Our data privacy FAQs

Our most popular questions are below.

If your question isn’t answered by the FAQs below, we suggest that you contact us directly using the details on this web site.

Frequently asked questions

We get asked many questions about data protection legislation and information security.

Data protection legislation has existed in the United Kingdom for over twenty years.  However, the 2018 update to the legislation has placed far more emphasis on compliance, because of the penalties that can now be imposed on organisations found to be non-compliant.

Information security has also become more important, partly because of those penalties and partly because of the rapid growth in cyber-related crime and the threats that come with it.

What's the difference between EU GDPR and UK GDPR?

The United Kingdom General Data Protection Regulation (UK GDPR) is essentially the same law as the EU GDPR; it was initially changed only to accommodate domestic areas of law after Brexit.

It was drafted from the EU GDPR text and revised so as to read “United Kingdom” instead of “Union” and “domestic law” rather than “EU law”.

This means that the core definitions and legal terminology now familiar from the EU GDPR, such as personal data, the rights of data subjects, and controllers and processors (together with their need for a lawful basis for processing, such as consent), are all to be found in the UK GDPR.

However, the UK GDPR does expand on, and deviate from, the EU GDPR in ways that change the legal landscape of data protection in the UK.

These changes are made by the UK government’s Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the DPPEC Regulations).

These regulations reshape the EU GDPR into the domestic UK GDPR, and also amend the Data Protection Act 2018.

What are the potential penalties of having a data breach?

In nearly all organisations the risk exposure from a data breach is high.  Under the UK GDPR the maximum financial penalty is 2% of global annual turnover or £8.7 million for the lower tier of infringements (which includes the security obligations in Article 32), and 4% of global annual turnover or £17.5 million for the higher tier (which includes the data protection principles and data subject rights); in each case the higher of the two figures applies.  A breach can also give rise to enforcement notices from the regulator and compensation claims from the individuals affected.

Therefore, you should be ensuring that you are compliant with the legislation and that you are also doing everything reasonably possible to mitigate the risk of a data breach.

Do I legally require a Data Protection Officer (DPO)?

Many organisations are legally required to appoint a Data Protection Officer (DPO).  The criteria are listed on the Information Commissioner’s Office (ICO) website.

In summary, you are required to appoint a DPO if you are a public authority, if your core activities involve large-scale, regular and systematic monitoring of individuals, or if your core activities involve large-scale processing of special category data or criminal offence data.

In most other cases, if you are processing personal data it is at the very least a ‘best practice’ requirement to appoint a DPO.

How do we become GDPR compliant?

This is a very common question, but the answer is not straightforward.

There is no set checklist of things that an organisation has to do in order to demonstrate compliance.

Of course, all of the articles within the legislation have to be complied with, but the method of compliance will differ from organisation to organisation.

We suggest taking our GDPR compliance training course where we explain what is involved in more detail.  In summary, a compliance framework of documentation, processes and technology requirements form the basis of a compliant approach to managing personal data aligned to the legislation.

Obviously, Data Privacy Services can support you on your journey.

Do small businesses have to be compliant?

The simple answer is ‘yes’: all organisations that process personal data have to be compliant, and there are no exemptions for small businesses.

All businesses that process personal data should therefore ensure that they comply with every article of the legislation.

What is personal data?

Personal data is any information relating to an identified or identifiable living individual (i.e. not a deceased person); it is often referred to as ‘Personally Identifiable Information’ (PII).

Typically, this information includes name, address, phone number, email address, tax reference numbers, passport number, bank account information, etc.

Can I enable my organisation to be compliant or do we have to outsource the work?

Yes, assuming that you have the time, knowledge and access to the right documentation.

However, being candid, it is often difficult to interpret the legislation and apply its requirements to your own business.

Our training course on GDPR compliance will greatly assist this, however hiring a professional consultancy such as Data Privacy Services will make this simpler and less of an overhead on internal staff members.

What information security requirements need to be addressed?

Again, this will vary depending upon the processing that you do and the way that you do it.

The legal requirement (Articles 5 and 32) is that organisations implement ‘appropriate technical and organisational measures’ to keep personal data secure, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks to individuals.

In pragmatic terms, this means that the measures you put in place must be proportionate to the risk: what is technically feasible and financially reasonable for your organisation, given the data you hold.

The consequences of failing to do so are as follows:

  1. You can be fined up to £17.5 million or 4% of your global group turnover, whichever is the higher.
  2. Individuals in the organisation can face litigation if found to have been negligent.

The regulator regularly publishes details of fines imposed and audits undertaken on its website.

Do we have to comply with a Data Subject Access Request (DSAR)?

The simple answer is ‘yes’, unless an exemption applies to the request or to some of the information requested.

All requests have to be reviewed and responded to within one calendar month.  Where a request is complex, or you have received a number of requests from the same individual, this period can be extended by a further two months, giving three calendar months in total; the individual must be told of the extension within the first month.

How do I train to become a DPO?

We offer a very applicable training course that is ideal if you are looking to train as a Data Protection Officer (DPO).

DPO training is focused on what a DPO needs to do in relation to managing and maintaining data protection compliance in a typical organisation.

However, please note that a DPO cannot have a conflict of interest with any other role that individual holds within the organisation.

Is it easy to get cyber security insurance?

The simple answer is ‘no’, not unless you are willing to pay a very high annual premium.

Obtaining cyber security insurance can be difficult and often requires significant preparation and investment in the right technology.

Data Privacy Services can assist your organisation to get ready for cyber security insurance.

Is ISO27001 worth having?

Yes, it is.

The simple reason is that it covers the security risks relating to all parts of the organisation.

This greatly reduces your risk relating to people, processes and technology.

There are many growing commercial benefits associated with your organisation having this standard in place.  More and more businesses are now requiring their suppliers to have such certifications.

Need more information? Get in touch today.
