GDPR FAQ - all your questions answered (2025)

Frequently asked questions in relation to the GDPR

The General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, is a comprehensive set of rules designed to protect the privacy and security of personal data across the European Union.

The GDPR aims to standardize data protection laws across all EU member states and applies to any organization that processes the personal data of EU citizens, regardless of where the organization is based.

Despite the GDPR being in effect for several years, many businesses are still struggling with compliance.

In 2018, Gartner predicted that more than 50% of companies affected by the GDPR would not be in full compliance by the end of that year. More recent studies show that compliance remains a challenge, with a significant number of businesses still facing enforcement actions due to non-compliance.

The GDPR allows regulators to impose fines of up to €20 million or 4% of annual global turnover, whichever is higher.

The highest fines to date include:

Amazon (€746 million, 2021) – Violation of consent requirements for targeted advertising.
Meta (Facebook/Instagram/WhatsApp) (€405 million, 2022) – Improper handling of children's data.
Google (€50 million, 2019) – Lack of transparency and inadequate consent mechanisms.
TikTok (€345 million, 2023) – Violations regarding children's data privacy.

With enforcement actions increasing, organizations must take GDPR compliance seriously to avoid hefty fines and reputational damage.

Therefore, we have compiled a list of the most frequently asked questions in regards to the GDPR and provided a series of answers.

1. "The GDPR covers email and email communications - does it also include telephone communication? What if I buy a list of phone numbers and call each person?"

Before contacting individuals from a purchased list, ask yourself:

Was the data collected with proper consent?
Did individuals explicitly agree to be contacted by third parties?

If the answer to either question is “no,” then using such a list would likely violate the GDPR. Consent must be specific, informed, and freely given for each processing activity.

Additionally, if you record calls, this falls under the GDPR’s definition of data processing. Under the GDPR, businesses must justify call recording under one of the following conditions:

The individuals gave explicit consent to the recording.
Recording is necessary to fulfill a contract.
Recording is required to comply with a legal obligation.
Recording is necessary to protect the vital interests of a participant.
Recording is in the public interest or part of an official duty.
Recording is in the legitimate interests of the company, unless overridden by the individual’s rights.
Recording calls without justification or without properly informing the individuals involved can result in regulatory penalties.

2. "Are these rules or guidelines? What is the difference?"

To be clear, the GDPR is law – and not advisory.

Businesses that process personal data of European Union (EU) citizens, regardless of whether they operate in or outside the EU, must comply with the GDPR. Failure to adhere to the GDPR can result in fines of up to 20 million Euros or 4% of the group’s worldwide turnover (whichever is greater).

Less serious violations such as improper records or failing to notify the relevant authority of a breach can result in fines of 2% of the group’s annual worldwide turnover, or 10 million Euros.

3. "Who will actually issue the fines? Who would you contact to complain about a company? Who will contact you if there has been a breach (i.e. is it a European body)?"

Each EU Member State has a Supervisory Authority (SA) responsible for enforcing GDPR, issuing fines, and handling complaints. In the UK, the enforcement body is the Information Commissioner's Office (ICO).

If you wish to report a GDPR violation, you should file a complaint with your country’s relevant Data Protection Authority (DPA).

As of 2025, GDPR enforcement has resulted in over 1,200 fines across the EU, totaling more than €4 billion in penalties. The most heavily fined sectors include technology, retail, and financial services. Notably, Ireland's Data Protection Commission (DPC) and France's CNIL have been particularly active in enforcement actions against global tech companies.

4. "How does Brexit affect data protection and AI compliance?"

After Brexit, the UK adopted the UK GDPR, which is largely identical to the EU GDPR but is governed under the Data Protection Act 2018 (DPA 2018).

The UK GDPR and the DPA 2018 collectively define the UK’s data protection framework. Organizations processing data from both UK and EU residents must comply with both UK GDPR and EU GDPR, ensuring they meet the requirements of both regulatory environments.

If your company targets EU customers, you may need to appoint an EU representative for GDPR compliance purposes. Likewise, if an EU company processes UK personal data, it may need to appoint a UK representative.

A key area of concern under both frameworks is automated decision-making and AI. Under GDPR, individuals have the right not to be subject to solely automated decisions that produce legal or significant effects. This means companies using AI-driven processes, such as automated credit scoring, recruitment screening, or profiling, must implement safeguards, including human intervention, transparency, and justification for such decisions.

5. "The regulation talks about ‘data controllers’ and ‘processors’, what are they?"

In their simplest forms, data controllers are those that determine how data is used and processed. Data processors process data on behalf of a controller.

Here are some examples of data controllers: government bodies, voluntary organisations, hospitals, or even your Internet Service Provider (ISP).

Here are some examples of data processors: accountants, market research companies, surveyors – anyone who processes data on behalf of someone else (an individual or company).

For example, we – as a marketing consultancy – would be a data controller and data processor. We collect personal information from website visitors and website visitors who fill in forms and control that data, as we decide on what to keep and to use in our digital marketing efforts.

We process that data as well. Holding it, organising it, analysing it, adapting it, retrieving it, erasing, combining and much more. It could be as simple as obtaining a new lead via your website and adding that lead’s information into your CRM or editing contact records.

6. "Who is responsible for the data within marketing agencies?"

Simply put, everyone!

