GDPR 7 years on: What’s going to change and what businesses need to know to navigate this new landscape

The FAQs you want answers to

It’s hard to believe that GDPR, the landmark General Data Protection Regulation, has been in force for seven years. What began as a dense, unfamiliar piece of EU legislation has evolved into the global standard for data protection, shaping how organisations handle personal data in nearly every sector. From healthcare to hospitality, construction to consulting, it’s nearly impossible to find a part of modern business that doesn’t depend on data, and, by extension, on getting data protection right.

We’ve watched the data protection landscape grow from a novel idea into one of the most regulated and scrutinised aspects of business operations, and we’ve seen how the stakes have risen. In just the past year, over €1 billion in GDPR fines have been issued, and regulators show no sign of slowing down. GDPR isn’t standing still either. New changes are on the horizon, with big implications not just for how organisations collect and process data, but for how they use AI, engage in international data transfers, and handle growing regulatory divergence between the EU and the UK.

It’s critical to know what’s changing, why it matters and what you can do to stay compliant. From the rise of AI and its compliance challenges to the UK’s proposed Data (Use and Access) Bill, you need practical guidance to keep your policies sharp, your teams trained and your risks in check. Whether you’re a small business, a global firm or an in-house legal team, you need to stay ahead of the GDPR curve.

We want to help you do that. This FAQ is here to provide clear, informed answers. You have the questions. We have the insights.

Our policies seem a bit out of date with so many employees working from home. Any tips to keep personal data safe remotely?

Yes. Update your data protection policy to reflect hybrid working risks. Ensure staff use company-approved devices, enable multi-factor authentication, avoid personal cloud/email accounts, and connect via secure VPNs. Regular data protection training is key to maintaining awareness.

We source staff through our Dubai office and share contractor details across countries. What are the risks of cross-border data sharing?

Sharing data internationally can trigger GDPR transfer rules. If Dubai-based staff share personal data with UK or EU colleagues, you must assess the legal basis, implement appropriate safeguards (like Standard Contractual Clauses or SCCs), and ensure data subjects are informed.

Does the employee headcount only apply to EU staff or does a foreign parent’s staffing count too?

The threshold applies to the overall organisation if it processes EU data. A foreign parent’s staff may count if it controls or influences data processing that affects EU individuals.

We run a box office for outside promoters. Can we share customer data with them?

Only if customers give clear, informed consent at the time of purchase. Include an opt-in box specifying the promoter and the purpose of sharing. Without consent, sharing this data would breach GDPR.

When will GDPR templates be released and where can we get them?

The EU hasn’t set a formal release date, but templates (like updated SCCs or DPIAs) are usually published by the European Commission or national data protection authorities. Tools are also available from providers like the European Data Protection Board (EDPB), the Information Commissioner’s Office (ICO) or trusted compliance platforms.

How can companies verify that data has truly been deleted?

Include audit clauses in contracts and request written confirmation or logs showing deletion. In some cases, you may have the right to conduct audits or request third-party verification to ensure compliance.

What percentage of the €5.65 billion in GDPR fines has actually been paid?

Exact figures vary, but a significant portion of large fines is still under appeal, meaning not all has been paid yet. That said, many companies settle or pay in instalments once rulings are finalised.

What do exemptions mean for vendor due diligence during onboarding?

Even if a vendor claims an exemption, such as small-scale processing, you remain responsible for ensuring appropriate safeguards. Always assess the nature of data processing and ensure minimum GDPR compliance through contracts or vendor questionnaires.

When will the EU GDPR changes come into force?

The European Commission’s proposals are expected to progress through legislative channels in 2025. Once adopted, a grace period, typically ranging from six to 24 months, will likely apply. Monitor updates from the EDPB or your national regulator.

How does EU GDPR differ from UK GDPR?

They were nearly identical, but they are now likely to diverge. The UK is considering reforms under the Data (Use and Access) Bill, including removing DPO requirements and easing compliance for SMEs. EU GDPR remains stricter and more harmonised across member states.

When will GDPR templates for SMEs be available?

No official EU-wide release date has been announced. However, SMEs can access tailored resources from regulators like the ICO (UK), CNIL (France), and national chambers of commerce. Keep an eye on EDPB updates throughout 2025.

We’ve merged with a larger US company. How can we stay compliant with EU GDPR?

Start with a data mapping exercise. Review data hosting, transfer mechanisms such as SCCs or the EU-US Data Privacy Framework, marketing consents and internal policies. Ensure your US partner understands EU legal bases, rights and retention limits. Joint controller or processor agreements may be needed.

Where do I start with GDPR processes?

Begin with a data audit: What data you collect, where it’s stored, how it’s used and who accesses it. Then update your privacy notices, identify your legal bases, appoint a DPO if needed and develop key policies specifically regarding retention, breach response and managing DSARs.

Some companies receive thousands of DSARs as complaints. Will the deadline extension rules change?

Regulators are aware of these misuse and volume concerns. While current rules only allow limited extensions, the proposed GDPR changes include streamlining DSAR procedures. Future reforms may include more flexibility for high-volume responses, but no formal change has yet been adopted.

When do the GDPR changes come into UK law?

The UK is pursuing its own reforms through the Data (Use and Access) Bill, which is progressing through Parliament and could pass in late 2025. These changes are separate from EU GDPR and reflect the UK’s move toward a more business-friendly regime.

Is it only EU GDPR that is changing? Will it affect changes in the UK in terms of the Data (Use and Access) Bill?

Yes, the current changes apply to EU GDPR only. However, the UK is watching closely. If the EU updates introduce significantly different standards, the UK may revise the Data (Use and Access) Bill to ensure ongoing data adequacy or align where it benefits UK business.

How far does your responsibility go if you’re sending data within the UK but the processor uses sub-processors outside the UK/EEA?

Your responsibility doesn’t stop at the UK border. You must ensure that any overseas sub-processors meet equivalent data protection standards. This means checking contracts, securing appropriate safeguards, like SCCs, and understanding where data flows.

What role does staff training play in preventing GDPR breaches, and how can we build a culture of data protection?

Training is essential. Many breaches occur due to human error, not system flaws. Regular, role-specific training keeps staff alert to risks. A culture of data protection starts with leadership commitment, clear policies and empowering staff to report issues.

How far can we go with compliance if vendors use AI tools on their own terms?

You’re still responsible for how personal data is processed, even if a vendor uses AI. Due diligence must cover how AI is used, whether it complies with GDPR in terms of fairness and explainability of its use, and whether it introduces risks requiring a DPIA.

How can companies verify that data has really been deleted and not just claimed as deleted?

Ask vendors for deletion logs or certificates, ensure contract terms permit audits or third-party verification and check that backups and copies have also been erased. Transparency and verifiable processes are key to compliance.

How is AI creating new challenges for GDPR, and how are regulators responding?

AI raises issues around transparency, fairness, automated decisions, and data minimisation. Regulators are updating guidance, and the EU AI Act will sit alongside GDPR to address these risks. DPIAs and careful vendor assessments are becoming more important than ever.

If we only operate in the UK, do EU GDPR changes still matter?

If you serve or monitor EU residents, such as via a website, EU GDPR still applies. Otherwise, your focus should be on UK GDPR and the upcoming Data (Use and Access) Bill. It’s always a good idea to stay informed, especially if you may expand or partner internationally in the future.

Do we need SCCs or an equivalent if we send data from our UK company to our US parent company?

Yes. Although the UK has its own UK-US data bridge under the Data Protection Framework, using the UK Addendum or the International Data Transfer Agreement (IDTA) is still best practice if the US entity is not certified under the framework.

How quickly will VinciWorks update their LMS GDPR training?

VinciWorks regularly updates its courses in line with regulatory developments. Expect revisions after EU and UK legal updates are confirmed, as soon as clear guidance or best practice is made available. Check their website or your account for specific release schedules.

What guidance is there for training staff on Gen AI tools like OpenAI or ClosedAI?

Training should cover data privacy, copyright, bias, explainability and acceptable use. Staff must understand that Gen AI tools process data differently and may pose risks. Provide clear policies and use case-specific examples.

Does analysing customer data for trends affect GDPR compliance? Should this data be anonymised?

Yes. Even internal analysis must comply with GDPR. If you don’t need to identify individuals, anonymisation or at least pseudonymisation is strongly recommended. This reduces risk and may limit obligations if data is breached.
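The pseudonymisation the answer above recommends, as an added example that is not part of the original page. It uses a keyed hash (HMAC-SHA256) whose key the controller holds apart from the analytics dataset, coarsens the postcode as data minimisation, runs a trend query on the pseudonymised records only, and includes a check showing why an unkeyed hash of an email address is not a safe pseudonym. The sample records and field names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter, defaultdict
from typing import Optional

# Constructed sample records (hypothetical, not from the page). Email is a
# direct identifier; the full postcode is a quasi-identifier to be coarsened.
RAW_PURCHASES = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "category": "books", "amount": 12.50},
    {"email": "bob@example.com",   "postcode": "M1 1AE",   "category": "games", "amount": 45.00},
    {"email": "Alice@Example.com", "postcode": "SW1A 1AA", "category": "books", "amount": 8.99},
    {"email": "carol@example.com", "postcode": "M1 1AE",   "category": "games", "amount": 60.00},
]


def new_pseudonymisation_key() -> bytes:
    """Secret held by the controller, separately from the analytics dataset.
    Keeping this 'additional information' apart is what GDPR Art. 4(5) means
    by pseudonymisation; the records remain personal data while the key exists."""
    return secrets.token_bytes(32)


def _normalise(identifier: str) -> bytes:
    # Case and whitespace differences must not split one customer into two tokens.
    return identifier.strip().lower().encode()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash of a normalised identifier: stable per customer, unlinkable without the key."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """The weak alternative (plain SHA-256) kept here only so the check below can show its flaw."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise_dataset(records, key: bytes):
    """Replace direct identifiers with tokens and keep only the fields the trend analysis needs."""
    return [
        {
            "customer_token": pseudonymise(r["email"], key),
            "postcode_area": r["postcode"].split()[0],  # outward code only
            "category": r["category"],
            "amount": r["amount"],
        }
        for r in records
    ]


def spend_by_category(records):
    """The trend analysis itself runs on pseudonymised records only."""
    totals = defaultdict(float)
    for r in records:
        totals[r["category"]] += r["amount"]
    return dict(totals)


def repeat_customer_count(records) -> int:
    """Consistent tokens still allow repeat-purchase analysis without any email address."""
    counts = Counter(r["customer_token"] for r in records)
    return sum(1 for n in counts.values() if n > 1)


def matches_candidate(token: str, candidates, key: Optional[bytes]) -> bool:
    """Assessment check: can this token be linked to any known email address?
    With an unkeyed hash the answer is yes for any address on the list; with
    HMAC it is no unless the caller also holds the key."""
    for email in candidates:
        digest = unkeyed_hash(email) if key is None else pseudonymise(email, key)
        if hmac.compare_digest(digest, token):
            return True
    return False


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    dataset = pseudonymise_dataset(RAW_PURCHASES, key)
    print(spend_by_category(dataset))      # books ≈ 21.49, games 105.0
    print(repeat_customer_count(dataset))  # 1 (alice, despite different casing)
    print(matches_candidate(unkeyed_hash("alice@example.com"), ["alice@example.com"], None))  # True
    print(matches_candidate(dataset[0]["customer_token"], ["alice@example.com"], None))       # False
```

If the key is ever destroyed and no other route back to the individual exists, the remaining records move towards anonymised data; while the key is retained anywhere in the organisation, treat the dataset as personal data.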

How can organisations standardise DPIAs for quality and consistency?

Use a template tailored to your sector, ensure all DPIAs include scope, risk evaluation, mitigation steps and legal basis. Assign accountability and train relevant staff. Consider central oversight to ensure consistency across departments.

Is AI used for image refinement considered high risk?

It can be, depending on what’s being processed. If biometric or sensitive data is involved, or if outputs could influence decisions about people, a DPIA is likely required. Even basic image enhancement should be assessed for data protection risks.

Our operations are handled in India, but we’re based in the UK, US and UAE. How does GDPR apply?

If you process EU or UK personal data, GDPR applies regardless of where the operation happens. Data transfers to India require adequate safeguards such as SCCs and clear contracts defining responsibilities.

Can VinciWorks courses be edited to include our own examples?

Yes. VinciWorks offers a full edit mode tool which allows all the content in its library to be edited and adapted to your company, industry, roles and case studies. You can also add branding to better engage staff.

Will the UK’s Data (Use and Access) Bill be delayed if EU GDPR is being reviewed?

The Data (Use and Access) Bill is progressing independently, but political or adequacy concerns could cause amendments or delays. The UK is keen to modernise its framework, but won’t want to risk losing EU adequacy status, which could influence timelines.

What do these potential changes mean for a UK-based company? Will the UK follow suit?

The EU changes won’t apply in the UK directly, but UK businesses with EU clients may still need to comply with EU GDPR. The UK may also adapt parts of the EU’s approach, depending on its own reform agenda under the Data (Use and Access) Bill.

How should organisations adapt DPIAs for emerging technologies like AI and big data?

DPIAs must now assess not only privacy risks but also fairness, bias, transparency and the potential for automated decision-making. Use updated templates that explicitly reference AI-related risk areas and include stakeholder consultation early in the process.

Where’s the best place to start with GDPR processes?

Start with a data audit: Understand what personal data you collect, where it’s stored, who has access and why it’s needed. From there, build your policies, assign responsibility and roll out staff training. A phased approach could help keep it manageable.

Do UK companies with EU clients have to follow both UK and EU GDPR?

Yes. If you offer goods or services to EU residents or monitor their behaviour, EU GDPR applies, even from the UK. This may mean appointing an EU-based representative or DPO, even if UK law doesn’t require one.

Won’t scrapping the DPO requirement risk the UK’s adequacy with the EU?

It could. The EU may view the removal of mandatory DPOs as weakening oversight and accountability. While the UK is moving toward flexibility, divergence in governance models may trigger a reassessment of the UK’s adequacy status.

Must UK companies follow EU GDPR if they don’t send data out of the UK?

Only if they target or monitor individuals in the EU. If your services are purely UK-based and do not involve EU residents, EU GDPR does not apply. Be cautious because web presence alone can trigger applicability.

Does this affect training companies delivering sessions globally via Zoom?

Yes. If personal data such as attendee information involves EU individuals, EU GDPR applies, even if you’re UK-based. Always consider who your clients are, not just where you operate from.

How should newcomers to GDPR begin to learn what’s required?

Start with the ICO website or a reputable GDPR training course. Break it down: Focus first on lawful bases, individual rights and breach response. Use real examples to make the abstract principles concrete.

Has the EU seriously discussed suspending the Transatlantic Data Privacy Framework?

There’s no formal suspension, but legal challenges, especially under Schrems-like cases, are ongoing. Some concerns arise from political uncertainty in the US, but no official EU action has been announced.

If the UK-US Data Bridge builds on the EU-US Framework, won’t changes to one affect the other?

Yes. The UK-US bridge relies on similar principles. If the EU framework is invalidated by the courts, the UK’s version could face pressure, especially if UK standards are seen as too lenient.

How long can we retain personal data after an erasure request?

You should delete the data “without undue delay,” typically within one month. However, retention is allowed if legally required, for example for compliance or fraud prevention, but it must be justified and documented.

What tools can help automate GDPR compliance and what common mistakes occur in financial services?

Popular tools include OneTrust, TrustArc and DataGrail for consent, DPIAs, and DSARs. In financial services, common pitfalls include over-collection of data, lack of clear lawful basis and poor record-keeping of consents and processing activities.

Omnitrack’s GDPR registers ensure you can effectively track and record GDPR requirements with tools that centralise records, automate reminders, and support compliance. GDPR management will be efficient and thorough.

Halfway through GDPR reform, what should change in PECR or current UK data law?

Many want clearer, more modern rules on cookies and consent, especially for analytics. Simplifying DSARs and tightening rules around “legitimate interest” could also help reduce complexity and litigation risk.

Post-Brexit, are there cases where UK companies still fall under EU GDPR?

Yes. If a UK company targets or monitors individuals in the EU such as through digital services, then EU GDPR applies regardless of where the company is based or whether it stores data in the EU.

How can we best use automation and AI tools for GDPR compliance?

Use automation for repetitive tasks like DSAR management, consent tracking, data mapping and breach notifications. But always be sure to supervise AI output. Human review is key to ensure fairness, accuracy and context.

For UK universities, how do data protection changes affect alumni specifically?

Alumni data is often retained long-term for fundraising and engagement. You must ensure clear lawful bases with consent or legitimate interest, refresh privacy notices and offer clear opt-outs for marketing or profiling.

Can UK organisations set their own data retention periods for non-engaged users?

Yes, but they must be proportionate, justified and documented. You should specify retention timeframes in your privacy policy and apply regular reviews to ensure old data is deleted if there’s no longer a legal or business need.

How will these GDPR changes affect our existing GDPR policies?

You’ll need to review and update policies to reflect new obligations, especially around AI, risk assessments, record-keeping and cross-border data flows. Policies should remain agile, allowing for regular updates as laws evolve.

How would the recent High Court verdict on women being defined by biology impact and influence data collection for trans people?

The verdict relates to the legal interpretation under the Equality Act, not directly to GDPR. Until further government guidance is issued, organisations should continue to collect data based on individuals’ self-identification where appropriate, ensure transparency in how and why gender data is used and apply data minimisation principles.

What if the UK is no longer seen as adequate by the EU?

If the EU revokes the UK’s adequacy status, UK companies transferring personal data to or from the EU will need to implement additional safeguards, such as Standard Contractual Clauses (SCCs), to continue lawful data flows.

How can we control personal and business mail in a personal mailbox?

Implement policies requiring separation of work and personal email accounts. Use secure, organisation-approved email platforms and ensure emails containing personal data are encrypted and access-controlled.

How active is the ICO in issuing fines for DSAR non-compliance?

The ICO has fined and reprimanded organisations for ignoring or delaying DSARs. Common triggers include failure to respond within the legal timeframe or mishandling sensitive information during the response.

What impact will the UK’s ‘roll back’ on GDPR have on the public?

The public may face reduced data protection rights and weaker recourse if companies misuse data. Divergence from EU standards could also affect the trust and security of cross-border services.

How will the industry ensure AI is used ethically?

Establishing guardrails will require regulation, ethical design principles and strong accountability measures, like impact assessments, transparency standards and human oversight, especially for high-risk AI systems.

What programming libraries can help ensure compliance?

Libraries like GDPR.js, privacy features in Django or Flask, and tools like Privado, OneTrust SDK, or Open Policy Agent can assist with consent, access control and data minimisation in development.

Where can we find GDPR summaries and updates?

The ICO (UK), EDPS (EU), and industry groups like NOYB or IAPP provide summaries, updates, and practical toolkits. LMS providers like VinciWorks provide updated resources.

How does AI affect GDPR, and how can organisations respond?

AI complicates compliance by introducing opacity, profiling risks and challenges around data minimisation and fairness. Organisations must document processing, conduct DPIAs and assess AI tools for bias and transparency.

How should NGOs handle GDPR compliance?

NGOs should treat GDPR as essential. This includes maintaining clear data handling policies, conducting DPIAs where needed, training staff and volunteers and being transparent with beneficiaries about data use.

How do we make GDPR feel relevant, not just another task?

Tie training and policies to real-world risks, like fines, reputational damage or personal stories. Use relatable case studies and show how GDPR protects both the organisation and individuals.

How do we include volunteers in compliance?

Volunteers should receive simplified but clear training. Ensure they only access data they need, sign confidentiality agreements and understand reporting procedures for data breaches.

What are data protection considerations for remote or overseas working?

Ensure data is accessed securely with VPNs and encrypted drives, retention policies are followed and that local laws are checked if data is accessed or stored outside the UK/EU. Have offboarding protocols for leavers.

How can large organisations manage manual data cleanses without HR platforms?

Implement a scheduled data audit and retention review process. Allocate responsibilities clearly and monitor outcomes through regular reporting.

How can global companies align GDPR with other regulations?

Use a data governance framework that maps overlapping requirements across jurisdictions. Implement “highest common denominator” policies and assess local laws for conflict or additional duties.

Could US political developments impact the Transatlantic Data Framework?

Yes. If future US policies or court rulings weaken privacy protections, the EU may suspend data flows again. Businesses should monitor developments and prepare alternative transfer mechanisms.

Is a Data Protection Policy replacing a GDPR Policy?

No. A Data Protection Policy supports GDPR compliance and should align with it. Smaller businesses should still document how they meet GDPR requirements, even in a simplified form.

What GDPR areas cause the most trouble for medium firms?

DSAR handling, vendor management and lawful basis documentation are common pain points. Many also struggle with regular training and keeping data mapping up to date.

What’s required in a data sharing agreement?

It must outline the purpose of data sharing, legal basis, roles of each party, data subjects’ rights and security measures. Use clear, accessible language and review regularly.

If a business fails to respond to a GDPR request, how can it be escalated?

First, raise it internally with the business. If no resolution follows, report it to the ICO (UK) or relevant EU data protection authority. Keep all records of the request and follow-up attempts.

Are other countries adopting GDPR-like laws?

Yes. Brazil (LGPD), India (DPDP), California (CPRA), and others have introduced laws inspired by GDPR. This trend supports global alignment but requires nuanced local implementation.

Any enforcement against UK councils or councillors?

Yes. The ICO has issued fines and reprimands for unlawful disclosures, misuse of personal data, and data breaches. Public authorities are under heightened scrutiny due to their access to sensitive data.

Will AI tools ever be GDPR-compliant?

AI tools can be GDPR-compliant if designed with privacy by design, transparency, and fairness. However, machine learning poses ongoing risks that must be actively managed through audits and human oversight.

What are major compliance issues if AI is automated?

Risks include lack of transparency, inability to correct errors, automated decision-making without human review and unlawful processing. DPIAs, clear accountability and explainability tools are key controls.

How do exemptions affect vendor due diligence?

Even if exemptions apply, organisations must ensure vendors have robust privacy policies, security controls and can meet data subject rights. Exemptions reduce scope but not responsibility.

Our company merged with a larger US firm. How do we stay GDPR-compliant?

Conduct a data protection audit post-merger. Identify data flows, review hosting arrangements, ensure Standard Contractual Clauses are in place and train all teams on GDPR. Align marketing and privacy policies to EU standards.

How should staff be trained on GenAI tools such as OpenAI or Closed AI?

Focus on responsible use, transparency, bias, data minimisation and risks of inputting sensitive information. Provide use-case examples and clearly state what is and isn’t permitted.

Has there been real discussion about suspending the Transatlantic Framework, or is it speculation?

While concerns exist, there’s been no official EU move to suspend it. However, legal challenges are ongoing, and businesses should prepare contingency plans.


The global reach of GDPR means that any company or firm that offers goods or services in the EU is required to comply. Training will ensure that you can do that. Our GDPR courses include an in-browser editing tool that lets you customise the courses to reflect your information security challenges and best practices.


Listen to our webinar, GDPR: 7 years on. We cover everything you need to know about what’s coming to GDPR and so much more.