right to stop their personal data from being processed for direct marketing purposes.

Q: Do we need to include a data protection officer in our processes from now on?

A: No, a data protection officer is only required by the GDPR under certain circumstances:

  • You are a government institution.
  • You process sensitive data (health data for instance) as part of your core activities.
  • You systematically monitor subjects (or track some form of behavior either via cameras or software) as part of your core activities.

Q: If my business is outside of the EU, am I still subject to the regulations mandated by the GDPR?

A: This is probably the question we hear most from clients. Regardless of whether you’re located in the United States, Taiwan, or anywhere in between, the GDPR applies to your business if you offer goods or services to people in the EU or monitor their behavior, for example by placing cookies on the devices of EU individuals.

LinkSquares wants to ensure our clients are ready for May 25th, which is why we have provided a free eBook to get you ready. Download your copy of “GDPR Regulations – Everything Legal and Finance Teams Need to Know” today.
