EU General Data Protection Regulation (GDPR), third edition - An Implementation and Compliance Guide

Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. About The Author
  5. Contents
  6. Introduction
    1. The purpose of the GDPR
    2. Structure of the Regulation
    3. Impact on the EU
    4. Implementing the GDPR
    5. Key definitions
  7. Chapter 1: Scope, controllers and processors
    1. Scope of the GDPR
    2. Controller and processor
    3. Data controllers
    4. Joint controllers
    5. Data processors
    6. Controllers that are processors
    7. Controllers and processors outside the EU
    8. Records of processing
    9. Demonstrating compliance
  8. Chapter 2: Six data processing principles
    1. Principle 1: Lawfulness, fairness and transparency
    2. Principle 2: Purpose limitation
    3. Principle 3: Data minimisation
    4. Principle 4: Accuracy
    5. Principle 5: Storage limitation
    6. Principle 6: Integrity and confidentiality
    7. Accountability and compliance
  9. Chapter 3: Data subjects’ rights
    1. Fair processing
    2. The right to access
    3. The right to rectification
    4. The right to be forgotten
    5. The right to restriction of processing
    6. The right to data portability
    7. The right to object
    8. Rights in relation to automated decision-making
  10. Chapter 4: Privacy compliance frameworks
    1. Material scope
    2. Territorial scope
    3. Governance
    4. Objectives
    5. Key processes
    6. Personal information management systems
    7. ISO/IEC 27001:2013
    8. Selecting and implementing a compliance framework
    9. Implementing the framework
  11. Chapter 5: Information security as part of data protection
    1. Personal data breaches
    2. Anatomy of a data breach
    3. Sites of attack
    4. Securing your information
    5. ISO 27001
    6. Ten Steps to Cyber Security
    7. Cyber Essentials
    8. NIST standards
    9. The information security policy
    10. Assuring information security
    11. Governance of information security
    12. Information security beyond the organisation’s borders
  12. Chapter 6: Lawfulness and consent
    1. Consent in a nutshell
    2. Withdrawing consent
    3. Alternatives to consent
    4. Practicalities of consent
    5. Children
    6. Special categories of personal data
    7. Data relating to criminal convictions and offences
  13. Chapter 7: Subject access requests
    1. Receiving a request
    2. The information to provide
    3. Data portability
    4. Responsibilities of the data controller
    5. Processes and procedures
    6. Options for confirming the requester’s identity
    7. Records to examine
    8. Time and money
    9. Dealing with bulk subject access requests
    10. Right to refusal
    11. The process flow
  14. Chapter 8: Role of the data protection officer
    1. Voluntary designation of a data protection officer
    2. Undertakings that share a DPO
    3. DPO on a service contract
    4. Publication of DPO contact details
    5. Position of the DPO
    6. Necessary resources
    7. Acting in an independent manner
    8. Protected role of the DPO
    9. Conflicts of interest
    10. Specification of the DPO
    11. Duties of the DPO
    12. The DPO and the organisation
    13. The DPO and the supervisory authority
    14. Data protection impact assessments and risk management
    15. In-house or contract
  15. Chapter 9: Data mapping
    1. Objectives and outcomes
    2. Four elements of data flow
    3. Data mapping, DPIAs and risk management
  16. Chapter 10: Requirements for data protection impact assessments
    1. DPIAs
    2. After the DPIA
    3. Consulting with stakeholders
    4. Who needs to be involved?
    5. Data protection by design and by default
  17. Chapter 11: Risk management and DPIAs
    1. DPIAs as part of risk management
    2. Risk management standards and methodologies
    3. Risk responses
    4. Risk relationships
    5. Risk management and personal data
  18. Chapter 12: Conducting DPIAs
    1. Five key stages of the DPIA
    2. Identify the need for the DPIA
    3. Objectives and outcomes
    4. Consultation
    5. Describe the information flow
    6. Identify privacy and related risks
    7. Identify and evaluate privacy solutions
    8. Sign off and record the outcome
    9. Integrating the DPIA into the project plan
  19. Chapter 13: Managing personal data internationally
    1. Key requirements
    2. Adequacy decisions
    3. Safeguards
    4. Binding corporate rules
    5. Standard contractual clauses
    6. The EU-US Privacy Shield
    7. Privacy Shield Principles
    8. Limited transfers
    9. Cloud services
  20. Chapter 14: Incident response management and reporting
    1. Notification
    2. Events vs incidents
    3. Types of incident
    4. Cyber security incident response plans
    5. Key roles in incident management
    6. Prepare
    7. Respond
    8. Follow up
  21. Chapter 15: GDPR enforcement
    1. The hierarchy of authorities
    2. One-stop-shop mechanism
    3. Duties of supervisory authorities
    4. Powers of supervisory authorities
    5. Duties and powers of the European Data Protection Board
    6. Data subjects’ rights to redress
    7. Administrative fines
    8. The Regulation’s impact on other laws
  22. Chapter 16: Transitioning and demonstrating compliance
    1. Transition frameworks
    2. Transition – understanding the changes from DPD to GDPR
    3. Using policies to demonstrate compliance
    4. Codes of conduct and certification mechanisms
  23. Appendix 1: Index of the Regulation
  24. Appendix 2: EU/EEA national supervisory authorities
  25. Appendix 3: Implementation FAQ
  26. IT Governance resources

Product information

  • Title: EU General Data Protection Regulation (GDPR), third edition - An Implementation and Compliance Guide
  • Author(s): IT Governance
  • Publisher(s): IT Governance Publishing