EU General Data Protection Regulation (GDPR), third edition An Implementation and Compliance Guide
All organisations - wherever they are in the world - that process the personal data of EU residents must comply with the GDPR (General Data Protection Regulation). Failure to do so could cost them up to €20 million or 4% of annual global turnover in fines, whichever is greater. Now in its third edit...
| Field | Value |
|---|---|
| Main Author | |
| Format | eBook |
| Language | English |
| Published | Ely: IT Governance Publishing (IT Governance Ltd), 31.10.2019 |
| Edition | 3 |
| Subjects | |
| Online Access | Get full text |
| ISBN | 9781787781917; 1787781917 |
| DOI | 10.2307/j.ctvr7fcwb |
Table of Contents:
- Cover -- Title -- Copyright -- About the Author -- Contents
- Introduction -- The purpose of the GDPR -- Structure of the Regulation -- Impact on the EU -- Implementing the GDPR -- Key definitions
- Chapter 1: Scope, controllers and processors -- Scope of the GDPR -- Controller and processor -- Data controllers -- Joint controllers -- Data processors -- Controllers that are processors -- Controllers and processors outside the EU -- Records of processing -- Demonstrating compliance
- Chapter 2: Six data processing principles -- Principle 1: Lawfulness, fairness and transparency -- Principle 2: Purpose limitation -- Principle 3: Data minimisation -- Principle 4: Accuracy -- Principle 5: Storage limitation -- Principle 6: Integrity and confidentiality -- Accountability and compliance
- Chapter 3: Data subjects' rights -- Fair processing -- The right to access -- The right to rectification -- The right to be forgotten -- The right to restriction of processing -- The right to data portability -- The right to object -- Rights in relation to automated decision-making
- Chapter 4: Privacy compliance frameworks -- Material scope -- Territorial scope -- Governance -- Objectives -- Key processes -- Personal information management systems -- ISO/IEC 27001:2013 -- Selecting and implementing a compliance framework -- Implementing the framework
- Chapter 5: Information security as part of data protection -- Personal data breaches -- Anatomy of a data breach -- Sites of attack -- Securing your information -- ISO 27001 -- Ten Steps to Cyber Security -- Cyber Essentials -- NIST standards -- The information security policy -- Assuring information security -- Governance of information security -- Information security beyond the organisation's borders
- Chapter 6: Lawfulness and consent -- Consent in a nutshell -- Withdrawing consent -- Alternatives to consent -- Practicalities of consent -- Children -- Special categories of personal data -- Data relating to criminal convictions and offences
- Chapter 7: Subject access requests -- Receiving a request -- The information to provide -- Data portability -- Responsibilities of the data controller -- Processes and procedures -- Options for confirming the requester's identity -- Records to examine -- Time and money -- Dealing with bulk subject access requests -- Right to refusal -- The process flow
- Chapter 8: Role of the data protection officer -- Voluntary designation of a data protection officer -- Undertakings that share a DPO -- DPO on a service contract -- Publication of DPO contact details -- Position of the DPO -- Necessary resources -- Acting in an independent manner -- Protected role of the DPO -- Conflicts of interest -- Specification of the DPO -- Duties of the DPO -- The DPO and the organisation -- The DPO and the supervisory authority -- Data protection impact assessments and risk management -- In-house or contract
- Chapter 9: Data mapping -- Objectives and outcomes -- Four elements of data flow -- Data mapping, DPIAs and risk management
- Chapter 10: Requirements for data protection impact assessments -- DPIAs -- After the DPIA -- Consulting with stakeholders -- Who needs to be involved? -- Data protection by design and by default
- Chapter 11: Risk management and DPIAs -- DPIAs as part of risk management -- Risk management standards and methodologies -- Risk responses -- Risk relationships -- Risk management and personal data
- Chapter 12: Conducting DPIAs -- Five key stages of the DPIA -- Identify the need for the DPIA -- Objectives and outcomes -- Consultation -- Describe the information flow -- Identify privacy and related risks -- Identify and evaluate privacy solutions -- Sign off and record the outcome -- Integrating the DPIA into the project plan
- Chapter 13: Managing personal data internationally -- Key requirements -- Adequacy decisions -- Safeguards -- Binding corporate rules -- Standard contractual clauses -- The EU-US Privacy Shield -- Privacy Shield Principles -- Limited transfers -- Cloud services
- Chapter 14: Incident response management and reporting -- Notification -- Events vs incidents -- Types of incident -- Cyber security incident response plans -- Key roles in incident management -- Prepare -- Respond -- Follow up
- Chapter 15: GDPR enforcement -- The hierarchy of authorities -- One-stop-shop mechanism -- Duties of supervisory authorities -- Powers of supervisory authorities -- Duties and powers of the European Data Protection Board -- Data subjects' rights to redress -- Administrative fines -- The Regulation's impact on other laws
- Chapter 16: Transitioning and demonstrating compliance -- Transition frameworks -- Transition - understanding the changes from DPD to GDPR -- Using policies to demonstrate compliance -- Codes of conduct and certification mechanisms
- Appendix 1: Index of the Regulation
- Appendix 2: EU/EEA national supervisory authorities
- Appendix 3: Implementation FAQ
- IT Governance resources