GDPR FAQs & Resources

As a leading provider of HR Compliance eLearning, our experts are often asked about the GDPR. We've collected all of those questions and answered them for you below...

Related Videos


When did the GDPR come into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. After 2 years, the regulation took effect and the GDPR came into force on 25th May 2018.

What is personal data?

Any data which can personally identify an individual - whether by itself or when combined with other pieces of information - is considered personal data. If that information has the potential to cause harm then it is considered a special category of personal data - things like bank details, sexual orientation, or political opinions, for example.

Who does the GDPR apply to?

The GDPR applies to any companies who process the personal data of subjects residing in the EU, regardless of where the company itself is located.

What are the possible penalties/fines of GDPR?

There are two thresholds depending on the kind and severity of the breach. The lower threshold is 2% of annual income or €10 million and the higher threshold is 4% of annual income or €20 million. The fine that a company receives depends on what part of the legislation that they have breached. These rules apply to both controllers and processors.

Does my workplace need a data protection officer (DPO)?

A data protection officer (DPO) needs to be assigned if your company carries out certain types of data processing - if you work as a public body or authority, if you systematically monitor individuals, or if you carry out large scale processing of special categories of personal data.

What effect, if any, does Brexit have on GDPR?

This is not an easy question to answer and relies on a number of variables. Let’s consider three broad outcomes and their potential impact on the GDPR.

Outcome 1: The UK remains in the EU. In this event, we’ll still be an EU country and so the GDPR will continue to apply in full.

Outcome 2: The UK leaves the EU with a deal in place. The effects on the GDPR would be contingent on the contents of whatever deal had been brokered between the UK government and the European Council but it is wholly likely that such a deal will involve data legislation. The UK introduced the Data Protection Act 2018 which is (almost) a complete carbon copy of the GDPR. As such, our data laws are in line with the EU’s, so it is very likely that very little will change in this case.

Outcome 3: The UK leaves the EU without a deal in place. This is where things get tricky. As mentioned above, the UK has very similar, almost identical data legislation in place. So very little is likely to change with regards to data processed and shared within the UK or to countries outside of the EEA.

However, to countries in the EEA, the UK will suddenly become a “third country” meaning that sharing data with us is restricted. There are only three ways that making a restricted transfer is allowed -

If the target country is covered by an Adequacy Decision. The UK is not and is very unlikely to be by the time we leave the EU.

If there are certain appropriate safeguards in place. These safeguards are listed in Article 46 of the GDPR; or

The transfer is covered by an exemption laid out in Article 49 of the GDPR.

This means that you will be able to share data with countries in the EEA but they will not be able to share with you unless one of the three conditions above have been satisfied.

Am I exempt from the GDPR if I have fewer than 250 employees at my company?

No matter the size of your company; how many employees you have, customers you serve, or what your annual turnover is, the GDPR applies to you.

That magic 250 employee threshold is only mentioned once in the regulation and that’s in relation to record keeping. The GDPR requires that you keep detailed records of all processing activities - including records of consent, decision making, privacy notices etc. - but with fewer than 250 employees, you don’t need to. However, the rest of the GDPR still applies in full.

FAQs regarding our GDPR courses

How long do these courses take?

The GDPR Essentials Training takes 35 minutes to complete and the GDPR Training for Management takes 40 minutes to complete.

Why is this training important?

This training is important to give you an understanding of the regulation and the tools you need to remain compliant at all times.

What approvals do these courses have?

Both of these courses are CPD Accredited.

How long are my certificates valid for?

It is up to the training administrator of the employee as to when training needs to be refreshed. However, to stay up-to-date with legislation, we recommend that training should be renewed every year.

What devices can I complete the course on?

Our courses can be completed on a range of devices, they’re compatible with desktops, laptops, mobile phones, iPads and other tablets.

Does this course work towards legislation compliance?

These courses work towards compliance with the GDPR.

Documents and resources

  • Rights over your personal data

    The GDPR covers personal data about an identifiable, living person. It can be anything from a name, a photo, an email address, a person’s bank details, posts on social media, medical information, addresses… and this is not an exhaustive list!

  • Data Protection Principles

    Everyone who uses personal data must follow strict rules and you’ll learn about these as the principles of data protection. They’re important, as they help you and your organisation ensure that personal data is used in a way that protects the rights of the people whose data it is, and following them is key to complying with the GDPR.

  • Day to Day good practice for GDPR

    If your job involves handling personal information then you have a responsibility to ensure that this data is kept private and confidential. For example, can your screen be seen by anyone looking through a window or by passers-by?

  • GDPR Accountability checklist

    Accountability is arguably the most important principle of the GDPR. Accountability is all about demonstrating that you’re
    complying with the GDPR. This useful checklist entails the things that you have accountability for with the GDPR.

An Overview of the GDPR

The GDPR was enforced on the 25th of May 2018 and was introduced to unify and strengthen data protection for everyone.

  • See a breakdown of the regulations and learn about its key principles
  • Learn how the GDPR impacts different sectors including Education, Care and Hospitality
  • Includes a range of frequently asked questions surrounding the regulation
  • Allow us to demystify a range of GDPR misconceptions
  • Learn how Brexit may affect the GDPR
  • See how iHASCO can help your organisation with its GDPR Training needs

White Paper