book

Data Privacy and GDPR Handbook

by Sanjay Sharma

November 2019

Beginner to intermediate

496 pages

15h 32m

English

Wiley

Read now

Unlock full access

1.1 Questions and Challenges of Data Privacy1.2 The Conundrum of Voluntary Information1.3 What Is Data Privacy?1.4 Doctrine of Information Privacy1.5 Notice-and-Choice versus Privacy-as-Trust1.6 Notice-and-Choice in the US1.7 Enforcement of Notice-and-Choice Privacy Laws1.8 Privacy-as-Trust: An Alternative Model71.9 Applying Privacy-as-Trust in Practice: The US Federal Trade Commission1.10 Additional Challenges in the Era of Big Data and Social Robots1.11 The General Data Protection Regulation (GDPR)1.12 Chapter OverviewNotes
2.1 Privacy as One’s Castle2.2 Extending Beyond the “Castle”2.3 Formation of Privacy Tort Laws2.4 The Roots of Privacy in Europe and the Commonwealth2.5 Privacy Encroachment in the Digital Age2.6 The Gramm-Leach-Bliley Act Tilted the Dynamic against Privacy2.7 Emergence of Economic Value of Individual Data for Digital Businesses2.8 Legislative Initiatives to Protect Individuals’ Data Privacy2.9 The EU Path2.10 End of the Wild West?2.11 Data as an Extension of Personal Privacy2.12 Cambridge Analytica: A Step Too Far2.13 The Context of Privacy in Law EnforcementSummaryNotes
3.1 When Does GDPR Apply?3.2 The Key Players under GDPR3.3 Territorial Scope of GDPR3.4 Operation of Public International LawNotes
4.1 Accountability4.2 The Data Controller4.3 Technical and Organizational Measures4.4 Duty to Maintain Records of Processing Activities4.5 Data Protection Impact Assessments4.6 The Data Protection Officer4.7 Data Protection by Design and Default4.8 Data Security during Processing4.9 Personal Data Breaches4.10 Codes of Conduct and Certifications4.11 The Data ProcessorNotes
5.1 The Central Principles of Processing5.2 Legal Grounds for Data Processing5.3 International Data Transfers5.4 Intragroup Processing Privileges5.5 Cooperation Obligation on EU Bodies5.6 Foreign Law in Conflict with GDPRNotes
6.1 The Controller’s Duty of Transparency6.2 The Digital Miranda Rights6.3 The Right of Access6.4 Right of Rectification6.5 Right of Erasure6.6 Right to Restriction6.7 Right to Data Portability6.8 Rights Relating to Automated Decision Making6.9 Restrictions on Data Subject RightsNotes
7.1 In-House Mechanisms7.2 Data Subject Representation7.3 The Supervisory Authorities7.4 Judicial Remedies7.5 Alternate Dispute Resolution7.6 Forum Selection Clauses7.7 Challenging the Existing LawNotes
8.1 Allocating Liability8.2 Compensation8.3 Administrative Fines8.4 Processing Injunctions8.5 Specific PerformanceNotes
9.1 Member State Legislations9.2 Processing in the “Public Interest”9.3 Public Interest and the Rights of a Data Subject9.4 Organizational Exemptions and Responsibilities9.5 Public Documents and Data9.6 Archiving9.7 Handling Government Subpoenas9.8 Public Interest Restrictions on GDPR9.9 Processing and Freedom of Information and Expression9.10 State Use of Encrypted Data9.11 Employee Data ProtectionNotes

