Frequently Asked Questions About the GDPR

Here are some of the questions we hear most often, and the answers as we understand them. If you've got a question of your own, add it in the comments at the bottom of the page and we, or another reader, will answer it if we can.

General questions

The only source of information that's guaranteed to be correct at the moment is the final draft of the regulation itself, which can be found here. The first part of that document is actually mostly fairly easy to read, but it isn't written as a guide on how to implement the law.

The Information Commissioner's Office (ICO) is responsible for enforcing the General Data Protection Regulation in the UK, and they have some good guidance on compliance that can be found here.

Everything else you read regarding the GDPR is just someone's interpretation of a law that is yet to be tested in the courts, so approach it with caution. That certainly includes the content on this site, and it even applies to what's written on the ICO site, but, as the ICO will be enforcing the law, their understanding of it will be important to businesses in the UK.

As a rule of thumb, this is the order of trust:

  1. The actual wording of the General Data Protection Regulation
  2. The Information Commissioner's Office's GDPR guidance
  3. Content written by people who aren't trying to sell you something

Approach content written by people trying to sell you something with caution.

Yes, absolutely: the UK government has made it clear that, even after Brexit, Britain will retain data protection laws that match or exceed the requirements of the General Data Protection Regulation, to ensure that UK companies can continue to trade in Europe.

The regulation is intended to allow anyone with an interest in their data to access it. But there are other groups of people who might be interested too, such as your competitors, people with a grievance against you or your organisation, malcontents and aggrieved former employees, to name but a few. Such requests could be made solely to check whether your systems are in place, in the hope of finding an opportunity to get your business into trouble if they are not.

The Information Commissioner's Office (ICO) is responsible for enforcing the General Data Protection Regulation in the UK.

Elizabeth Denham, the Information Commissioner, has stated again recently that the ICO prefers "the carrot to the stick". The ICO is not a punitive organisation, but it's also reasonably certain that organisations that flout the GDPR or deliberately ignore their responsibilities will not be looked upon kindly. Our section on GDPR Penalties and Fines has more on this.

This is one of the biggest areas of confusion, but the answer is categorically yes. The 250-employee rule relates to a reduced record-keeping requirement for the processing of general personal data; read more about that in the Compliance and Accountability section of our detailed guide to the GDPR.

Yes, it definitely does: it applies to businesses of all sizes. Read more about that in the Compliance and Accountability section of our detailed guide to the GDPR.

Data Questions

The GDPR applies to all data about an individual, no matter whether that data relates to members of the public (for example if you're a B2C company) or to staff members of other businesses and organisations you interact with. You can read a lot more about this in the What Data Does The GDPR Apply To? section of our GDPR Detailed Guide.

It does: the GDPR applies to all personal data about an individual that your organisation holds, no matter in what capacity you interact with that individual. You can read a lot more about this in the What Data Does The GDPR Apply To? section of our GDPR Detailed Guide.

In general, no, except "Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character". There's more detail on this in the Individual's Rights section of our detailed guide.

Yes, it absolutely does, although the requirement to keep data up to date does not necessarily apply to the results of historic data processing. You can read more on this in the Data Processing Principles section of our detailed guide.

Yes, it does. Much of the press around the GDPR has focused on how it relates to electronic records and 'big data', but the regulation applies just as much to the contents of your filing cabinets as to the contents of your hard drives. Secure storage of paper records, and restricting access to them, will become even more important under the GDPR.

Software questions

There's no simple answer to this question; it very much depends on what is meant by moving to the cloud. Cloud services like Microsoft Azure are certified as being able to form part of a GDPR compliant IT infrastructure, and that may be a very appealing route for organisations when compared with trying to harden existing on-premises servers. However, an inherently insecure software system, for example one that doesn't require a user to log in or that allows weak passwords, is just as insecure when moved to the cloud, and is now even more dangerous as it is exposed to the whole of the web rather than just to the users on your network.

