Contents
Abbreviations
Table of Cases
Table of Statutes
Table of Statutory Instruments
Table of EU Regulations
Table of European Directives
Table of Treaties, Conventions and Agreements
Part 1 Data Protection: How to Comply with the
Data Protection Regime
Chapter 1 Data Protection
What is Data Protection?
The Importance of Data Protection
The Data Protection Rules
Data Protection Rules
Summary Data Protection Rules
General Criteria for Data Processing
Data Protection Overview
Lawful Processing
Definitions
Chapter 2 Sources of Data Protection Law
Introduction
UK DPA 2018
UK Secondary Legislation
EU Data Protection Law
Case Law
ICO Guides
ICO Determinations
Legal Textbooks
Legal Journals
EDPB
European Data Protection Supervisor
Council of Europe
Other Data Protection Authorities
Other Official Sources
Key/Topical Issues
Data Protection Websites and Blogs
Other Laws
Conferences
Reference
Chapter 3 Definitions
Introduction
DPA Definitions
GDPR Definitions
Two Categories of Personal Data
Conclusion
Chapter 4 History and Data Protection
Introduction
History of Data Protection
Data Protection Act
Legal Instruments
GDPR
Conclusion
Chapter 5 Principles
Introduction
When Data Protection Provisions Apply
Fair Processing Requirements
Principles of Data Protection
Chapter 6 Ordinary Personal Data Lawful Processing
Conditions
Introduction
General Lawful Processing Conditions
Special Personal Data Lawful Processing Conditions
Chapter 7 Processing Pre-Conditions: Prior Information Requirements and Transparency
Introduction
Prior Information Requirements under the EU General Data Protection Regulation (GDPR)
Conclusion
Chapter 8 Exemptions
Introduction
Exemptions under the DPA 2018
Exemptions under the GDPR
Conclusion
Chapter 9 Individual Data Subject Rights
Introduction
Principles of Data Protection
Rights for Individual Data Subjects
Recipients of Right
Access Right under the DPA 2018
Access Right
GDPR: Rectification and Erasure
Right to Data Portability
Automated Individual Decision Making Right
Compensation for Data Subjects
DPA: Requiring Data Disclosure
Jurisdiction
Complaints to ICO
Organisational Data Protection Group
Court Remedies
Different Supervisory Authorities
Plaintiff Choice of Jurisdictions and Courts
Compensation
Penalties
Sanctions
GDPR: Right to Portability
GDPR: Right to Object, Automated Decisions and Profiling
GDPR Automated Individual Decision Making, Including Profiling
Conclusion
Cases to Consider
Chapter 10 Time Limits for Compliance
Introduction
Time Limits
Conclusion
Chapter 11 Enforcement and Penalties for Non-Compliance
Introduction
Breaches, Offences and Penalties
Criminal Offences
Other Consequences of Breach
ICO Monetary Penalties
GDPR Changes re Fines and Prosecution
Civil Sanctions under the DPA
Remedies, Liability and Penalties under the GDPR
Powers and Functions of the ICO
ICO Data Enforcement, Loss/Data Breaches, Fines and Convictions
Conclusion
Chapter 12 Security of Personal Data
Introduction
Appropriate Security Measures
Ensuring Appropriate Security Measures
Security under the EDPB
Security under the GDPR
Organisational Security Awareness
Organisational Security Measures
Raising Awareness
ICO Guidance
ICO and Security Breaches
Disposal of Computer Hardware
Conclusion
Chapter 13 Outsourcing and Data Processors
Introduction
Processors and Data Security
Engaging Processors
Relying on Third Party Processors
Conclusion
Part 2 Inward Facing Organisational DP Obligations
Chapter 14 Processing Employee Personal Data
Introduction
New Inward Facing Changes
Data Protection Officer (DPO)
Inward Facing Issues
Those Covered
Compliance with the Principles of Data Protection
Ordinary Personal Data Lawful Processing Conditions
Lawful Processing and Organisation's Employees
Special Personal Data Lawful Processing Conditions
Special Data Lawful Processing and Organisationβs Employees
ICO Codes
Employees and Security
Data Access Right of Employees
Conclusion
Chapter 15 Employee Data Protection Rights
Introduction
The Data Protection Rights of Employees
Rights Under the GDPR
Conclusion
Chapter 16 Employee Considerations
Introduction
Contract
Policies
Data Protection Policy
Internet Usage Policy
Mobile and Device Usage Policies
Vehicle Use Policy
Transfers of Undertaking
Evidence
Enforceability
Data Breach
Employee Data Organisations
Location
Conclusion
Chapter 17 Employee Monitoring Issues
Introduction
Sample Legal Issues Arising
Employee Misuse of Email, Internet, etc
Contract
Employment Equality
Harassment
Online Abuse
Offline Abuse
Child Pornography
Dealing with the Employee Risks
Employee Corporate Communications Usage Policies
Focus of Organisational Communications Usage Policies
Data Protection and Employee Monitoring
Human Right
Application of Data Protection Regime
