Knowledge Base

Need help? Please get in touch.

Frequently Asked Questions

We’ve put together a list of some of the frequently asked questions we’ve been asked by our customers regarding the General Data Protection Regulations.

1) What is GDPR?

GDPR stands for General Data Protection Regulation and will come into force on the 25th of May 2018. GDPR is a European privacy regulation replacing all existing Data Protection legislation. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. The current data protection legislation dates back to 1995 – a time when internet usage and cloud technology was vastly different.

2) Who does GDPR apply to?

The GDPR applies to all businesses including sole traders, located in the EU that process personal data. It also applies to non EU organisations if they offer goods or services to, or monitor the behaviour of, EU citizens. It applies to all organisations processing and holding the personal data of EU citizens, irrespective of the organisations location.

3) What is personal data?

Personal data is defined as “any information related on a natural person or ‘Data Subject’ that can be used to directly or indirectly identify a person.” Personal data can be a:

• A name
• A photo
• An email address
• Bank details
• Posts on social networking websites
• Medical information
• CCTV images
• Records of websites visited
• A computer IP address

4) What are the 6 principles of GDPR?

Personal data should be:

• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Adequate, relevant and limited to what is necessary
• Accurate and kept up-to-date
• Kept for no longer than necessary
• Processed in a confidential and secure manner

5) Where is a good place to start preparing?

A good starting point for preparing for GDPR is to create an inventory of all personal data held and answer the following questions:
• Why are you holding the data?
• What is the legal basis for holding the data?
• How is the data obtained?
• Why the data was originally gathered?
• How long is the data held for?
• How is the data saved? Is it saved securely?
• Is the data shared with anyone else and with whom?

As the GDPR requires organisations to be in a position to demonstrate compliance with its requirements, documenting the above will enable employers to:

• Identify and gaps in compliance
• Put in place processes to rectify gaps
• Produce evidence of its compliance on the new GDPR

In preparation for GDPR you must be aware of your data protection responsibilities and ensure that all employees are aware of their responsibilities when processing data. Ensure that you have an up to date data protection/privacy policies addressing the six principles of GDPR and apply it to your organisation.

6) How do I report a breach?

A breach is defined as a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data. Breaches must be reported to the ICO within 72 hours, but only if the breach is likely to result in a high risk to the rights and freedoms of individuals for e.g. result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Breaches likely to result in a high risk to the rights and freedoms of individuals must also be reported to the individuals concerned.

7) What are the consequences of a GDPR breach?

Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements. There is a tiered approach to fines e.g. a company can be fined 2% of annual global turnover or €10 Million (whichever is greater) in some situations for lesser breaches.

8) Do I need a Data Protection Officer (DPO)?

The main role of the DPO will be to monitor internal compliance and it is mandatory to appoint a DPO for:

• Public Bodies
• Organisations engaged in large scale regular/systematic monitoring
• Organisations whose core activities consist of processing “special categories” of data or data relating to criminal convictions
• May be mandatory in other contexts as defined by Member State Law

9) What is Bright Contracts doing to ensure compliance with GDPR?

Data Protection has always been a priority for Bright Contracts and we’ve always aimed to act with complete integrity in this regard. We are committed to being GDPR compliant and are putting a number of security measures in place including:
• We are reviewing our privacy policy and making necessary changes where needed to ensure we are communicating accurately with our customers.
• In terms of the Bright Contracts content, we will be amending the appropriate data protection clauses in the contract and handbook. These will be completed well in advance of 25th May 2018.

10) How secure is my data in Bright Contracts?

Your Bright Contracts data files are encrypted so if someone gets a copy of your data they cannot read it. Whilst we have security measures in place to protect your data, it remains your responsibility to keep your sign in details secret and to sign out of Bright Contracts when you are not using it and to ensure there is no unauthorised access to your computer.



The new standard in payroll software, now available for employers in the UK and Ireland.

UK Website  Ireland Website

Bright Contracts

Create tailored professional employment contracts and staff handbooks. Available for employers in the UK and Ireland.

UK Website  Ireland Website