O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide - Second edition

Book Description

The updated second edition of the bestselling guide to the changes your organisation needs to make to comply with the EU GDPR.

“The clear language of the guide and the extensive explanations, help to explain the many doubts that arise reading the articles of the Regulation.”

Giuseppe G. Zorzino

The EU General Data Protection Regulation (GDPR) will supersede the 1995 EU Data Protection Directive (DPD) and all EU member states’ national laws based on it – including the UK Data Protection Act 1998 – in May 2018.

All organisations – wherever they are in the world – that process the personal data of EU residents must comply with the Regulation. Failure to do so could result in fines of up to €20 million or 4% of annual global turnover.

This book provides a detailed commentary on the GDPR, explains the changes you need to make to your data protection and information security regimes, and tells you exactly what you need to do to avoid severe financial penalties.

Product overview

Now in its second edition, EU GDPR – An Implementation and Compliance Guide is a clear and comprehensive guide to this new data protection law, explaining the Regulation, and setting out the obligations of data processors and controllers in terms you can understand.

Topics covered include:

  • The role of the data protection officer (DPO) – including whether you need one and what they should do.
  • Risk management and data protection impact assessments (DPIAs), including how, when and why to conduct a DPIA.
  • Data subjects’ rights, including consent and the withdrawal of consent; subject access requests and how to handle them; and data controllers’ and processors’ obligations.
  • International data transfers to “third countries” – including guidance on adequacy decisions and appropriate safeguards; the EU-US Privacy Shield; international organisations; limited transfers; and Cloud providers.
  • How to adjust your data protection processes to transition to GDPR compliance, and the best way of demonstrating that compliance.
  • A full index of the Regulation to help you find the articles and stipulations relevant to your organisation.

New for the second edition:

  • Additional definitions.
  • Further guidance on the role of the DPO.
  • Greater clarification on data subjects’ rights.
  • Extra guidance on data protection impact assessments.
  • More detailed information on subject access requests (SARs).
  • Clarification of consent and the alternative lawful bases for processing personal data.
  • New appendix: implementation FAQ.
  • The GDPR will have a significant impact on organisational data protection regimes around the world. EU GDPR – An Implementation and Compliance Guide shows you exactly what you need to do to comply with the new law.

Table of Contents

  1. Cover
  2. Title
  3. Copyright
  4. About the Author
  5. Contents
  6. Introduction
    1. The purpose of the GDPR
    2. Structure of the Regulation
    3. Impact on the EU
    4. Implementing the GDPR
    5. Key definitions
  7. Chapter 1: Privacy Compliance Frameworks
    1. Material scope
    2. Territorial scope
    3. Governance
    4. Objectives
    5. Key processes
    6. Personal information management systems
    7. ISO/IEC 27001:2013
    8. Selecting and implementing a compliance framework
    9. Implementing the framework
  8. Chapter 2: Role of the Data Protection Officer
    1. Voluntary designation of a Data Protection Officer
    2. Undertakings that share a DPO
    3. DPO on a service contract
    4. Publication of DPO contact details
    5. Position of the DPO
    6. Necessary resources
    7. Acting in an independent manner
    8. Protected role of the DPO
    9. Conflicts of interest
    10. Specification of the DPO
    11. Duties of the DPO
    12. The DPO and the organisation
    13. The DPO and the supervisory authority
    14. Data protection impact assessments and risk management
    15. In house or contract
  9. Chapter 3: Common Data Security Failures
    1. Personal data breaches
    2. Anatomy of a data breach
    3. Sites of attack
    4. Securing your information
    5. ISO 27001
    6. Ten Steps to Cyber Security
    7. Cyber Essentials
    8. NIST standards
    9. The information security policy
    10. Assuring information security
    11. Governance of information security
    12. Information security beyond the organisation’s borders
  10. Chapter 4: Six Data Protection Principles
    1. Principle 1: Lawfulness, fairness and transparency
    2. Principle 2: Purpose limitation
    3. Principle 3: Data minimisation
    4. Principle 4: Accuracy
    5. Principle 5: Storage limitation
    6. Principle 6: Integrity and confidentiality
    7. Accountability and compliance
  11. Chapter 5: Requirements for Data Protection Impact Assessments
    1. Data protection impact assessments
    2. When to conduct a DPIA
    3. Who needs to be involved
    4. Data protection by design and by default
  12. Chapter 6: Risk Management and DPIAs
    1. DPIAs as part of risk management
    2. Risk management standards and methodologies
    3. Risk responses
    4. Risk relationships
    5. Risk management and personal data
  13. Chapter 7: Data Mapping
    1. Objectives and outcomes
    2. Four elements of data flow
    3. Data mapping, DPIAs and risk management
  14. Chapter 8: Conducting DPIAs
    1. Reasons for conducting a DPIA
    2. Objectives and outcomes
    3. Consultation
    4. Five key stages of the DPIA
    5. Integrating the DPIA into the project plan
  15. Chapter 9: Data Subjects’ Rights
    1. Fair processing
    2. The right to access
    3. The right to rectification
    4. The right to be forgotten
    5. The right to restriction of processing
    6. The right to data portability
    7. The right to object
    8. The right to appropriate decision making
  16. Chapter 10: Consent
    1. Consent in a nutshell
    2. Withdrawing consent
    3. Alternatives to consent
    4. Practicalities of consent
    5. Children
    6. Special categories of personal data
    7. Data relating to criminal convictions and offences
  17. Chapter 11: Subject Access Requests
    1. The information to provide
    2. Data portability
    3. Responsibilities of the data controller
    4. Processes and procedures
    5. Options for confirming the requester’s identity
    6. Records to examine
    7. Time and money
    8. Dealing with bulk subject access requests
    9. Right to refusal
  18. Chapter 12: Controllers and Processors
    1. Data controllers
    2. Joint controllers
    3. Data processors
    4. Controllers that are processors
    5. Controllers and processors outside the EU
    6. Records of processing
    7. Demonstrating compliance
  19. Chapter 13: Managing Personal Data Internationally
    1. Key requirements
    2. Adequacy decisions
    3. Safeguards
    4. Binding corporate rules
    5. The EU-US Privacy Shield
    6. Privacy Shield Principles
    7. Limited transfers
    8. Cloud services
  20. Chapter 14: Incident Response Management and Reporting
    1. Notification
    2. Events vs incidents
    3. Types of incident
    4. Cyber security incident response plans
    5. Key roles in incident management
    6. Prepare
    7. Respond
    8. Follow up
  21. Chapter 15: GDPR Enforcement
    1. The hierarchy of authorities
    2. One-stop-shop mechanism
    3. Duties of supervisory authorities
    4. Powers of supervisory authorities
    5. Duties and powers of the European Data Protection Board
    6. Data subjects’ rights to redress
    7. Administrative fines
    8. The Regulation’s impact on other laws
  22. Chapter 16: Transitioning and Demonstrating Compliance
    1. Transition frameworks
    2. Transition – understanding the changes from DPD to GDPR
    3. Using policies to demonstrate compliance
    4. Codes of conduct and certification mechanisms
  23. Appendix 1: Index of the Regulation
  24. Appendix 2: EU/EEA National Supervisory Authorities
  25. Appendix 3: Implementation FAQs
  26. ITG Resources