GDPR – How to Achieve and Maintain Compliance

Cover
Half Title
Title Page
Copyright Page
Table of Contents
The Authors
Acknowledgements
Introduction
	Structure of this book
	Italic text
	The journey of GDPR to statute
	Penalties
	Practical application
	GDPR history
	Key roles defined
	GDPR principles
	Your GDPR project
Section 1: Does the GDPR apply to you?
	What information is covered by the GDPR?
	The GDPR is not just a European issue
	Can you choose a Supervisory Authority (SA)?
	Does the GDPR affect your whole organization?
	Pan-national data
Section 2: GDPR principles
	Consent
Section 3: Key roles
	Data Protection Officer (DPO)
	The role of the Data Protection Officer
	Data controller
	How to determine whether an organization is a data controller or a data processor
	Data processor
	Sub-processor
Section 4: Rights of the data subject
	The right to be informed
Section 5: Your GDPR project
	GDPR tools
	GDPR: a breakdown
	Create an action plan and from your project team(s)
	The role of IT
	Review what data your suppliers hold
	Audit your suppliers
	Create a data privacy governance structure
	Review your right to process
	Check your incident response plan
	Disaster Recovery and Business Continuity Plan
	Transitioning to BAU
	Change management
	Controller obligations in BAU
	Data subject rights in BAU
	Risk management and information security in BAU
	HR and communications in BAU
Section 6: Information security best practice
	The need for a robust information security framework
	ISO27001/2:2013
	Implementing ISO27001
	The ISO2700 series of standards
	NIST security framework
	Cyber essentials
	Security testing
	Vulnerability scanning
	Penetration testing
	Tiger Attack
	Risk
	Understanding risk
	Assessing your suppliers for security
	Key areas of security you should consider
Section 7: Awareness
	Information security policy
	Induction
	Refresh and update
	Awareness
	Security testing
	Incident response plan
	Whistle-blowing policy/Hot-line
Section 8: Data handling and management
	Data holdings and retention
	Understand the value of your data
	Data ownership
	Data Protection Impact Assessment – DPIA
	Data protection by design and default
	The data flows
	Reflections
	Data coming in
	Data going out
	Risk assessment
	Risks to the individual
	Anonymization and pseudonymization
	Data retention
	Binding corporate rules
	Lawful processing
	Lawfulness of processing special categories of data
	Consent
	Transferring data outside of the EU
	Defensive data
	Data protection by design and default
Section 9: Data breaches
	Penalties
	Compensation
	Breaches
	Incident response plan
	Who should be involved?
	Victim or villain?
	Monitoring
	Perimeter
	Security testing
Section 10: Your technology environment
	Introduction
	Website
	Intranet
	Extranet
	Mobile apps
	Social media
	On-line file sharing
	Bring your own device – BYOD
	Backend systems
	Legacy systems
	Where do you process your data?
Section 11: Assessing your suppliers
	Assessing your suppliers for security
	Sample Information Security Questionnaire
Section 12: Direct marketing
	Introduction
	Direct marketing
	Market research
	Consent
	Implied consent
	Children
	Telephone and text marketing
	Lists
	Profiling
	Summary
Section 13: Privacy Notice(s)
Section 14: The Regulation
	The EU General Data Protection Regulation
	Article 1 Subject Matter and Objectives
	Article 2 Material Scope
	Article 3 Territorial Scope
	Article 4 Definitions
	Article 5 Principles relating to processing of Personal Information
	Article 6 Lawfulness of Processing
	Article 7 Conditions for Consent
	Article 8 Conditions applicable to child’s consent in relation to information society services
	Article 9 Processing of special categories of personal data
	Article 10 Processing of personal data relating to criminal convictions and offences
	Article 11 Processing which does not require identification
	Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject
	Article 13 Information to be provided where personal data are collected from the data subject
	Article 14 Information to be provided where personal data have not been obtained from the data subject
	Article 15 Right of access by the data subject
	Article 16 Right to rectification
	Article 17 Right to erasure (‘right to be forgotten’)
	Article 18 Right to restriction of processing
	Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing
	Article 20 Right to data portability
	Article 21 Right to Object
	Article 22 Automated individual decision-making, including profiling
	Article 23 Restrictions
	Article 24 Responsibility of the controller
	Article 25 Data protection by design and by default
	Article 26 Joint Controllers
	Article 27 Representatives of controllers or processors not established in the Union
	Article 28 The Processor
	Article 29 Processing under the authority of the controller or processor
	Article 30 Records of processing Activities
	Article 31 Cooperation with the supervisory authority
	Article 32 Security of Processing
	Article 33 Notification of a personal data breach to the supervisory authority
	Article 34 Communication of a personal data breach to the data subject
	Article 35 Data Protection Impact Assessment
	Article 36 Prior Consultation
	Article 37 Designation of the data protection officer
	Article 38 Position of the data protection officer
	Article 39 Tasks of the data protection officer
	Article 40 Codes of Conduct
	Article 41 Monitoring of approved codes of conduct
	Article 42 Certification
	Article 43 Certification Bodies
	Article 44 General principle for transfers
	Article 45 Transfers on the basis of an adequacy decision
	Article 46 Transfers subject to appropriate safeguards
	Article 47 Binding corporate rules
	Article 48 Transfers or disclosures not authorised by Union law
	Article 49 Derogations for specific situations
	Article 50 International cooperation for the protection of personal data
	Article 51 Supervisory Authority
	Article 52 Independence
	Article 53 General conditions for the members of the supervisory authority
	Article 54 Rules on the establishment of the supervisory authority
	Article 55 Competence
	Article 56 Competence of the lead supervisory authority
	Article 57 Tasks
	Article 58 Powers
	Article 59 Activity Reports
	Article 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned
	Article 61 Mutual Assistance
	Article 62 Joint operations of supervisory authorities
	Article 63 Consistency Mechanism
	Article 64 Opinion of the Board
	Article 65 Dispute resolution by the Board
	Article 66 Urgency Procedure
	Article 67 Exchange of Information
	Article 68 European Data Protection Board
	Article 69 Independence
	Article 70 Tasks of the Board
	Article 71 Reports
	Article 72 Procedure
	Article 73 Chair
	Article 74 Tasks of the Chair
	Article 75 Secretariat
	Article 76 Confidentiality
	Article 77 Right to lodge a complaint with a supervisory authority
	Article 78 Right to an effective judicial remedy against a supervisory authority
	Article 79 Right to an effective judicial remedy against a controller or processor
	Article 80 Representation of data subjects
	Article 81 Suspension of Proceedings
	Article 82 Right to compensation and liability
	Article 83 General conditions for imposing administrative
	Article 84 Penalties
	Article 85 Processing and freedom of expression and information
	Article 86 Processing and public access to official documents
	Article 87 Processing of the national identification number
	Article 88 Processing in the context of employment
	Article 89 Safeguards and derogations relating to
processing for archiving purposes in the public interest,
scientific or historical research purposes or statistical
purposes
	Article 90 Obligations of secrecy
	Article 91 Existing data protection rules of churches and religious associations
	Article 92 Exercise of the Delegation
	Article 93 Committee Procedure
	Article 94 Repeal of Directive 95/46/EC
	Article 95 Relationship with Directive 2002/58/EC
	Article 96 Relationship with previously concluded Agreements
	Article 97 Commission Reports
	Article 98 Review of other Union legal acts on data protection
	Article 99 Entry into force and application
Index