ILO Code
EDPB/WP29
Employment Contracts, Terms, Policies
Processing Compliance Rules
The Rights of Employee Data Subjects
Monitoring Case
Conclusion
Part 3 Outward Facing Organisational DP Obligations
Chapter 18 Outward Facing Issues
Introduction
New Outward Facing Changes
Data Protection Officer
Data Protection by Design and by Default
Types of Outward Facing Personal Data
How to be Outward Facing Compliant
Compliance with the Outward Facing Principles
Customers, etc, and Ordinary Personal Data Lawful Processing Conditions
Customers, etc, Special Personal Data Lawful Processing Conditions
Customers, etc, and Security Requirements
Direct Marketing
Consequences of Non-Compliance
Users Versus Customers
Conclusion
Chapter 19 Data Protection and Privacy by Design
Introduction
Background
Principles of PbD
GDPR
ICO
EDPB
Commercial Adoption
Conclusion
Chapter 20 Enforcement Powers
Introduction
Enforcement Notices
Assessment Notices
Powers of Entry and Inspection
Request for Audit
Information Notices
Information Orders
Failure to Comply
Unlawful Obtaining Etc of Personal Data
Re-identifying De-identified Personal Data
Re-identification and Testing
Power of ICO to Impose Monetary Penalty
Prohibition of Requirement to Produce Certain Records
Tasks
Powers
General Conditions for Imposing Administrative Fines
Penalties
Conclusion
Chapter 21 Transfers of Personal Data
Introduction
Transfer Ban
Adequate Protection Exception
Exceptions
Creating Adequacy
Binding Corporate Rules
GDPR: The New Transfers Regime
Issues
Establishing if the Ban Applies
Checklist for Compliance
Brexit
Conclusion
Chapter 22 ePrivacy and Electronic Communications
Introduction
Background
Scope of the ePD
Marketing
Marketing Protection for Organisations
Conclusion
Chapter 23 Electronic Direct Marketing and Spam
Introduction
Direct Marketing (DM)
PECR
ICO Monetary Penalties
Civil Sanctions
Call and Fax Opt Out Registers
The Spam Problem
Related Issues
Cases
Conclusion
Part 4 New UK Regime
Chapter 24 Background to the New UK Regime
Introduction
Brexit, DPA, and EU
Queen's Speech
Background Briefing Document
Digital Charter and Internet Safety
The Ministerial Statement
'Final' Brexit Negotiations in Transition Period
Brexit Guides
Data and the European Union (Withdrawal) Act 2018
EUWA Details
EUWA Official Explanatory Commentary
New ICO Guidance Update
Preparation
EDPS Guidance
Commission
EDPB
Brexit and EU (Withdrawal Agreement) Act 2020
Conclusion
Chapter 25 The New Data Protection Act
Introduction
Repeal
Breakdown
Specific Changes from GDPR
Comment
Future
Part 5 New EU Regime
Chapter 26 New Regime
Introduction
Formal Nature of Regulations and Directives
Review Policy
Importance
Fundamental Right
Innovations
Enhanced Provisions and Changes
The New Data Protection Regime
Main Provisions and Changes of GDPR
Communicating Data Breach to Data Subject
Data Protection Officer
Conclusion
Part 6 Particular Issues
Chapter 27 Data Breach
Introduction
Data Breach Incidents in Context
Notification of a Data Breach to Supervisory Authority
Communication of a Data Breach to Data Subject
Employee Data Breaches
NotificationΒ Timelines
Notification Processes
Data Security Standards
Incident Response
Conclusion
Chapter 28 Data Protection Impact Assessment
Data Protection Impact Assessment and Prior Consultation
Data Protection Impact Assessment
Prior Consultation
Conclusion
Chapter 29 Social Media
Introduction
Controllers and Joint Controllers
Investigations
Social Media and Leveson
Social Media Data Transfers: Processors
Apps: Social Media Data Transfers
Awareness
Tagging and Identification
Transparency and User Friendly Tools
Abuse, Attacks, Threats, Trolling, Victims
Employment and Social Media
Electronic Evidence
The Rights of Data Subjects
Consent and Social Media
Website Discretion, Liability and Obligations
Third Party Controllers and EU Data Subjects
Specific Processing Risks
Rights
GDPR
Chapter 30 Leveson, the Press and Data Protection
Introduction
DPA 1998, s 32
Leveson Recommendations
Comparison
Conclusion
Chapter 31 Data Protection Officer
Introduction
New Role of DPO
Tasks and Role
Summary
Chapter 32 Brexit, Privacy Shield and Schrems
Introduction
Issues and Questions
Privacy Shield
Standard Contract Clauses
Conclusion
Chapter 33 Other Data Protection Issues
Introduction
New Regime
Medical and Health Data
Genome Data
Body Scanners
Investigation, Discovery and Evidence
Cloud
New Hardware Devices, New Software
Internet of Things
On-Site/Off-Site
Online Abuse
Drones
Increasing Actions
AI, Big Data and Data Ethics
Codes and Certification
Politics
Conclusion
Appendices
Reference Links
Legislative Links
Forms and Documents Links
Complying with Data Protection
Objections to Marketing
Audit Checklist
Procedures
Index
