GDPR For Dummies

Title Page
Copyright Page
Table of Contents
Introduction
	About This Book
	Foolish Assumptions
	How This Book Is Organized
		Part 1: Getting Started with GDPR
		Part 2: The Key Principles of GDPR
		Part 3: Key Documentation
		Part 4: Data Subject Rights, Protection, and Security
		Part 5: The Workplace, Marketing, and Beyond
		Part 6: The Part of Tens
		Part 7: Appendixes
	Icons Used in This Book
	What You’re Not to Read
	Where to Go from Here
		GDPR Facebook group
		GDPR Compliance Pack
		Other ways to stay in the know
		One-on-one legal advice
Part 1 Getting Started with GDPR
	Chapter 1 Grasping the Fundamentals of GDPR and Data Protection
		Understanding Data Protection Laws
		The Ten Most Important Obligations of the GDPR
		Facing the Consequences
			Increased fines and sanctions
			Civil claims
			Data subject complaints
			Brand damage
			Loss of trust
		Being a Market Leader
	Chapter 2 Key Changes Introduced by GDPR
		Increased Territorial Scope
			EU established data controllers
			Non-EU established controllers
		Understanding the Representative’s Role and When to Appoint One
			Responsibilities of the Representative
			Qualifications of the Representative
		Consent and Withdrawal of Consent
		Additional Data Subject Rights
		Liability of Processors
		Specific Protection for Children’s Data
		Data Breach Notification
		Data Protection Officers
		Accountability and Governance
		Increased Fines and Sanctions
		Ability to Bring a Civil Claim
Part 2 The Key Principles of GDPR
	Chapter 3 Digging In to Data: What’s Personal, What’s Sensitive, and How It’s Processed
		Dissecting the Definition of Personal Data
			Information
			Relating to
			Natural person
			Identified or identifiable
			Directly or indirectly
			Identifier
			Anonymization
			Pseudonymization
		Defining Special-Category Data
		Understanding the Processing of Data
		Processing Personal Data Lawfully
			Compatibility of purposes
			Necessity
			Consent
			Contractual necessity
			Legal obligation necessity
			Vital interests necessity
			Public interests necessity
			Legitimate interests
			Processing special-category data
		The Consequences of Getting Processing Wrong
	Chapter 4 The Six Data Protection Principles
		Accountability
		Lawfulness, Fairness, and Transparency
			Lawfulness
			Fairness
			Transparency
		Purpose Limitation
		Data Minimization
		Accuracy
			Regarding opinions
			Taking reasonable measures
			Updating personal data
		Storage Limitation
		Integrity and Confidentiality
		Consequences of Noncompliance with the Six Principles
	Chapter 5 Data Controllers and Data Processors
		Recognizing Who’s a Data Controller
			Exploring joint controllers
			Joint controllers of Facebook Fan Pages
		Understanding Who’s a Data Processor
			Differentiating who are subprocessors
		Exploring Obligations under the GDPR
			Obligations on controllers
			Obligations on joint controllers
			Obligations on processors
			Obligations on the data controller to use GDPR-compliant data processors
		Exploring Liabilities under the GDPR
			Liability for data controller for using a noncompliant data processor
			Liability of data processors
	Chapter 6 Transfers of Data Outside of the EEA
		Principles of Data Transfer Outside of the EEA
		Countries with an Adequacy Finding
		Becoming Part of the US Privacy Shield
		Working with Data in Transit and Onward Transfers
		Understanding Standard Contractual Clauses
			Determining the type of standard contractual clause to use
			Regarding the controller-to-processor transfer
		Establishing Binding Corporate Rules
		Derogations for International Transfers
			Explicit consent
			Contractual necessity
			Public interest
			Legal claim necessity
			Vital interests
			Open register
			Compelling legitimate interests
Part 3 Key Documentation
	Chapter 7 Building Your Data Inventory
		Understanding the Rationale for Data Inventory
		Completing a Data Inventory
			Preparatory steps for data inventory
			The Data Inventory template
		Exploring Systems for Managing Data
		Article 30: The Obligation to Keep Records of Data Processing
			Controller’s obligations
			Processor’s obligations
	Chapter 8 Penning a Privacy Notice
		Learning the Rationale for a Privacy Notice
			Privacy Notices where you collect data directly from individuals
			Privacy Notices where you collect data from a third party or publicly available source
		Creating Your Privacy Notice
		Communicating Your Privacy Notice
			Communicating via email
			Communicating via your website