Having a clear view of your business’ data across the department is key to ensuring you meet the requirements of the GDPR. Good data governance needs to be driven from the top down (I’m looking at you, C-Suite) and on that basis, starts with the seniors in the business driving it forward.

That said, the GDPR does require that certain businesses, organisations and institutions appoint a DPO (Data Protection Officer) to oversee the business’ data management.

Under the GDPR you must appoint a data protection officer if you:

Are a public authority (except for courts acting in their judicial capacity);
Carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
Carry out large-scale processing of special categories of data or data relating to criminal convictions and offices

You may appoint a single data protection officer to act on behalf of a group of companies or public authorities. Any organisation can appoint a DPO, regardless of whether the GDPR requires you to do so.

7. "What happens if I lose a laptop/company mobile phone/USB that has sensitive data on it – who do I report it to?"

Firstly, you only need to notify the relevant supervisory authority of a breach where it is likely to risk the rights and freedoms of individuals, such as their human rights and freedom of expression, for example.

Supervisory authorities differ from country to country, but in the UK, it’s the ICO – the Information Commissioner’s Office – based in Wilmslow, Cheshire, but with offices in Scotland, Wales and Northern Ireland.

For example, if the breach will have a detrimental effect on individuals, resulting in (and the ICO states) discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

For example, if a breach of customer details leaves customers open to identity theft, that must be reported. Individuals must be notified immediately if it’s a high-risk breach, as well as the relevant supervisory authority. For those in the UK, this means telling the individual and informing the ICO.

8. "Will data providers now go out of business? Surely they can sell GDPR-compliant data lists?"

Perhaps, but more likely they will have to work harder and therefore costs will increase. Data providers will need to reassess the way in which they build their lists.

They will need to obtain consent from each individual on the list so they can compile that information – and they will also need to obtain separate consent from them so they can sell that list to third parties. It’s a lot of work, but it can be done.

9. "Is double opt-in a guidance or a law? Does GDPR include ‘double opt-in’? I.e. A website visitor said “OK” passively, but do I need to confirm their consent? Surely single consent is enough?"

No, double opt-in is not a legal requirement under GDPR. However, it is considered best practice because it provides stronger evidence of consent.

Organizations must ensure that consent is:

Freely given, specific, informed, and unambiguous.
An active choice (e.g., no pre-ticked boxes).
Easily withdrawable.

However, different jurisdictions within and outside the EU have varying interpretations of opt-in requirements:

Germany: Has the strictest interpretation in the EU. Double opt-in is effectively required for email marketing due to the burden of proof requirements in German law. Courts have consistently ruled that single opt-in is insufficient to prove consent.
Austria: Similar to Germany, Austrian courts strongly prefer double opt-in. While not strictly required by law, it is considered the safest way to ensure compliance.
China (PIPL - Personal Information Protection Law): Implemented in 2021, China's PIPL has stringent consent requirements. While double opt-in is not explicitly required, companies often implement it as a best practice due to strict enforcement.
Brazil (LGPD - Lei Geral de Proteção de Dados): Similar to GDPR, LGPD requires clear, affirmative consent but does not mandate double opt-in. However, due to the burden of proof on businesses, many companies adopt double opt-in to ensure compliance.

Given these regional differences, organizations operating across multiple jurisdictions should consider implementing double opt-in as a global best practice to avoid regulatory risk and ensure compliance.

10. "What about my contact database? Can I still email these people?"

The GDPR states that you are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. So, make sure you update your consent mechanisms if needs be!

We hope you have found this GDPR FAQ document to be useful and would be very happy if you were to share it with others through social media. Of course, this is a living document and it will be routinely updated up until the commencement of the GDPR to ensure absolute accuracy.

11. "What are the legal/lawful bases for processing?"

Under GDPR, there are six lawful bases/grounds for processing. At least one of these must apply whenever you process personal data (to find out more about personal data, please see ‘What is personal data/information).

No single legal basis is better than another but the legal basis you choose will depend on your business and your requirements.

The six legal bases are as follows:

Consent: the individual – the data subject – has consented to the processing of their data
Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Public interests: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Legitimate interests: processing is necessary for the purpose of the legitimate interested pursued by the controller or by the third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

12. "What is personal data vs sensitive data vs highly sensitive data?"

Personal data refers to any information related to an identifiable person who can be directly or indirectly identified by reference to an identifier.

Examples of personal data include:

Name
Email address
Identification number
Location data
Online identifiers (e.g., IP address, cookie ID)

Sensitive personal data (or special category data) requires additional protection measures due to its sensitive nature. Processing this type of data typically requires a clear legal basis and, in most cases, explicit consent.

Examples of sensitive personal data include:

Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic and biometric data (for identification purposes)
Health-related information
Sexual orientation or sex life

Highly sensitive data refers to information that could cause severe harm if disclosed or misused. While GDPR does not explicitly define this category, many organizations apply stricter security measures to protect it.

Examples of highly sensitive data include:

National insurance or social security numbers
Passport or driver's license details
Financial account numbers and credit card details
Authentication credentials (e.g., passwords, security answers)
Highly confidential business or legal documents

Organizations handling sensitive or highly sensitive data must implement strong encryption, strict access controls, and enhanced compliance monitoring to prevent unauthorized access or data breaches.

13. "What is the right to be forgotten?"

The right to be forgotten – also known as the right to erasure – is where individuals have the right for their personal data to be erased completely. Individuals can make a request for erasure verbally or in writing.