Page 1 - TASIS GDPR FAQs
DRAFT: TASIS GDPR FAQs
FAST FAQ .......................................................................................................................................................... 3
What is the GDPR? .................................................................................................................................. 3
Who needs to know about the GDPR? ................................................................................................... 3
When will the GDPR come into effect? .................................................................................................. 3
What are the main principles that GDPR is based upon? ...................................................................... 3
What is the “Accountability Principle” related to GDPR? ...................................................................... 4
What is “Privacy by design”? .................................................................................................................. 4
COMPREHENSIVE FAQs .................................................................................................................................... 5
What rights must organisations enable under the GDPR? ..................................................................... 5
I have heard something about a right to be forgotten. What does this mean?..................................... 5
How much can organisations be fined for noncompliance? .................................................................. 5
How do I know if the data that my School is processing is covered by the GDPR?................................ 5
How would my School be impacted if I share EU personal data with a company that is not GDPR compliant? .............................................................................................................................................. 6
What, specifically, is deemed Personal Data? ........................................................................................ 6
What are Special Categories of Personal Data? ..................................................................................... 7
How does the GDPR apply to children? .................................................................................................. 8
Do we need to ask for consent to collect, store and process personal data from my employees and my customers?........................................................................................................................................ 8
Do I always need consent? ..................................................................................................................... 8
Is parental consent always required when collecting or processing children’s personal data? ............ 8
Do I always need consent for marketing and does it have to be opt in or can it be opt out? ............... 9
What ways can we justify the processing of personal data?.................................................................. 9
What lawful bases of processing should I use? .................................................................................... 10
The School has offices and personnel outside Europe. Do I only need to cover personnel in Europe? .............................................................................................................................................................. 10
Am I allowed to transfer data outside of the EU? ................................................................................ 10
Under what basis does the School facilitate the transfer of personal data outside of the EU? .......... 10
The School is based in the UK. What does that mean in the context of Brexit? .................................. 11
What are Data Processors and Data Controllers? ................................................................................ 11
Does the GDPR apply to both Controllers and Processors? ................................................................. 11
I have data retention requirements through compliance. Do these override the right to erasure? ... 11
How does the GDPR change our response to personal data breaches? .............................................. 12
How can we prevent data breaches? ................................................................................................... 12
If there is a breach relating to data, presumably I will have to report it once this has been fully investigated?......................................................................................................................................... 13
As long as I comply with the new regulation, if there is a deliberate breach by an employee the