			Communicating over the phone
			Communicating in person
		The Consequences of Not Having an Appropriate Privacy Notice
	Chapter 9 Cookie Policy
		Defining Cookies
		Understanding the Rationale for a Cookie Policy
			Lawful grounds for processing personal data obtained from cookies
		Creating and Communicating Your Cookie Policy
			Assessing your cookies
			Writing your Cookie Policy
			Posting your Cookie Policy
			Cookie walls
			Using tools to communicate your Cookie Policy and obtain consent
		Looking into the Future of Cookies
		Sanctions for Not Having an Appropriate Cookie Policy
	Chapter 10 Drafting Data Processing and Data Sharing Agreements
		Understanding Data Processing Agreements
			What to include in the Data Processing Agreement
			Responsibility for the Data Processing Agreement
			Negotiating a Data Processing Agreement
		Creating a Data Processing Agreement
		Understanding Data Sharing Agreements
		Creating a Data Sharing Agreement
		What to Do with Your Agreements
			Data Processing Agreements
			Data Sharing Agreements
		Examining the Consequences of Not Having the Appropriate Agreements in Place
			Data Processing Agreements
			Data Sharing Agreements
	Chapter 11 Writing Opt-In Wording
		Understanding When to Use Opt-In Wording
			Opt-in particulars
			Opt-ins for lead magnets
			When to use opt-out wording
			The ePrivacy Directive and the soft opt-in
			Explicit-consent opt-in wording
		Creating and Communicating Your Opt-In Wording
			The do’s and don’ts of opt-in wording
			Avoiding consent fatigue
			Keeping records of consent
		Consequences of Not Having the Appropriate Opt-In Wording
	Chapter 12 Writing a Legitimate Interests Assessment Form
		Knowing When to Use a Legitimate Interests Assessment Form
		Completing a Legitimate Interests Assessment Form
			Purpose test
			Necessity test
			Balancing test
		What to Do with Your Legitimate Interests Assessment Form
		Consequences of Not Carrying Out a Legitimate Interests Assessment
	Chapter 13 Writing Other Documents
		Data Protection Impact Assessments
		Data Subject Access Requests and Response Records
			Data Subject Access Requests (DSAR)
			Response to a DSAR
		Data Breach Records
		Data Protection Policies
		Data Retention Policies
		Additional Privacy Notices
Part 4 Data Subject Rights, Protection, and Security
	Chapter 14 Data Subject Rights
		General Matters Relating to Data Subject Rights
			Territorial scope of data subject rights
			Form in which a right is exercised
			Deadline for replying to requests
			Charging a fee
			Requesting identification
			Refusing to comply
			Requests by or on behalf of others or from children
			Exemptions
			The consequences of failing to respond correctly
			Enforcement actions
		Defining the Eight Data Subject Rights
			The right to be informed
			The right of access
			The right to rectification
			The right to erasure
			The right to restrict processing
			The right to data portability
			The right to object
			Rights relating to automated decision-making and profiling
		Data Subject Access Rights (DSARs)
			Key changes to DSARs under GDPR
			Exemptions to data being provided as part of a DSAR
			Responding to a Data Subject Access Request
			Searching for relevant personal data
		The Right to Be Forgotten
			When the right to be forgotten applies
			When the right to be forgotten doesn’t apply
			Notifying third parties to whom you have transferred data
			Erasing data from backup systems
			Children’s data
			Search engine results
	Chapter 15 Data Protection by Design and by Default
		Defining by Design and by Default
			Data protection by design
			Data protection by default
		Conducting a Data Protection Impact Assessment
			The DPIA process
			When to consult your supervisory authority
			Code of conduct
		Understanding the Data Protection Officer
			What a DPO is
			The DPO’s responsibilities
			When a DPO is required
			DPO protections
			DPO contractors
	Chapter 16 Data Security
		Reviewing Data Security
			Confidentiality
			Integrity
			Availability
		Article 32 Security Obligations
		Identifying Your Data Assets
		Protecting Your Data
			Technical controls
			Procedural controls
			Personnel controls
			Physical controls
		Handling Security Incidents
			Detecting security incidents
			Responding to security incidents
			Recovering from security incidents
			Conducting regular testing and assessments
		Introducing Security-Related Frameworks
			ISO 27001:2013
			ISO 27005:2018
			Cyber Essentials (Plus)
