Frequently asked questions
The GDPR was adopted by the EU Parliament in April 2016 and entered into force the following month. After a two-year transition period, the regulation became applicable and enforceable on 25 May 2018.
Any information relating to an identified or identifiable individual - whether it identifies them on its own or only when combined with other pieces of information - is personal data. A subset of personal data is treated as a "special category" and subject to stricter rules under Article 9; these are an enumerated list (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data used for unique identification, health data, and data about sex life or sexual orientation), not any data that could cause harm. Bank details, for example, are sensitive and require strong protection, but they are ordinary personal data rather than a special category.
The GDPR applies to any organisation established in the EU that processes personal data, and also to organisations outside the EU that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where the organisation itself is located.
There are two tiers of administrative fines, depending on which provisions have been breached. The lower tier is up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher; the higher tier is up to €20 million or 4% of worldwide annual turnover, whichever is higher. Which tier applies depends on the part of the regulation that was infringed (for example, breaches of the core principles, data subject rights, or international transfer rules fall in the higher tier). These fines can be imposed on both controllers and processors.
No matter the size of your company - how many employees you have, how many customers you serve, or what your annual turnover is - the GDPR applies to you if you process personal data within its scope.
That magic 250-employee threshold is mentioned only once in the regulation, in relation to record keeping (Article 30). The GDPR requires controllers and processors to maintain records of their processing activities - covering the purposes of processing, the categories of data subjects and data, recipients, any international transfers, retention periods and the security measures in place - and separately requires you to be able to demonstrate that consent was obtained where you rely on it. Organisations with fewer than 250 employees are exempt from the Article 30 record-keeping obligation, but only if the processing is occasional, is unlikely to result in a risk to individuals, and does not involve special category data or data relating to criminal convictions; in practice most organisations that process personal data routinely will still need to keep these records. Either way, the rest of the GDPR still applies in full.