When is the GDPR coming into effect?
The GDPR was approved and adopted by the EU Parliament and it will come into force on May 25th, 2018.

What “personal data” means?
This is any data used to identify a specific individual. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, a computer IP address etc.

What is “sensitive personal data”?
This is data that not only identifies someone as a specific person, but it adds additional data to their profile. Things like health – both mental and psychical, political views, union membership, opinion. All these adds define the individual and must be protected.

Who does the GDPR affect?
The GDPR applies to all organisations collecting data on EU-residents. It doesn’t matter if they are EU-based companies are not. If you’re located in the US, and gather data on EU subjects, you will need to follow these rules. To be honest, you might as well just use these rules no matter where you’re located. This way you’ll never run into a problem with them at some later date.

What is the difference between a data processor and a data controller?
A controller is the organisation that initially collects the data and determines what is the purpose for collecting it, who else needs to see or use it, how will it be transferred etc. The controllers are the ones ultimately responsible for the data.  A processor acts on behalf of the controller, to do some additional processing or work with the data collected by the controller. Think of a payment processor – they take some personal information to pay for an order.

What is meant by “explicit consent”? 
This means you must have the person sign a form, click a checkbox, click a button, swipe etc. – somehow there has to be a clear action to prove the consent has been given. Also, you need to ask the consent separately for each processing activity, you cannot have them grouped together as before.

Do I need to appoint a Data Protection Officer (DPO)?
The simple answer is no. However, if you’re a government department, no matter what level of government (city, regional, federal), or you engage in large scale systematic monitoring or processing sensitive personal data, such as direct marketing or CCTV recording of people, then you do not need to appoint a DPO.