			NIST Cybersecurity Framework
		Data Controller and Data Processor Liabilities
			The role of subprocessors
			Doing your due diligence
			Breaches caused by data processors
			Sanctions for data breaches caused by data processors
	Chapter 17 Data Breaches and Reporting Obligations
		Understanding What Constitutes a Breach
			Categorizing breaches
		Assessing Data Breaches
			Addressing potential consequences
			Weighing risk factors
			Becoming aware of the breach
			Investigating the breach
			Responding to a breach
		Sending Notifications
			Notifying the supervisory authority
			Notifying data subjects
		Keeping Internal Records
		Data Processors and Data Breaches
		Sanctions for Data Breaches
Part 5 The Workplace, Marketing, and Beyond
	Chapter 18 GDPR and the Workplace
		Choosing Appropriate Lawful Grounds of Processing for Employee Data
			Lawful grounds of processing for employee data
			Lawful grounds of processing for candidate data
			Lawful grounds of processing for data about former employees
		Writing and Communicating an Employee Privacy Notice
			What to include
			What to do with it
			Managing subject access requests from employees
			Understanding exemptions
			Responding to an employee DSAR
		Monitoring Employees
			Types of employee monitoring
			Principles for employee monitoring
			Identifying legitimate monitoring
			Recognizing monitoring that isn’t legitimate
			CCTV
	Chapter 19 Keeping Your Marketing GDPR-Compliant
		Marketing, Defined
		General Matters Regarding the GDPR and Marketing
			The lawful grounds for processing
			B2B marketing and B2C marketing
			Opt-outs and suppression lists
			The inter-relationship with the ePrivacy Directive
			The consequences of getting it wrong
		Online Marketing
			Facebook marketing
			Display advertising
			Behavioral advertising
			Email and text marketing
			Affiliate marketing
			Automated calling
		Offline Marketing
			Prospecting and networking
			Events
			Exhibitions
			Referrals
			Postal marketing
			Non-automated calls
	Chapter 20 Children, Charities, and Associations
		Children
			Differences for children under the GDPR
			Consent of parents and children
			Additional rights of children
		Charities
			Fundraising and marketing
			Wealth screening and data matching
			Religious charities and door- to-door preaching
			Volunteers
			Security
			Data protection fee
			ICO risk review report for charities
		Associations
	Chapter 21 Supervisory Authorities, Remedies, Liabilities, and Penalties
		Introducing Supervisory Authorities
		Finding Your Supervisory Authority and Lead Authority
			Supervisory authority
			Lead authority
		Reporting Data Breaches to Your Supervisory Authority
		Powers of Supervisory Authorities
			Investigatory powers
			Corrective powers
			Authorization and advisory powers
		Remedies, Liabilities, and Penalties
			Data subject complaints
			Judicial remedies
			The data controller’s and data processor’s liability to provide compensation
			A 2-tiered system of fines
			Other penalties
Part 6 The Part of Tens
	Chapter 22 Ten GDPR Resources
		Suzanne Dibble’s resources
		Supervisory Authorities and EDPB Websites
		The EU Commission
		International Association of Privacy Professionals (IAPP)
		Privacy Shield Searchable Database
		Easily Readable Online Text of the GDPR
		Cookie Consent Tools
		GDPR Compliance Platforms
			OneTrust
			TrustArc
			GDPR Mentor
		GDPR Enforcement Tracker
		Book Contributors’ Resources
	Chapter 23 Ten Must-Have Skills for the DPO
		Experience in Privacy and Security Risk Assessment
		Knowledge of Data Protection Law and Practices
		Ability to Work Independently
		Ability to Work Autonomously
		Ability to Communicate Effectively
		Ability to Negotiate Adeptly
		Maintain Cultural Awareness and Sensitivity
		Demonstrate Leadership
		Ability to Embrace Change
		Display Business and Interpersonal Acumen
	Chapter 24 Ten Ways to Train Employees to Be Good Stewards of Data
		Understand That One Size Doesn’t Fit All
		Assess Individuals’ Learning Styles
		Develop Engaging Training
		Teach the Basics to All Staff
		Provide Detailed Training per Function
		Train on Internal Systems and Procedures
		Reinforce Training with Reminders around the Workplace
		Spread Out Training across Multiple Sessions
		Encourage a Culture of Openness
		Adopt a Culture of Privacy
Part 7 Appendixes
	Appendix
A Upcoming Changes to Data Protection Laws
	Appendix
B List of Supervisory Authorities
	Appendix
C GDPR Checklist
	Appendix
D Glossary
Index