16 Questions

GDPR Compliance FAQ

Frequently asked questions about GDPR requirements, data protection, and privacy compliance for organizations.

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679, applied since 25 May 2018) is the European Union's data protection law governing how organizations collect, process, store, and share the personal data of individuals in the EU and EEA. It applies to any organization established in the EU, wherever its processing takes place, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour there.

Yes, GDPR has extraterritorial scope (Article 3). It applies to any organization that offers goods or services to individuals in the EU (whether or not payment is required) or monitors their behaviour within the EU, regardless of where the organization is based. A Canadian or American company with EU customers, or a website that tracks EU visitors, must comply with GDPR for that personal data, and if it has no EU establishment it normally also has to designate a representative in the EU (Article 27).

GDPR fines (Article 83) can reach up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious violations, such as breaching the basic processing principles, conditions for consent, data subject rights, or the rules on international transfers. Lower-tier violations, including failures of controller and processor obligations such as security measures, breach notification, and records of processing, can result in fines up to 10 million euros or 2% of global turnover. Supervisory authorities consider factors such as the nature, gravity, and duration of the infringement, intent or negligence, mitigation steps, previous infringements, cooperation, and the technical and organizational measures in place when determining penalties. Fines are not the only remedy: authorities can also order processing to stop or data transfers to be suspended.

Personal data is any information relating to an identified or identifiable natural person (Article 4(1)). This includes obvious identifiers such as names, email addresses, and phone numbers, as well as IP addresses, cookie and device identifiers, location data, biometric data, genetic data, health information, and any data that can be combined with other information to single someone out. Pseudonymized data (for example, records keyed by a hashed user ID) is still personal data as long as the link to the individual can be restored; only data that has been irreversibly anonymized falls outside GDPR.

GDPR defines six lawful bases for processing (Article 6): consent (freely given, specific, informed, and unambiguous), contractual necessity, legal obligation, vital interests, public task, and legitimate interests (which requires a documented balancing test against the individual's interests). Organizations must identify and document the appropriate lawful basis before processing personal data and state it in their privacy notice; switching to a different basis after the fact, for example falling back on legitimate interests once consent is withdrawn, is generally not acceptable. Special category data (health, biometric, genetic, racial or ethnic origin, political, religious, sexual orientation, and similar) additionally requires one of the specific conditions in Article 9.

GDPR grants individuals eight rights (Articles 12 to 22): the right to be informed, right of access, right to rectification, right to erasure (right to be forgotten), right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling. Organizations must respond to data subject requests without undue delay and at the latest within one month of receipt; this can be extended by a further two months for complex or numerous requests, provided the individual is told of the extension and the reasons within the first month.

A Data Protection Officer (DPO) is mandatory (Article 37) for public authorities, for organizations whose core activities consist of regular and systematic monitoring of individuals on a large scale, and for organizations whose core activities consist of large-scale processing of special category data or data relating to criminal convictions and offences. The DPO must be able to act independently, report to the highest level of management, and must not be penalized for performing the role. Even when not required, appointing a DPO is considered good practice for organizations processing significant amounts of personal data.

A Data Protection Impact Assessment (DPIA) is a documented process for identifying and minimizing the data protection risks of a project or processing activity. It is required (Article 35) before processing that is likely to result in a high risk to individuals' rights and freedoms, including systematic and extensive profiling or other automated decision-making that produces legal or similarly significant effects, large-scale processing of special category or criminal offence data, and systematic monitoring of publicly accessible areas on a large scale. Supervisory authorities publish their own lists of processing that always requires a DPIA. If the DPIA shows that the residual risk remains high after mitigation, the organization must consult its supervisory authority before starting the processing (Article 36).

Controllers must notify their supervisory authority within 72 hours of becoming aware of a personal data breach (a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data), unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Article 33). If the full facts are not yet known, an initial notification can be followed by further information in phases. If the breach is likely to result in a high risk to individuals, those affected must also be notified directly without undue delay (Article 34); this obligation does not apply where the data was rendered unintelligible to unauthorized parties, for example through strong encryption with keys that were not compromised, or where subsequent measures have removed the high risk. Processors must notify the controller without undue delay after becoming aware of a breach, and every breach, including those not reported to the authority, must be documented internally with its facts, effects, and the remedial action taken.

