book

EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide

Name: EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide
Author: IT Governance Privacy Team
ISBN: 9781849288378

by IT Governance Privacy Team

November 2016

Intermediate to advanced

312 pages

6h 1m

English

IT Governance Publishing

Read now

Unlock full access

Cover
Title
Copyright
About the Author
Contents
Introduction
The purpose of the GDPRStructure of the RegulationImpact on the EUImplementing the GDPRKey definitions
Chapter 1: Privacy Compliance Frameworks
Material scopeTerritorial scopeGovernanceObjectivesKey processesPersonal information management systemsISO/IEC 27001:2013Selecting and implementing a compliance frameworkImplementing the framework
Chapter 2: Role of the Data Protection Officer
Voluntary designation of a Data Protection OfficerUndertakings that share a DPODPO on a service contractPublication of DPO contact detailsPosition of the DPONecessary resourcesActing in an independent mannerProtected role of the DPOConflicts of interestSpecification of the DPODuties of the DPOThe DPO and the organisationThe DPO and the supervisory authorityData protection impact assessments and risk managementIn house or contract
Chapter 3: Common Data Security Failures
Personal data breachesAnatomy of a data breachSites of attackSecuring your informationISO 27001Ten Steps to Cyber SecurityCyber EssentialsNIST standardsThe information security policyAssuring information securityGovernance of information securityInformation security beyond the organisation’s borders
Chapter 4: Six Data Protection Principles
Principle 1: Lawfulness, fairness and transparencyPrinciple 2: Purpose limitationPrinciple 3: Data minimisationPrinciple 4: AccuracyPrinciple 5: Storage limitationPrinciple 6: Integrity and confidentialityAccountability and compliance

Chapter 5: Requirements for Data Protection Impact Assessments
Data protection impact assessmentsWhen to conduct a DPIAWho needs to be involvedData protection by design and by default
Chapter 6: Risk Management and DPIAs
DPIAs as part of risk managementRisk management standards and methodologiesRisk responsesRisk relationshipsRisk management and personal data
Chapter 7: Data Mapping
Objectives and outcomesFour elements of data flowData mapping, DPIAs and risk management
Chapter 8: Conducting DPIAs
Reasons for conducting a DPIAObjectives and outcomesConsultationFive key stages of the DPIAIntegrating the DPIA into the project plan
Chapter 9: Data Subjects’ Rights
Fair processingThe right to accessThe right to rectificationThe right to be forgottenThe right to restriction of processingThe right to data portabilityThe right to objectThe right to appropriate decision making
Chapter 10: Consent
Consent in a nutshellWithdrawing consentAlternatives to consentPracticalities of consentChildrenSpecial categories of personal dataData relating to criminal convictions and offences
Chapter 11: Subject Access Requests
The information to provideData portabilityResponsibilities of the data controllerProcesses and proceduresOptions for confirming the requester’s identityRecords to examineTime and moneyDealing with bulk subject access requestsRight to refusal
Chapter 12: Controllers and Processors
Data controllersJoint controllersData processorsControllers that are processorsControllers and processors outside the EURecords of processingDemonstrating compliance
Chapter 13: Managing Personal Data Internationally
Key requirementsAdequacy decisionsSafeguardsBinding corporate rulesThe EU-US Privacy ShieldPrivacy Shield PrinciplesLimited transfersCloud services
Chapter 14: Incident Response Management and Reporting
NotificationEvents vs incidentsTypes of incidentCyber security incident response plansKey roles in incident managementPrepareRespondFollow up
Chapter 15: GDPR Enforcement
The hierarchy of authoritiesOne-stop-shop mechanismDuties of supervisory authoritiesPowers of supervisory authoritiesDuties and powers of the European Data Protection BoardData subjects’ rights to redressAdministrative finesThe Regulation’s impact on other laws
Chapter 16: Transitioning and Demonstrating Compliance
Transition frameworksTransition – understanding the changes from DPD to GDPRUsing policies to demonstrate complianceCodes of conduct and certification mechanisms
Appendix 1: Index of the Regulation
Appendix 2: EU/EEA National Supervisory Authorities
Appendix 3: Implementation FAQs
ITG Resources

Overview

An in-depth guide to the changes your organization needs to make to comply with the EU GDPR.

The EU General Data Protection Regulation (GDPR) will supersede the 1995 EU Data Protection Directive (DPD) and all EU member states’ national laws based on it – including the UK Data Protection Act 1998 – in May 2018.

All organizations – wherever they are in the world – that process the personally identifiable information (PII) of EU residents must comply with the Regulation. Failure to do so could result in fines of up to €20 million or 4% of annual global turnover.

US organizations that process EU residents’ personal data can comply with the GDPR via the EU-US Privacy Shield, which replaced the EU-US Safe Harbor framework in 2016. The Privacy Shield is based on the DPD, and will likely be updated once the GDPR is applied in May 2018.

This book provides a detailed commentary on the GDPR, explains the changes you need to make to your data protection and information security regimes, and tells you exactly what you need to do to avoid severe financial penalties.

Product overview

EU GDPR – An Implementation and Compliance Guide is a clear and comprehensive guide to this new data protection law, explaining the Regulation, and setting out the obligations of data processors and controllers in terms you can understand.

Topics covered include:

The role of the data protection officer (DPO) – including whether you need one and what they should do.
Risk management and data protection impact assessments (DPIAs), including how, when and why to conduct a DPIA.
Data subjects’ rights, including consent and the withdrawal of consent; subject access requests and how to handle them; and data controllers’ and processors’ obligations.
International data transfers to “third countries” – including guidance on adequacy decisions and appropriate safeguards; the EU-US Privacy Shield; international organizations; limited transfers; and Cloud providers.
How to adjust your data protection processes to transition to GDPR compliance, and the best way of demonstrating that compliance.
A full index of the Regulation to help you find the articles and stipulations relevant to your organization.

The GDPR will have a significant impact on organizational data protection regimes around the world. EU GDPR – An implementation and Compliance Guide shows you exactly what you need to do to comply with the new law.

About the authors

IT Governance is a leading global provider of IT governance, risk management, and compliance expertise, and we pride ourselves on our ability to deliver a broad range of integrated, high-quality solutions that meet the real-world needs of our international client base.

Our privacy team – led by Alan Calder, Richard Campo, and Adrian Ross – has substantial experience in privacy, data protection, compliance, and information security. This experience, and our understanding of the background and drivers for the GDPR, are combined in this manual to provide the world’s first guide to implementing the new data protection regulation.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide - Second edition

Healthcare Information Privacy and Security: Regulatory Compliance and Data Security in the Age of Electronic Health Records

Bernard Peter Robichau

Publisher Resources

ISBN: 9781849288378

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills