book

Data Privacy and GDPR Handbook

by Sanjay Sharma

November 2019

Beginner to intermediate

496 pages

15h 32m

English

Wiley

Read now

Unlock full access

1.1 Questions and Challenges of Data Privacy1.2 The Conundrum of Voluntary Information1.3 What Is Data Privacy?1.4 Doctrine of Information Privacy1.5 Notice-and-Choice versus Privacy-as-Trust1.6 Notice-and-Choice in the US1.7 Enforcement of Notice-and-Choice Privacy Laws1.8 Privacy-as-Trust: An Alternative Model71.9 Applying Privacy-as-Trust in Practice: The US Federal Trade Commission1.10 Additional Challenges in the Era of Big Data and Social Robots1.11 The General Data Protection Regulation (GDPR)1.12 Chapter OverviewNotes
2.1 Privacy as One’s Castle2.2 Extending Beyond the “Castle”2.3 Formation of Privacy Tort Laws2.4 The Roots of Privacy in Europe and the Commonwealth2.5 Privacy Encroachment in the Digital Age2.6 The Gramm-Leach-Bliley Act Tilted the Dynamic against Privacy2.7 Emergence of Economic Value of Individual Data for Digital Businesses2.8 Legislative Initiatives to Protect Individuals’ Data Privacy2.9 The EU Path2.10 End of the Wild West?2.11 Data as an Extension of Personal Privacy2.12 Cambridge Analytica: A Step Too Far2.13 The Context of Privacy in Law EnforcementSummaryNotes
3.1 When Does GDPR Apply?3.2 The Key Players under GDPR3.3 Territorial Scope of GDPR3.4 Operation of Public International LawNotes
4.1 Accountability4.2 The Data Controller4.3 Technical and Organizational Measures4.4 Duty to Maintain Records of Processing Activities4.5 Data Protection Impact Assessments4.6 The Data Protection Officer4.7 Data Protection by Design and Default4.8 Data Security during Processing4.9 Personal Data Breaches4.10 Codes of Conduct and Certifications4.11 The Data ProcessorNotes
5.1 The Central Principles of Processing5.2 Legal Grounds for Data Processing5.3 International Data Transfers5.4 Intragroup Processing Privileges5.5 Cooperation Obligation on EU Bodies5.6 Foreign Law in Conflict with GDPRNotes
6.1 The Controller’s Duty of Transparency6.2 The Digital Miranda Rights6.3 The Right of Access6.4 Right of Rectification6.5 Right of Erasure6.6 Right to Restriction6.7 Right to Data Portability6.8 Rights Relating to Automated Decision Making6.9 Restrictions on Data Subject RightsNotes
7.1 In-House Mechanisms7.2 Data Subject Representation7.3 The Supervisory Authorities7.4 Judicial Remedies7.5 Alternate Dispute Resolution7.6 Forum Selection Clauses7.7 Challenging the Existing LawNotes
8.1 Allocating Liability8.2 Compensation8.3 Administrative Fines8.4 Processing Injunctions8.5 Specific PerformanceNotes
9.1 Member State Legislations9.2 Processing in the “Public Interest”9.3 Public Interest and the Rights of a Data Subject9.4 Organizational Exemptions and Responsibilities9.5 Public Documents and Data9.6 Archiving9.7 Handling Government Subpoenas9.8 Public Interest Restrictions on GDPR9.9 Processing and Freedom of Information and Expression9.10 State Use of Encrypted Data9.11 Employee Data ProtectionNotes

10.1 Step 1: Establish a “Point Person”10.2 Step 2: Internal Data Audit10.3 Step 3: Budgeting10.4 Step 4: Levels of Compliance Needed10.5 Step 5: Sizing Up the Compliance Department10.6 Step 6: Curating the Department to Your Needs10.7 Step 7: Bring Processor Partners into Compliance10.8 Step 8: Bring Affiliates into Compliance10.9 Step 9: The Security of Processing10.10 Step 10: Revamping Confidentiality Procedures10.11 Step 11: Record Keeping10.12 Step 12: Educate Employees on New Protocols10.13 Step 13: Privacy Policies and User Consent10.14 Step 14: Get Certified10.15 Step 15: Plan for the Worst Case Scenario10.16 ConclusionNotes
11.1 Social Networking as an Explosive Global Phenomenon11.2 Facebook Is Being Disparaged for Its Data Privacy Practices11.3 Facebook Has Consistently Been in Violation of GDPR Standards11.4 The Charges against Facebook11.5 What Is Facebook?11.6 A Network within the Social Network11.7 No Shortage of “Code of Conduct” Policies11.8 Indisputable Ownership of Online Human Interaction11.9 Social Networking as a Mission11.10 Underlying Business Model11.11 The Apex of Sharing and Customizability11.12 Bundling of Privacy Policies11.13 Covering All Privacy Policy Bases11.14 Claims of Philanthropy11.15 Mechanisms for Personal Data Collection11.16 Advertising: The Big Revenue Kahuna11.17 And Then There Is Direct Marketing11.18 Our Big (Advertiser) Brother11.19 A Method to Snooping on Our Clicks11.20 What Do We Control (or Think We Do)?11.21 Even Our Notifications Can Produce Revenue11.22 Extent of Data Sharing11.23 Unlike Celebrities, We Endorse without Compensation11.24 Whatever Happened to Trust11.25 And to Security of How We Live11.26 Who Is Responsible for Security of Our Life Data?11.27 And Then There Were More11.28 Who Is Responsible for Content?11.29 Why Should Content Be Moderated?11.30 There Are Community Standards11.31 Process for Content Moderation11.32 Prospective Content Moderation “Supreme Court”11.33 Working with Governmental Regimes11.34 “Live” Censorship11.35 Disinformation and “Fake” News11.36 ConclusionNotes
12.1 The Lead Supervisory Authority12.2 Facebook nicht spricht Deutsch12.3 Where Is the Beef? Fulfilling the Information Obligation12.4 Data Processing Purpose Limitation12.5 Legitimate Interests Commercial “Restraint” Needed12.6 Privacy by Design?12.7 Public Endorsement of Personalized Shopping12.8 Customizing Data Protection12.9 User Rights versus Facebook’s Obligations12.10 A Digital Blueprint and a GDPR Loophole12.11 Investigations Ahead12.12 Future ProjectsNotes
13.1 Our Second Brain13.2 Utopian or Dystopian?13.3 Digital Empowerment: Leveling the Playing FieldNotes
20142015201620172018Notes

Content preview from Data Privacy and GDPR Handbook

5Material Requisites for Processing under GDPR

Success depends upon previous preparation, and without such preparation there is sure to be failure.

— Confucius

Once the technical and organizational measures are put in place within the business to protect data, it is important to focus on the activity of “processing” itself. GDPR places numerous restrictions and rules on daily processing of data and the external interactions with consumers and foreign nations. Unlike previous laws surrounding data processing, which allowed for an expansive collection of information, GDPR is centralized around reducing data harvesting by sanctioning specific types of international data transfers along with ensuring compliance within the EU.

5.1 The Central Principles of Processing

Article 5 of GDPR lays down the essential matters that must be considered when personal data is being processed. Failing to follow these principles could result in a €20 million fine or 4% of the global annual turnover, requiring careful compliance. The term legitimacy in processing requires compliance with all existing law, which includes written common law, legislation, judgments, municipal decrees, constitutional principles, fundamental rights, and even other legal principles.¹ Essentially, the test is whether a court determining the case would consider the source as a law. Legitimacy is a fluid concept, which can change depending on the technology or societal/cultural attitudes.² The provisions lay the groundwork ...