1. INTRODUCTION
The European Union General Data Protection Regulation (GDPR) is a key regulation in the field of privacy. So, in this section, we'll cover the following:
- Which companies need to be compliant with GDPR?
- How is this book structured?
- Who is this book for?
Note: Beyond the above questions, this book elaborates on the key requirements of the GDPR and provides a simple introduction to setting up and monitoring your GDPR compliance project.
1.1 Which organisations need to be compliant with the GDPR?
The General Data Protection Regulation is a significant piece of legislation, applicable to the processing of personal data of individuals in the European Union. The key to understanding when the EU GDPR applies is to understand the meaning of "in the Union". For organisations outside the EU, the GDPR applies to personal data about individuals who are in the Union; the nationality or habitual residence of those individuals is irrelevant. (Organisations established in the EU are subject to the GDPR for processing carried out in the context of that establishment, regardless of where the processing takes place or where the individuals are.)
This implies that, for example, where a U.S. company with no EU establishment processes the personal data of EU citizens in the U.S. for a service provided in the U.S., the EU GDPR would not apply to that company. However, if the same company processes the personal data of EU citizens, or of any other persons presently in the EU, for a service provided in the EU, the EU GDPR would apply to the company. So, irrespective of whether your organisation is based in Asia, Australia, America or any other continent, the GDPR may apply if your company provides services to, and / or processes the personal data of, individuals in the EU.
Some of the most commonly impacted industries and organisations include:
- Industries that provide services to individual customers: Industries wherein the core business is to provide services to individual customers generally include the processing of personal data on a large scale. These industries would include financial services, insurance, retail, etc. All of these companies would need to take significant steps to comply with the EU GDPR.
- Industries that provide marketing, business, process and system support services: A significant number of organisations provide business, process or system management services. These companies become processors of personal data on behalf of the controllers that contract them. While their controllers need to be GDPR-compliant, the GDPR also imposes obligations directly on processors, and processors can be held liable if they do not fulfil those obligations. These organisations include cloud-based services, platform-based services, legal services, analytics, event management, marketing companies, etc.
- Automobile industry: Most automobile manufacturers love to collect and process personal data about who buys their products. But, with the GDPR being applicable, these companies would need to be more transparent with regard to what data they have, what they do with it, and why.
- Clubs and membership organisations: Most clubs or member organisations like football clubs, fitness clubs, golf clubs, tennis clubs, etc. collect the personal data of their members. At present, these organisations may not be transparent about what they collect and why; but, with the GDPR coming into effect, the transparency requirements shall apply to these organisations if their members are in the EU.
- Non-profit organisations and charities: Charities and non-profit organisations usually collect personal data. In some cases, they also keep the bank details of their members. At present, these organisations may not be obliged to disclose what personal data they collect and why, but with the GDPR coming into effect, the transparency requirements shall also apply to these organisations if their members are in the EU.
In short, the GDPR shall apply to your organisation if you process personal data of individuals in the EU, irrespective of the industry in which the company operates. The only things that matter are whether the individuals are in the EU or not, and whether the data being collected or handled is personal data or not.
1.2 The positive side of the GDPR
While the GDPR applies to most organisations, the benefits a company can achieve by taking steps towards compliance are often misunderstood. Some examples of GDPR requirements and their benefits include:
- Make a register of data processing. That is, list what personal data is being captured, as well as when, for what purpose, and so on. This will bring a lot of insight into the data that exists in your company. Once your company knows all this, your investments into data analytics will become much more valuable than the typical current approach of taking your CRM systems and starting to analyse them.
- Demonstrate transparency. Specify what data you collect, why you collect it and how you process it. Again, doing so requires a huge effort, but once done correctly, your customers will have a lot of trust in what you do and why. Once they understand this, and feel confident about your approach, they should trust your company more. And, we all know that customer trust is one of the core elements in the growth of any business.
- Minimise the data that is collected. Now, this is easier said than done, but if a company really invests in minimising the data that is being collected, there can be immense benefits: business processes will become efficient, the costs of storing data will be reduced because you reduce the data that is captured, and so on.
- Secure the personal data. Security of data has always been a big topic, but not every company has done enough. Now, the GDPR requires you to ensure the security of personal data, and if this is done well, it should reduce the number of personal data breaches. And, if the number of breaches is reduced, it is certainly very good for business when examined through cost, reputation, and many other perspectives.
The GDPR is not about fines, but about being transparent and accountable while protecting personal data. If you do this well, your company has an opportunity to increase customer trust, generate more business and reduce threats of personal data breaches. So, next time you have a conversation about the GDPR, start with why it will be good for your business. And, being in business yourself, you should be able to think of many more reasons than the ones listed above.
1.3 How is this book structured?
Before we begin, I would like to suggest two points that will greatly increase the value you get from this book. First and foremost, I want to emphasise that this is not a book that you read once and then forget about. To begin, read it completely once; then, refer back as you start your GDPR compliance journey.
Second, I would like to make it explicit that this is not legal advice; rather, this is my personal perspective on the GDPR for anyone willing to learn about the regulation. The content in this book is not my experience with any one organisation for which I work or have worked; it is the sum total of what I have observed and learned throughout my career thus far. Hence, expect this to provide you with general information about the GDPR and ideas on how best to implement GDPR compliance.
To make it easier for you, each chapter ends with a section called "Success factors", which will assist you in implementing the GDPR more quickly and effectively through key actions you may take. Some chapters also include a "Free tool tip", which provides a link to a completely free tool that will help you on your way toward compliance.
And, if you use this book as intended, I am confident that you will gain a better understanding of the GDPR and decide on the best compliance approach for your company.
1.4 Who is this book for?
Company executives are becoming increasingly concerned about the impact of the new General Data Protection Regulation that takes effect on 25 May 2018. Most of them understand that this new law will have a huge impact, but the extent and areas of impact are not always clear. In such situations, you need a simple and easy-to-follow explanation of the core requirements of the GDPR. Ideally, this information should include actionable suggestions. If you find yourself in need of this sort of help, then this book is your solution.
The ideal reader of this book is any person who seeks to understand the core requirements of the General Data Protection Regulation. The book is particularly suited for persons in companies aspiring to become GDPR-compliant.
1.5 Additional resources
Here are some resources that will help you, together with this book, to learn about the GDPR:
- EU GDPR online courses - free online courses that will teach you GDPR basics.
- EU GDPR free downloads - a collection of white papers, checklists, diagrams, templates, etc.
- EU GDPR tools - a couple of free tools like the EU GDPR Readiness Assessment Tool and the full text of the EU GDPR.
- Conformio - a cloud-based document management system (DMS) and project management tool...