Now in its second edition, EU GDPR – An Implementation and Compliance Guide is a clear and comprehensive guide to this new data protection law. It explains the Regulation and sets out the obligations of data processors and controllers in terms you can understand. Topics covered include: The data
EU GENERAL DATA PROTECTION REGULATION (GDPR) - AN IMPLEMENTATION AND COMPLIANCE GUIDE.
Scribed by IT GOVERNANCE PUBLISHING.
- Publisher
- IT GOVERNANCE LTD
- Year
- 2020
- Language
- English
- Pages
- 386
- Edition
- 4
- Category
- Library
Table of Contents
Cover
Title
Copyright
About the Author
Contents
Introduction
The purpose of the GDPR
Structure of the Regulation
Impact on the EU
Implementing the GDPR
A note on the UK and Brexit
Key definitions
Part 1: Core considerations for the GDPR
Chapter 1: Scope, controllers and processors
Scope of the GDPR
Controller and processor
Data controllers
Joint controllers
Data processors
Controllers that are processors
Controllers and processors outside the EU
Records of processing
Demonstrating compliance
Chapter 2: Data processing principles
Principle 1: Lawfulness, fairness and transparency
Principle 2: Purpose limitation
Principle 3: Data minimisation
Principle 4: Accuracy
Principle 5: Storage limitation
Principle 6: Integrity and confidentiality
Accountability and compliance
Chapter 3: Data subjects' rights
Fair processing
The right to access
The right to rectification
The right to be forgotten
The right to restriction of processing
The right to data portability
The right to object
Rights in relation to automated decision-making
Part 2: Building compliance
Chapter 4: Privacy compliance frameworks
Material scope
Territorial scope
Governance
Objectives
Key processes
Personal information management systems
ISO/IEC 27001: 2013
Selecting and implementing a compliance framework
Implementing the framework
Chapter 5: Information security as part of data protection
Personal data breaches
Anatomy of a data breach
Sites of attack
Securing your information
ISO 27001
NIST standards
Ten Steps to Cyber Security
Cyber Essentials
The information security policy
Assuring information security
Governance of information security
Information security beyond the organisation's borders
Chapter 6: Lawfulness and consent
Consent in a nutshell
Withdrawing consent
Alternatives to consent
Practicalities of consent
Children
Special categories of personal data
Data relating to criminal convictions and offences
Chapter 7: Subject access requests
Receiving a request
The information to provide
Data portability
Responsibilities of the data controller
Processes and procedures
Options for confirming the requester's identity
Records to examine
Time and money
Dealing with bulk subject access requests
Right to refusal
The process flow
Chapter 8: Role of the data protection officer
Voluntary designation of a data protection officer
Undertakings that share a DPO
DPO on a service contract
Publication of DPO contact details
Position of the DPO
Necessary resources
Acting in an independent manner
Protected role of the DPO
Conflicts of interest
Specification of the DPO
Duties of the DPO
The DPO and the organisation
The DPO and the supervisory authority
Data protection impact assessments and risk management
In-house or contract
Chapter 9: Data mapping
Objectives and outcomes
Four elements of data flow
Data mapping, DPIAs and risk management
Part 3: Data protection impact assessments and risk management
Chapter 10: Requirements for data protection impact assessments
DPIAs
Consulting with stakeholders
Who needs to be involved?
Data protection by design and by default
Chapter 11: Risk management and DPIAs
DPIAs as part of risk management
Risk management standards and methodologies
Risk responses
Risk relationships
Risk management and personal data
Chapter 12: Conducting DPIAs
Five key stages of the DPIA
Identify the need for the DPIA
Objectives and outcomes
Consultation
Describe the information flow
Identify privacy and related risks
Identify and evaluate privacy solutions
Sign off and record the outcome
Integrating the DPIA into the project plan
Part 4: International transfers and incident management
Chapter 13: Managing personal data internationally
Key requirements
Adequacy decisions
Safeguards
Binding corporate rules
Standard contractual clauses
Limited transfers
Cloud services
Chapter 14: Incident response management and reporting
Notification
Events vs incidents
Types of incident
Cyber security incident response plans
Key roles in incident management
Prepare
Respond
Follow up
Part 5: Enforcement and transitioning to compliance
Chapter 15: GDPR enforcement
The hierarchy of authorities
One-stop-shop mechanism
Duties of supervisory authorities
Powers of supervisory authorities
Duties and powers of the European Data Protection Board
Data subjects' rights to redress
Administrative fines
The Regulation's impact on other laws
Chapter 16: Transitioning and demonstrating compliance
Transition frameworks
Using policies to demonstrate compliance
Codes of conduct and certification mechanisms
Appendix 1: Index of the Regulation
Appendix 2: EU/EEA national supervisory authorities
Appendix 3: Implementation FAQ
IT Governance resources
Publishing services
Certified GDPR training and staff awareness
IT Governance training centre
Professional services and consultancy
Newsletter
SIMILAR VOLUMES
This book provides expert advice on the practical implementation of the European Union's General Data Protection Regulation (GDPR) and systematically analyses its various provisions. Examples, tables, a checklist etc. showcase the practical consequences of the new legislation. The handbook examines
This new book provides an article-by-article commentary on the new EU General Data Protection Regulation. Adopted in April 2016 and applicable from May 2018, the GDPR is the centrepiece of the recent reform of the EU regulatory framework for protection of personal data. It replaces the 1995 EU Data