That being said, redeveloping systems to be cloud-based inherently involves considering the security of the data in great detail, and that is exactly the same thinking that is needed to reduce the chances of data breaches, so redeveloping old legacy applications as cloud-based systems can be a very effective way to bring them up to scratch for the GDPR.

We've heard differing opinions on this, so we asked the ICO. They say that yes, emails containing personal data would indeed be covered by the GDPR.

Yes, a backup tape or other backup medium will potentially contain a lot of individuals' personal data that falls under the GDPR. The deeper question is what a business can sensibly do about that, as there is no way to expunge a single individual from a backup file should a person request to be removed from your organisation's records, or should you no longer have a reason to retain their data.

We expect that the GDPR will be enforced practically here and that, rather than having to devise ways to search through backups, the expectation will be that you keep your backup media securely: either under lock and key if it's a physical medium (such as a tape), or in a secure location that only the appropriate staff have access to if it is a digital backup. In either case, we imagine the requirement will be to keep a detailed log of every time a staff member interacts with those backups.

Despite what software vendors may be keen to tell you, there isn't really any such thing as 'GDPR compliant software', instead software can form part of a GDPR compliant process. The most important part of making any process GDPR compliant is training staff in the principles of data security.

That being said, the GDPR does make specific recommendations (but not hard and fast rules) around the use of encryption. Our recommendation is to ensure that personal data is stored on encrypted hard drives, and that the personal-data columns in the databases behind your software are encrypted too. This means that should someone gain access to your network and steal your databases, the personal data would still be inaccessible to the thief.

Encrypting your data in this way removes the obligation to inform the affected individuals of the occurrence of the data breach. You can read more on this in the Reporting Breaches section of our detailed guide.

It does indeed. For most businesses, this is probably one of the key moments in realising the breadth of the GDPR. The number of spreadsheets of sales leads, sales reports, staff data and reports exported from CRM, accounts and line-of-business systems in any organisation is enormous, and this data will be scattered across every computer, tablet and phone in the organisation... including the old ones sitting in a cupboard at the back of the store room.

A thorough audit of all the data stored on every device in the business should be top of any business's agenda for working towards compliance with the GDPR. Wherever possible, simply delete old spreadsheets that contain personal data; it's far simpler and safer not to have the data at all if it's no longer needed.

It does, but potentially in a different way from the rest of the software in your business. For most software, any personal data stored in the system should be maintained and processed in accordance with the individual's rights and the Data Processing Principles, and this is true for accounting software too. However, the right to be forgotten may apply differently to accounting software, as it is likely to form part of your statutory record-keeping responsibilities. You can read more about this in the Consent And Lawful Data Processing section of our GDPR Guide.

It does indeed: your Customer Relationship Management (CRM) software is probably the place to start when assessing what personal data you are holding about individuals, and especially when considering how you can apply the principle of data minimisation. Most CRM systems have many, many fields for ancillary data about customers (everything from where they went on holiday to the names of their children) that some sales staff will no doubt have been using.

Data related to race and ethnicity brings additional record-keeping responsibilities to organisations of all sizes, so it's particularly important to hold that data only if it is actually needed. But the same goes for all personal data: if you don't need it, get rid of it, and get rid of the fields for storing it too if at all possible, so that people don't start recording that data again later. It's a definite truth of software that if there's a box to enter data in, sooner or later someone will forget they are no longer supposed to use it and fill it in.

There's more about data minimisation in the Data Processing Principles section of our GDPR Guide, and about the different categories of personal data in the What Data Does GDPR Apply To section.

Important: This site describes our current understanding of the General Data Protection Regulation (GDPR).

We are not lawyers, always seek specialist GDPR advice for your organisation.

About Redox Software

At Redox we specialise in producing bespoke software written especially for your business. We can write you a system that can be used on your computer, via the web or on your tablet/phone – or any combination of those - either now or in the future.
