Book description
This comprehensive guide for those with little or no legal knowledge provides detailed analysis of current data protection laws. It enables the reader to operationalise a truly risk-based approach to data protection and compliance, beyond just emphasis on regulatory frameworks and legalistic compliance.
Table of contents
- Front Cover
- Half-Title Page
- BCS, THE CHARTERED INSTITUTE FOR IT
- Title Page
- Copyright Page
- Contents
- List of figures and tables
- Contributors
- Copyright notices
- Abbreviations
- Preface
- PART I THE BIG PICTURE
  - 1. INTRODUCTION TO DATA PROTECTION
    - What is data protection?
    - Does data protection mean privacy?
    - What else should be protected?
    - The protected activities
    - Thematic priorities of data protection, trends and hot topics – supporting a risk-based approach
      - AdTech and cookies
      - Advanced technology and data processing techniques
      - Advanced surveillance
      - Artificial intelligence
      - Automated facial recognition
      - Connected vehicles
      - Children
      - Cybersecurity
      - Data subject rights – timetable breaches
      - Democracy
      - HR problems
      - International transfers
      - Privacy and electronic communications (‘ePrivacy’)
      - Profiling
      - Virtual voice assistants
    - Core law
    - Data protection penalties and litigation
    - Summary
  - 2. INTRODUCTION TO THE GDPR
    - Brexit: the impacts for data protection and the impacts for this book
    - Recitals and articles of the GDPR
    - Jurisdiction of the GDPR
    - Material scope of the GDPR
    - The building blocks of the GDPR
    - The actors
    - Compliance framework – the standards of protection
    - Compliance framework – controls
    - Critical outcomes to be achieved
    - Compensatory mechanisms to remedy non-compliance
    - Where the GDPR does not apply – exceptions and restrictions
    - Brexit – the UK, Frozen and EU GDPR
    - Summary
  - 3. INTRODUCTION TO EPRIVACY
    - Regulating the electronic communications sector
    - The relationship between data protection and ePrivacy
    - The actors and protected parties
    - Confidentiality of communications
    - Direct marketing
    - Processing of traffic data, location data and value added services
    - Security and personal data breach notification
    - Calling line ID and directories of subscribers
    - Law reform underway
    - Summary
  - 4. INTRODUCTION TO OPERATIONAL DATA PROTECTION
    - Operational adequacy schemes – implementing data protection (operationalisation)
    - The three layers of an organisation
    - Implementing data protection in the people layer
    - Implementing data protection in the paper layer
      - Data Protection by Design and Default (DPbDD, or PbD)
      - Governance structures
      - Records of processing activities
      - Risk registers and assessment tools and methodologies
      - Legitimate interests assessments
      - Transfer assessments
      - Transparency notices
      - Contracts and similar documents
      - Policies, procedures and controls frameworks
      - Records of significant events
      - Programme and project plans
      - Technology architecture
      - Assurance records
      - Other mechanisms for assurance
    - Implementing data protection in the technology and data layer
    - Risk management – implementing measures to assess risks to rights and freedoms and the appropriateness of controls
    - Globalisation – implementing data protection on an international stage
    - Impacts for micro, small and medium-sized enterprises
    - Security and connection to wider legal and operational frameworks
    - Summary
- PART II CORE LAW
  - 5. THE PRINCIPLES OF DATA PROTECTION
    - A constant presence in data protection law
    - The duty of compliance (accountability)
    - Lawfulness, fairness and transparency – the first principle
    - Purpose limitation – the second principle
    - Data minimisation – the third principle
    - Accuracy – the fourth principle
    - Storage limitation – the fifth principle
    - Integrity and confidentiality (including security) – the sixth principle
    - Accountability – the seventh principle
    - Lawfulness of processing of personal data (Article 6)
    - Lawfulness of processing – special category personal data and criminal convictions and offences
    - Summary
  - 6. THE RIGHTS OF DATA SUBJECTS
- PART III OPERATING INTERNATIONALLY
  - 7. NATIONAL SUPERVISION WITHIN AN INTERNATIONAL FRAMEWORK
  - 8. TRANSFERRING DATA BETWEEN THE GDPR LAND MASS AND THIRD COUNTRIES
    - Why regulate international transfers?
    - What is a transfer?