The right to erasure (Article 17), commonly called the right to be forgotten, allows individuals to request deletion of their personal data when it is no longer necessary for the original purpose, when consent is withdrawn and no other lawful basis applies, when they object to processing and there are no overriding legitimate grounds, or when the data was unlawfully processed. Organizations must comply unless an exception applies, such as a legal obligation to retain the data, the establishment or defence of legal claims, or freedom of expression. Where the data has been made public or shared with other recipients, the controller must take reasonable steps to inform them of the erasure request, and deletion must extend to backups and processors within a documented, reasonable timeframe.

The ePrivacy Directive (Article 5(3)) requires prior consent before storing or reading information such as cookies on a user's device unless it is strictly necessary for a service the user has requested, and GDPR supplies the standard that consent must meet: freely given, specific, informed, and unambiguous. Cookie consent banners must therefore clearly explain what the cookies are used for, allow granular choices by purpose, not use pre-ticked boxes or rely on continued browsing as consent, and, as EU regulators have consistently required, make rejecting non-essential cookies as easy as accepting them. Non-essential cookies and similar trackers must not be set until consent has actually been given, and withdrawing consent must be as easy as giving it.

Transferring personal data outside the EU/EEA is only permitted through approved mechanisms (Chapter V): adequacy decisions for countries the Commission has found to offer essentially equivalent protection, Standard Contractual Clauses (SCCs), Binding Corporate Rules for intra-group transfers, or, for occasional cases, the specific derogations in Article 49. The Schrems II ruling (July 2020) invalidated the EU-US Privacy Shield and made clear that SCCs alone are not enough where local law undermines them: exporters must assess the destination country's laws and apply supplementary measures, such as encryption with keys held only in the EU, where needed. In July 2023 the Commission adopted an adequacy decision for the EU-US Data Privacy Framework, which covers transfers to US organizations certified under that framework; transfers to other US recipients still rely on SCCs with a transfer impact assessment.

Privacy by design (Article 25) requires integrating data protection into system design and business practices from the outset, not as an afterthought: for example, minimizing the data collected, pseudonymizing where the purpose allows, and defining retention periods and access controls at design time. Privacy by default means that, without any action by the user, a system must process only the personal data necessary for each specific purpose, in terms of the amount collected, the extent of processing, the retention period, and who can access it; opt-outs that the user must find and switch off, or profiles that are public unless restricted, do not meet this standard.

When receiving a Data Subject Access Request (DSAR), verify the requester's identity using information proportionate to the request (do not demand more personal data than you need), search all systems where their personal data may be held, including backups, logs, and data held by processors, and respond without undue delay and at the latest within one month, extendable by two further months for complex or numerous requests if the individual is informed within the first month. Provide a copy of the data in a commonly used electronic format, along with the purposes of processing, the categories of data, the recipients, the retention period, the source of the data, and the existence of any automated decision-making. The response is free of charge, unless a request is manifestly unfounded or excessive, and must not disclose other people's personal data. Have documented procedures and trained staff so that requests arriving through any channel (email, support ticket, social media) are recognized and handled consistently.

Organizations must maintain Records of Processing Activities (RoPA) under Article 30, documenting each processing activity with its purposes, the categories of data subjects and data, recipients (including processors and recipients in third countries), the transfer mechanism used, retention periods, and a general description of the security measures in place; processors must keep a corresponding record of the processing they carry out for each controller. Organizations with fewer than 250 employees are exempt only if their processing is occasional, is unlikely to result in a risk to individuals, and does not involve special category or criminal offence data, which in practice excludes most businesses. In addition, keep records of consent, data protection impact assessments, breach logs and notifications, data subject request responses, and contracts with processors, since these are the evidence supervisory authorities ask for when assessing accountability.

GDPR fully applies to employee personal data. Employers must have a lawful basis for each processing purpose (typically contractual necessity, legal obligation, or legitimate interests), provide privacy notices to staff, implement appropriate security measures, and respect employee data subject rights. Consent is generally not a valid basis for employee data because the power imbalance in the employment relationship means it is rarely freely given. Workplace monitoring (email, device, or location tracking) is high-risk processing that normally requires a DPIA and must be proportionate and transparent, and Member States may impose additional rules on employment data under Article 88.