The General Data Protection Regulation (GDPR) has created a lot of questions for business owners and developers when it comes to what changes the GDPR will require. These questions range from simple to very complex, and you might find yourself being left with more questions after you get one answered.

Here are some of the most frequently asked questions related to the GDPR with straightforward, simple answers. If you find yourself wanting or needing more information about a topic, check the rest of our blog posts to get more in-depth and detailed guidance on the GDPR.


When does the GDPR become enforceable?

The GDPR becomes enforceable on May 25th, 2018. If your app or website is under the jurisdiction of the GDPR and not compliant, this should be your #1 priority. Along with updates to the laws, the fines for failure to comply have been increased under the GDPR. To avoid severe fines and other legal burdens, you should get compliant ASAP.

Who needs to comply with the GDPR?

Any company or organization that collects or processes the personal data of individuals who are in the EU must comply with the GDPR. Even if your company has no establishment in the EU, if you offer goods or services to people in the EU or monitor their behaviour (with analytics or advertising cookies, for example), the personal data you collect or process about them is protected by the GDPR.

The GDPR also applies to any company established within the EU, wherever the processing itself takes place.

Do I need to update my current Privacy Policy for the GDPR?

Probably. While it is possible that your Privacy Policy could already be compliant with the new regulations under the GDPR, this is unlikely. The GDPR added or strengthened a large number of existing rules so it is almost certain that you will need to update something in your Privacy Policy to be compliant.

Some common examples include:

  • The GDPR requires that the language used in your Privacy Policy is concise and easy to understand. Unintelligible legalese is no longer acceptable.
  • You must state why you are collecting and processing data and on which lawful basis, as well as how long you will retain that data (or the criteria you use to decide that).
  • Your Privacy Policy must be prominently displayed and easy to access.

There are many other changes in the GDPR from previous privacy laws, but these are some of the most common changes that require updates to Privacy Policies.

How does the GDPR impact my business?

If your business falls under the scope of the GDPR, it's going to mean some changes for you.

In general, here's a quick summary of what you need to be aware of when it comes to the GDPR affecting your business:

  • You'll likely need to update your Privacy Policy with the required content, written in easy-to-read language
  • You may need to change the way you obtain consent for collecting personal information (even simply requesting email addresses for an email newsletter or marketing)
  • You may need a Data Protection Officer (DPO)
  • You need to put procedures in place for the eight rights of data subjects, listed below
  • You'll only be able to collect data that you actually need, and you need a lawful basis and a legitimate purpose for collecting it
  • You'll likely need to start keeping records of consent, data processing activities, etc.
  • You'll need to become familiar with Privacy by Design: building data protection into systems from the start, with privacy-friendly defaults

Depending on whether your business is a data controller or a data processor (or both), different obligations apply. Make this determination accurately and as early as possible.

The GDPR has removed the ambiguity that surrounded consent under earlier rules. Consent is one of several lawful bases for processing (others include performing a contract with the user and complying with a legal obligation), but wherever you rely on consent it must be obtained before you collect or process any personal data from users in the EU, and it must be active. Soft opt-ins are no longer acceptable.

A checkbox or button confirming consent must be clicked by the user, and this must happen before you collect or process their data.

Consent must also be obtained before setting non-essential cookies, as required by the ePrivacy Directive (the EU Cookie Law). Cookies that are strictly necessary to provide a service the user asked for, such as a session or shopping-cart cookie, are exempt.

Consent must be clear, unambiguous and affirmative before any data is collected from or processed about the user. A soft opt-in is where a notice tells the user to read your Privacy Policy, or states that continuing to use the site counts as agreement, but the user never has to take any action to actually consent or opt in.

The GDPR requires an affirmative act, such as clicking a button or ticking a box, rather than the implied consent of a soft opt-in.

Checkboxes, or a pop-up with a button that says "I consent" or "I agree", count as affirmative, interactive consent. If you use a checkbox, it must not be pre-checked: the user should actively tick it. Ask for consent separately from your other terms, ask separately for each distinct purpose (a newsletter and marketing cookies are two purposes), and make withdrawing consent as easy as giving it.

Best practice is to show a pop-up with a consent button when the user first visits your page, and a consent checkbox on registration and subscription forms.

Here's an example of how to use a checkbox to get consent to send an email newsletter:

[Image: Lufthansa email subscribe form with consent checkbox]

Are cookies regulated under the GDPR?

Yes. Under the GDPR and the ePrivacy Directive (the EU Cookie Law), there are specific rules for the use of cookies. Users must give consent before cookies used to track them are placed or read; only cookies strictly necessary to provide a service the user requested are exempt.

A cookie identifier that can single out a user is personal data under the GDPR (its recitals name cookie identifiers and IP addresses as examples of online identifiers), so if you use cookies to track users in the EU you must comply with all of the GDPR's rules on collecting and processing personal data, not just the consent requirement.

What are the penalties for breaking the laws of the GDPR?

The GDPR has increased the maximum penalty for non-compliance to €20 million or 4% of annual global turnover, whichever is higher (a lower tier of €10 million or 2% applies to breaches of obligations such as record-keeping, security and breach notification). A penalty at the top of the range would only be used in extreme cases, but the point is that failing to comply with the GDPR is a serious risk to your company. The cost of becoming compliant with the GDPR is inconsequential compared to the potential fines you could face for breaking it.

What counts as personal information under the GDPR?

Personal data under the GDPR is similar to, but broader than, personally identifiable information (PII) in the United States. The GDPR defines it as any information relating to an identified or identifiable natural person.

This includes things like name, email address and phone number, and also online identifiers such as IP addresses and cookie IDs, location data, and even postal codes, all of which can be personal data under the GDPR.

Essentially, if a piece of information could be used, on its own or combined with other data, to link a data subject to a real person (even if it would be a hard connection to make), it is personal data. Pseudonymised data, such as a user ID that your database can map back to a name, is still personal data; only properly anonymised data falls outside the GDPR.

What are the eight fundamental rights of the GDPR?

  1. The right to be informed gives individuals the right to know how companies are using their personal information. Under the GDPR, companies must be transparent in their practices.
  2. The right of access gives individuals the right to know what information about them is being held and processed by companies, and to obtain a copy of it.
  3. The right to rectification gives individuals the right to have inaccurate or incomplete information corrected and updated.
  4. The right to erasure gives individuals the right to have information held about them deleted and any processing of that information stopped, for example when it is no longer needed for the purpose it was collected for or when they withdraw consent.
  5. The right to restrict processing gives individuals the right to stop or suppress the processing of their personal information while, for instance, its accuracy or the company's grounds for processing are being checked.
  6. The right to data portability gives individuals the right to receive the personal data they provided in a structured, commonly used, machine-readable format (JSON or CSV, for example), and to reuse it or have it transmitted to another service.
  7. The right to object gives individuals the right to object to the use of their personal information for direct marketing, which must then stop, and to object to processing based on legitimate interests or the public interest, including profiling and scientific, historical or statistical research, unless the company can show compelling grounds that override the individual's interests.
  8. The rights related to automated decision-making and profiling give individuals the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them (an automated credit refusal, for example), and to obtain human intervention and contest such a decision.

These eight rights are a cornerstone of the GDPR: they give individuals (data subjects) control over how their personal data is used and how their information is handled by companies.

What is a data controller and what is a data processor according to the GDPR?

You are most likely a data controller or both a controller and processor.

Data controllers decide the purposes and means of processing personal information: why it is collected and how it is handled.

Data processors process personal data on behalf of, and on the instructions of, a data controller.

A company that collects its own users' data and processes it for its own purposes is a data controller, even though it also does the processing; you are only a data processor where you process personal data on behalf of another organization (a hosting provider or an email-sending service, for example).

If you use a third party to process the data of your users, then you are the data controller and that third party is the data processor, and the GDPR requires a written contract between you that sets out the processor's obligations.

Does the GDPR require my company to have a Data Protection Officer?

A company is required to have a Data Protection Officer if it:

  • Is a public authority or body,
  • Has core activities that require regular and systematic monitoring of individuals on a large scale (behavioural advertising or location tracking, for example), or
  • Has core activities that consist of processing special categories of personal data (listed below under "sensitive data") or data about criminal convictions on a large scale

If your company engages in any of these activities and falls under the GDPR, it must appoint a Data Protection Officer. Some member states add their own triggers under national law, so check the rules of each country you operate in.

What constitutes a "large scale" under the GDPR?

While the GDPR does not define "large scale," the guidance from EU regulators (the Article 29 Working Party's guidelines on Data Protection Officers) points to the number of individuals concerned, the volume and range of the data, how long or how permanently the processing goes on, and its geographical extent. An operation involving a large quantity or wide variety of personal information, collection across a large geographical area, collection from a large portion of the population in a given country or region, or extensive collection with potentially lasting effects may well be "large scale."

Most small businesses probably don't need to worry about it, but if there is any doubt it is safer to appoint a Data Protection Officer (the role can be part-time or contracted to an outside provider) and to follow the other obligations that attach to collecting or processing data on a "large scale."

I run a small business. Do I need to comply with the GDPR?

Yes. The GDPR affects the collection and processing of personal data, regardless of the size of the business collecting or processing that data.

Small businesses and even individuals with a website are regulated under the GDPR.

However, there are some exceptions for smaller businesses. For example, if your business has fewer than 250 employees, you aren't required to maintain a record of processing activities you're responsible for, unless the processing is "likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data [...] or personal data relating to criminal convictions and offences."

Note that the other requirements of the GDPR will still apply to your small business, such as having a clearly readable Privacy Policy and obtaining consent.

Have Subject Access Requests changed under the GDPR?

There have been a few changes to Subject Access Requests under the GDPR, most notably:

  • You can no longer charge an administration fee under normal circumstances; a reasonable fee (or a refusal) is only allowed where a request is manifestly unfounded or excessive, such as repeated requests for the same data.
  • Subject Access Requests must be completed within one month of receipt (the previous UK limit under the Data Protection Act 1998 was 40 days). The month can be extended by up to two further months for complex or numerous requests, but only if you tell the individual within the first month.
  • Potential fines have been increased as per the new maximum penalties under the GDPR.

It is beneficial to have a system in place for handling Subject Access Requests: a way to log the date each request arrives, verify the requester's identity, and find every store that holds the individual's data. Do not procrastinate on processing a request, as unforeseen complications and delays could easily push you past the one-month limit, which would expose you to penalties.

Especially if you have not processed Subject Access Requests in the past, you should have a plan and train those involved of their duties to ensure you can respond to a request within the given time frame.

What information does the GDPR require that I provide in response to a Subject Access Request?

A Subject Access Request response generally answers the following:

  • What information about an individual a company possesses
  • What information about an individual is being processed
  • Why this information is being processed
  • Who has access to this data (including any sharing, transferring, and disclosures, and any transfers outside the EU)
  • How long the data will be kept, or the criteria used to decide that
  • Where the data came from, if it was not collected from the individual
  • If this data is being used for automated decision-making or profiling (and if so, the logic involved and its likely consequences)

Under the GDPR, Subject Access Requests must be answered within one month and include answers to the above questions in a concise, intelligible and easily accessible form, along with a copy of the data itself; where the request was made electronically, the copy should be provided in a commonly used electronic format unless the individual asks otherwise.
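As an added example (written for this page, not taken from the original post), here is how the response package and the deadline above can be produced from a controller's own records in Node.js. The sample store, its field names, and the purposes, recipients and retention periods in it are constructed for the illustration; the one-month deadline and the two-month extension are from Article 12(3) of the GDPR.

```javascript
// Added example (not code from the original page): assembling a subject
// access response from a controller's own records and computing the statutory
// deadline. The record layout, purposes, recipients and retention periods are
// constructed for this illustration; a real system would pull them from the
// record of processing activities and from each data store.

// Constructed sample of what a small web shop might hold about one user. Every
// entry carries the context Article 15 asks for alongside the data itself.
const SAMPLE_STORE = {
  'user-42': [
    {
      category: 'account',
      data: { email: 'ana@example.com', name: 'Ana Silva' },
      source: 'provided by the individual at registration',
      purposes: ['account administration', 'order fulfilment'],
      recipients: ['cloud hosting provider (processor)'],
      retention: 'until the account is deleted',
      automatedDecision: null,
    },
    {
      category: 'orders',
      data: [{ id: 9001, total: 42.5, placed: '2018-03-02' }],
      source: 'generated by the individual placing orders',
      purposes: ['order fulfilment', 'accounting'],
      recipients: ['payment processor', 'parcel carrier', 'tax authority (legal obligation)'],
      retention: '7 years after the order (tax law)',
      automatedDecision: null,
    },
    {
      category: 'fraud_score',
      data: { score: 0.12 },
      source: 'derived from order history and device data',
      purposes: ['fraud prevention'],
      recipients: [],
      retention: '12 months',
      automatedDecision: 'orders are held for manual review when the score exceeds 0.8',
    },
  ],
};

// Deadline under Art. 12(3): one month from receipt, extendable by two further
// months for complex or numerous requests (the individual must be told within
// the first month). Calendar-month arithmetic needs care: a request received on
// 31 January is due on 28 February, not 3 March, so the day is clamped to the
// last day of the target month rather than rolled over.
function responseDeadline(receivedAt, extended = false) {
  const received = new Date(receivedAt);
  const due = new Date(received.getTime());
  due.setUTCMonth(due.getUTCMonth() + (extended ? 3 : 1));
  if (due.getUTCDate() !== received.getUTCDate()) due.setUTCDate(0); // rolled over: step back to month end
  return due;
}

// True once the deadline has passed without a response.
function isOverdue(receivedAt, now, extended = false) {
  return new Date(now).getTime() > responseDeadline(receivedAt, extended).getTime();
}

// Builds the response package: one section per category of data, each with
// the purposes, recipients, retention, source and any automated decision
// logic, plus a copy of the data itself in a machine-readable form.
function buildSarResponse(store, subjectId, receivedAt) {
  const records = store[subjectId] || [];
  return {
    subjectId,
    requestReceived: new Date(receivedAt).toISOString(),
    respondBy: responseDeadline(receivedAt).toISOString(),
    holdsData: records.length > 0, // a "we hold nothing" answer is still an answer
    categories: records.map((r) => ({
      category: r.category,
      purposes: r.purposes,
      recipients: r.recipients,
      retention: r.retention,
      source: r.source,
      automatedDecisionMaking: r.automatedDecision
        ? { used: true, logic: r.automatedDecision }
        : { used: false },
      copyOfData: r.data,
    })),
    // The response must also remind the individual of their other rights.
    yourRights: ['rectification', 'erasure', 'restriction of processing', 'objection',
      'data portability', 'lodging a complaint with a supervisory authority'],
  };
}

module.exports = { SAMPLE_STORE, responseDeadline, isOverdue, buildSarResponse };
```

The deadline helper clamps to the end of the month rather than letting JavaScript's `Date` roll 31 January forward to 3 March, which would otherwise silently give you three extra days you do not have. `buildSarResponse` returns plain JSON so the same object can be rendered for the individual and archived as evidence that the request was answered in full.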

Are GDPR regulations different for children and minors?

Where an online service relies on consent from a child under 16 (for example, to collect personal information or to set tracking cookies), that consent must be given or authorised by a parent or guardian. Member states may lower this age to as young as 13, so check the threshold in each country you serve.

There are also additional expectations for companies whose services are specifically aimed at children or minors, including privacy notices written in language a child can understand. It should be made clear whether a website, app, or service is intended for adults or children, to avoid ambiguity that could be interpreted contrary to the company's intention and require the enhanced protection that applies to users under the age threshold.

Appropriate measures should be taken to confirm the age of your users, and to verify parental consent where it is needed. A self-declaration checkbox or birthdate entry may be enough for low-risk services; services that process more data, or more sensitive data, need stricter checks. The GDPR asks for "reasonable efforts" in light of available technology, not perfection.

Does the GDPR require me to register my company?

The GDPR itself has no registration requirement. In the UK, the Data Protection Act 1998 required certain companies to notify (register with) the Information Commissioner's Office; from 25 May 2018 that notification is replaced by a data protection fee under the Data Protection (Charges and Information) Regulations 2018, which most organisations that process personal data must pay. If you were required to register under the old regime, you will almost certainly need to pay the new fee.

If you were already registered under the previous regulation, you should not need to register again: your existing notification stays valid until it expires, and the fee applies from then on.

Are there any restrictions on the collection or processing of personal data under the GDPR?

Yes. There are a few guidelines for how and why personal data should be collected and processed under the GDPR.

Personal data should be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes, and not later used in ways incompatible with them
  • Limited to what is needed for those purposes (data minimisation)
  • Accurate and, where necessary, kept up to date
  • Held in identifiable form only as long as needed
  • Handled securely, with protection against unauthorised access, loss and damage, and only by the personnel who need it

These are some basic guidelines set forth by the GDPR that should be followed.

A special sort of data referred to as "sensitive data" includes the following categories:

  • Race
  • Ethnic origin
  • Political opinions
  • Religious beliefs
  • Philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Data about one's sex life
  • Data about one's sexual orientation

There are special regulations covering the collection and processing of such data under the GDPR. For the most part, these special categories of data should not be collected or processed unless you have a good reason and the individual's explicit consent, or one of the other narrow conditions in Article 9 applies (for example, processing by a health professional under a duty of confidentiality, or data the individual has manifestly made public).

Is the UK still covered under the GDPR after Brexit?

While the UK is leaving the European Union, for the time being it is still a member state, so the GDPR applies there directly. The UK's own Data Protection Act 2018 sits alongside the GDPR and is intended to keep the same standards in force after exit.

That means the UK is currently considered part of the EU and should be treated as such.

Also, the scope of the GDPR extends beyond the EU, affecting any entity that collects or processes the personal data of residents of the EU. This means that even a company in the UK that is no longer part of the EU after the conclusion of Brexit will still be under the jurisdiction of the GDPR if they collect or process personal data from any residents of the EU.

What countries are under the protection of the GDPR?

All countries within the EU are protected by the GDPR. This list currently includes:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • the UK

As mentioned above, the UK is currently still under the protection of the GDPR despite Brexit, so at least for now, consider the UK included.