    - General principles for transfers
    - Transfers on the basis of an adequacy decision
    - Transfers subject to appropriate safeguards
    - Derogations for specific situations
    - Litigation on international data transfers
    - Navigating international data transfers
    - A practical approach to international transfers
    - Summary
  - 9. DATA PROTECTION BEYOND THE GDPR LAND MASS
    - Multi-jurisdictional frameworks protecting rights and freedoms including data protection
    - National laws beyond the GDPR land mass
    - Comparative review between the GDPR and key international laws
    - United States
    - Brazil
    - India
    - China
    - Data localisation
    - Coping strategies for organisations operating globally
    - Summary
- PART IV DELIVERY
  - 10. MECHANISMS TO SUPPORT OPERATIONAL COMPLIANCE
  - 11. PROGRAMMATIC APPROACHES FOR DELIVERING DATA PROTECTION BY DESIGN AND DEFAULT
    - The origins of Data Protection by Design and Default
    - Data Protection by Design and Default in the GDPR
    - The need for DPbDD – compelling events that trigger data protection transformation
    - Embarking upon a transformation journey to achieve DPbDD
    - Governance frameworks required by DPbDD for accountability purposes
    - Summary
  - 12. BEING ACCOUNTABLE FOR RECORDS OF PROCESSING, LEGITIMATE INTERESTS AND RISK MANAGEMENT
    - Accountability for our decisions, actions and behaviours
    - Accountability as a core principle of data protection
    - Demonstrating accountability – an ongoing obligation, not a moment-in-time issue
    - End-to-end accountability – from idea to reality
    - Accountability in practice
      - Records of processing activities
      - ROPAs – continuing obligations
      - Understanding data
      - Producing the ROPA on request
      - Benefits of extended records of processing – going beyond A.
      - Developing records of processing – discovery and analysis
      - Technology-assisted data discovery
      - ROPAs and Data Protection by Design and Default
      - Gated development – upskilling
      - Organisation type
      - A combination of all the above
      - Exemptions
    - Being accountable for legitimate interests
    - Being accountable for risk management
    - Being accountable for adverse scrutiny
    - Being accountable for an accumulation of evidence
    - Summary
  - 13. ‘THE JOURNEY TO CODE’
    - The Journey to Code – working towards achieving compliance within technology and data themselves
    - The Journey has commenced
    - The nature of the problem
    - A technology reference architecture for The Journey to Code
    - Privacy management technology
    - Data intelligence technology
    - Principles and rights technology
    - Producers of technology and data processing systems
    - What comes next on The Journey to Code?
    - Summary
- PART V ADVERSE SCRUTINY
  - 14. HOW TO PREPARE FOR THE RISKS OF CHALLENGE AND ‘ADVERSE SCRUTINY’
    - Challenge and scrutiny are inevitable
    - Challenge and scrutiny designed into regulatory law
    - The continuum of challenge and scrutiny
    - Modelling challenge and scrutiny risks
      - Situations in the GDPR calling for risk assessments
      - Risk scenarios and context-specific risk modelling
      - The special characteristics and how they relate to modelling
      - Modelling – challenge and scrutiny as reactive events
      - Tiers of visibility – catalysts of challenge and scrutiny
      - Modelling the domino effect of challenge and scrutiny
      - Other interests to be considered when modelling challenge and scrutiny risks
      - The relative impacts of challengers and scrutineers
      - Outcomes versus structures and artefacts
    - Summary
  - 15. COMPLAINTS, RIGHTS REQUESTS, REGULATORY INVESTIGATIONS AND LITIGATION
  - 16. REGULATORY ACTION
  - 17. HANDLING PERSONAL DATA BREACHES
    - The legal obligation to be secure
    - Operational security
    - Personal data breaches, breach notification and communications
      - Philosophies within breach notification and communications – transparency and its effects
      - Personal data breach definition
      - Breach of security
      - Incident detection and response
      - Types of personal data breaches – risks to rights and freedoms
      - Timetables for notification and communications
      - Risks to rights and freedoms and the carve-out for encrypted data
      - Interests of law enforcement
      - A.34 communications and disproportionate effort
      - Contents of notifications and communications
      - Ordering A.34 communications
      - Breach logs
    - Summary
- Glossary
- Index
- Back Cover
Product information
- Title: Data Protection and Compliance, 2nd Edition
- Author(s):
- Release date: November 2021
- Publisher(s): BCS, The Chartered Institute for IT
- ISBN: 9781780175263