10.1 Step 1: Establish a “Point Person”10.2 Step 2: Internal Data Audit10.3 Step 3: Budgeting10.4 Step 4: Levels of Compliance Needed10.5 Step 5: Sizing Up the Compliance Department10.6 Step 6: Curating the Department to Your Needs10.7 Step 7: Bring Processor Partners into Compliance10.8 Step 8: Bring Affiliates into Compliance10.9 Step 9: The Security of Processing10.10 Step 10: Revamping Confidentiality Procedures10.11 Step 11: Record Keeping10.12 Step 12: Educate Employees on New Protocols10.13 Step 13: Privacy Policies and User Consent10.14 Step 14: Get Certified10.15 Step 15: Plan for the Worst Case Scenario10.16 ConclusionNotes
11.1 Social Networking as an Explosive Global Phenomenon11.2 Facebook Is Being Disparaged for Its Data Privacy Practices11.3 Facebook Has Consistently Been in Violation of GDPR Standards11.4 The Charges against Facebook11.5 What Is Facebook?11.6 A Network within the Social Network11.7 No Shortage of “Code of Conduct” Policies11.8 Indisputable Ownership of Online Human Interaction11.9 Social Networking as a Mission11.10 Underlying Business Model11.11 The Apex of Sharing and Customizability11.12 Bundling of Privacy Policies11.13 Covering All Privacy Policy Bases11.14 Claims of Philanthropy11.15 Mechanisms for Personal Data Collection11.16 Advertising: The Big Revenue Kahuna11.17 And Then There Is Direct Marketing11.18 Our Big (Advertiser) Brother11.19 A Method to Snooping on Our Clicks11.20 What Do We Control (or Think We Do)?11.21 Even Our Notifications Can Produce Revenue11.22 Extent of Data Sharing11.23 Unlike Celebrities, We Endorse without Compensation11.24 Whatever Happened to Trust11.25 And to Security of How We Live11.26 Who Is Responsible for Security of Our Life Data?11.27 And Then There Were More11.28 Who Is Responsible for Content?11.29 Why Should Content Be Moderated?11.30 There Are Community Standards11.31 Process for Content Moderation11.32 Prospective Content Moderation “Supreme Court”11.33 Working with Governmental Regimes11.34 “Live” Censorship11.35 Disinformation and “Fake” News11.36 ConclusionNotes
12.1 The Lead Supervisory Authority12.2 Facebook nicht spricht Deutsch12.3 Where Is the Beef? Fulfilling the Information Obligation12.4 Data Processing Purpose Limitation12.5 Legitimate Interests Commercial “Restraint” Needed12.6 Privacy by Design?12.7 Public Endorsement of Personalized Shopping12.8 Customizing Data Protection12.9 User Rights versus Facebook’s Obligations12.10 A Digital Blueprint and a GDPR Loophole12.11 Investigations Ahead12.12 Future ProjectsNotes
13.1 Our Second Brain13.2 Utopian or Dystopian?13.3 Digital Empowerment: Leveling the Playing FieldNotes
20142015201620172018Notes

Content preview from Data Privacy and GDPR Handbook

AppendixCompendium of Data Breaches

These data breaches are analyzed using the three pillars of GDPR data protection:

Privacy by design (tokenization, anonymization, etc.)
Security in processing (anti-virus and cyber-security)
Notification of breach (72 hours)

2014

UPS

Breach date: Between January 20 and August 11, 2014. UPS learned of the threat on July 31, 2014.
Notification date: August 21, 2014.
Type: Malware attack using “memory scraping” software.
Targeted data: Names, addresses, e-mails, phone numbers, and card information.
Motive for the breach: Theft.
Damages and data subjects affected: The hackers affected over 100,000 transactions over the period of breach and attacked 51 stores in 24 states.
Preventive measures: The store’s systems were not linked to one another electronically, so the damage was contained to only 1% of the company’s systems. UPS investigated the breach after reading a government notification on malware attacks.
Curative measures and liability: UPS said that it is providing identity protection and credit monitoring help to affected customers. The company additionally increased its protection on other stores. UPS also published a list of affected stores, including the breach inception date and duration. The company was lauded by some for its “well-written data breach notification.”
GDPR compliance: While it is unclear whether UPS had “privacy-by-design” implemented or whether they maintained security in their processing, at the time they were ...