Frequently asked questions

whostolemydata

What is the GDPR?

The GDPR is a data privacy regulation designed to align data privacy laws across Europe and to protect and empower all EU citizens regarding their data privacy. GDPR came into force on 25 May 2018. This regulation is directly binding and creates one single set of data protection law across all 28 European member states. There is a plethora of marketing campaigns referencing GDPR and compliance - and as such the compliance industry is in a state of flux.

Who has to comply with the GDPR?

The GDPR must be complied with by an organisation, entity, company or business that processes personal data. Personal data means any information that, whether combined or discrete, identifies a specific individual - known as the Data Subject. This can be in relation to his or her private, professional or public life. This may be anything from name, home address, photo, email address, bank details, social media posts, websites, medical information, or even an IP address.

Who can use personal data and who takes responsibility for it?

In considering any organisation's role within the context of the GDPR, there are two key roles responsible for data:

Data Processor - Those who maintain and process personal data records.
Data Controller - Those who define how personal data is processed and for what purpose.

The GDPR aims to ensure that any data stored by a Data Controller for lawful purposes is kept secure within its organisation. The Data Processor in turn may only process the data for a lawful purpose and in accordance with the Data Controller's instructions.

How can a claim under the GDPR arise?

GDPR claims can arise from almost any business, company, organisation, or commercial activity that uses or benefits from the collection and processing of personal data. The key change arising from the GDPR legislation is the right for a Data Subject to claim compensation in respect of any breach of the regulations. Crucially, Article 82 stipulates that a Data Subject can claim compensation for any "material or non-material damage". This means that there is no requirement to prove that loss has actually occurred - and brings to light an almost limitless possibility of claims, as data processing activities are construed in the widest sense possible and apply to almost any scenario where an organisation handles personal data. Due to the autonomous and electronic nature of modern data processing activities (for example, payroll, insurance calculations, credit decisions, or security updates), incidents of a data breach or breach of the regulations rarely occur in isolation. This gives rise to a new business stream for high-volume claims processors and solicitors. High-profile cases are already being decided in the English Courts involving Google, and the supermarket chain Morrisons.

How many people could be affected?

Estimates suggest that some 13 million people were affected by PPI claims. GDPR claims are not limited to people who have bought credit cards or financial products - the scope extends to anyone whose personal data has been used in almost any context. The GDPR claims industry has a market potential over 25 times the size of the PPI claims industry - some 300 million people. Any EU citizen, or citizen living in the EU, is a potential claimant.