
GDPR For Dummies
Description
How can your business easily comply with the new data protection and privacy laws and avoid fines of up to $27M? GDPR For Dummies sets out in simple steps how small business owners can comply with the complex General Data Protection Regulations (GDPR). These regulations apply to all businesses established in the EU and to businesses established outside of the EU insofar as they process personal data about people within the EU.
Inside, you'll discover how GDPR applies to your business in the context of marketing, employment, providing your services, and using service providers. Learn how to avoid fines, regulatory investigations, customer complaints, and brand damage, while gaining a competitive advantage and increasing customer loyalty by putting privacy at the heart of your business.
* Find out what constitutes personal data and special category data
* Gain consent for online and offline marketing
* Put your Privacy Policy in place
* Report a data breach before being fined
79% of U.S. businesses haven't figured out how they'll report breaches in a timely fashion, provide customers the right to be forgotten, conduct privacy impact assessments, and more. If you are one of those businesses that hasn't put a plan in place, then GDPR For Dummies is for you.

Content
- Intro
- Title Page
- Copyright Page
- Table of Contents
- Introduction
- About This Book
- Foolish Assumptions
- How This Book Is Organized
- Part 1: Getting Started with GDPR
- Part 2: The Key Principles of GDPR
- Part 3: Key Documentation
- Part 4: Data Subject Rights, Protection, and Security
- Part 5: The Workplace, Marketing, and Beyond
- Part 6: The Part of Tens
- Part 7: Appendixes
- Icons Used in This Book
- What You're Not to Read
- Where to Go from Here
- GDPR Facebook group
- GDPR Compliance Pack
- Other ways to stay in the know
- One-on-one legal advice
- Part 1 Getting Started with GDPR
- Chapter 1 Grasping the Fundamentals of GDPR and Data Protection
- Understanding Data Protection Laws
- The Ten Most Important Obligations of the GDPR
- Facing the Consequences
- Increased fines and sanctions
- Civil claims
- Data subject complaints
- Brand damage
- Loss of trust
- Being a Market Leader
- Chapter 2 Key Changes Introduced by GDPR
- Increased Territorial Scope
- EU established data controllers
- Non-EU established controllers
- Understanding the Representative's Role and When to Appoint One
- Responsibilities of the Representative
- Qualifications of the Representative
- Consent and Withdrawal of Consent
- Additional Data Subject Rights
- Liability of Processors
- Specific Protection for Children's Data
- Data Breach Notification
- Data Protection Officers
- Accountability and Governance
- Increased Fines and Sanctions
- Ability to Bring a Civil Claim
- Part 2 The Key Principles of GDPR
- Chapter 3 Digging In to Data: What's Personal, What's Sensitive, and How It's Processed
- Dissecting the Definition of Personal Data
- Information
- Relating to
- Natural person
- Identified or identifiable
- Directly or indirectly
- Identifier
- Anonymization
- Pseudonymization
- Defining Special-Category Data
- Understanding the Processing of Data
- Processing Personal Data Lawfully
- Compatibility of purposes
- Necessity
- Consent
- Contractual necessity
- Legal obligation necessity
- Vital interests necessity
- Public interests necessity
- Legitimate interests
- Processing special-category data
- The Consequences of Getting Processing Wrong
- Chapter 4 The Six Data Protection Principles
- Accountability
- Lawfulness, Fairness, and Transparency
- Lawfulness
- Fairness
- Transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Regarding opinions
- Taking reasonable measures
- Updating personal data
- Storage Limitation
- Integrity and Confidentiality
- Consequences of Noncompliance with the Six Principles
- Chapter 5 Data Controllers and Data Processors
- Recognizing Who's a Data Controller
- Exploring joint controllers
- Joint controllers of Facebook Fan Pages
- Understanding Who's a Data Processor
- Differentiating who are subprocessors
- Exploring Obligations under the GDPR
- Obligations on controllers
- Obligations on joint controllers
- Obligations on processors
- Obligations on the data controller to use GDPR-compliant data processors
- Exploring Liabilities under the GDPR
- Liability for data controller for using a noncompliant data processor
- Liability of data processors
- Chapter 6 Transfers of Data Outside of the EEA
- Principles of Data Transfer Outside of the EEA
- Countries with an Adequacy Finding
- Becoming Part of the US Privacy Shield
- Working with Data in Transit and Onward Transfers
- Understanding Standard Contractual Clauses
- Determining the type of standard contractual clause to use
- Regarding the controller-to-processor transfer
- Establishing Binding Corporate Rules
- Derogations for International Transfers
- Explicit consent
- Contractual necessity
- Public interest
- Legal claim necessity
- Vital interests
- Open register
- Compelling legitimate interests
- Part 3 Key Documentation
- Chapter 7 Building Your Data Inventory
- Understanding the Rationale for Data Inventory
- Completing a Data Inventory
- Preparatory steps for data inventory
- The Data Inventory template
- Exploring Systems for Managing Data
- Article 30: The Obligation to Keep Records of Data Processing
- Controller's obligations
- Processor's obligations
- Chapter 8 Penning a Privacy Notice
- Learning the Rationale for a Privacy Notice
- Privacy Notices where you collect data directly from individuals
- Privacy Notices where you collect data from a third party or publicly available source
- Creating Your Privacy Notice
- Communicating Your Privacy Notice
- Communicating via email
- Communicating via your website
- Communicating over the phone
- Communicating in person
- The Consequences of Not Having an Appropriate Privacy Notice
- Chapter 9 Cookie Policy
- Defining Cookies
- Understanding the Rationale for a Cookie Policy
- Lawful grounds for processing personal data obtained from cookies
- Creating and Communicating Your Cookie Policy
- Assessing your cookies
- Writing your Cookie Policy
- Posting your Cookie Policy
- Cookie walls
- Using tools to communicate your Cookie Policy and obtain consent
- Looking into the Future of Cookies
- Sanctions for Not Having an Appropriate Cookie Policy
- Chapter 10 Drafting Data Processing and Data Sharing Agreements
- Understanding Data Processing Agreements
- What to include in the Data Processing Agreement
- Responsibility for the Data Processing Agreement
- Negotiating a Data Processing Agreement
- Creating a Data Processing Agreement
- Understanding Data Sharing Agreements
- Creating a Data Sharing Agreement
- What to Do with Your Agreements
- Data Processing Agreements
- Data Sharing Agreements
- Examining the Consequences of Not Having the Appropriate Agreements in Place
- Data Processing Agreements
- Data Sharing Agreements
- Chapter 11 Writing Opt-In Wording
- Understanding When to Use Opt-In Wording
- Opt-in particulars
- Opt-ins for lead magnets
- When to use opt-out wording
- The ePrivacy Directive and the soft opt-in
- Explicit-consent opt-in wording
- Creating and Communicating Your Opt-In Wording
- The do's and don'ts of opt-in wording
- Avoiding consent fatigue
- Keeping records of consent
- Consequences of Not Having the Appropriate Opt-In Wording
- Chapter 12 Writing a Legitimate Interests Assessment Form
- Knowing When to Use a Legitimate Interests Assessment Form
- Completing a Legitimate Interests Assessment Form
- Purpose test
- Necessity test
- Balancing test
- What to Do with Your Legitimate Interests Assessment Form
- Consequences of Not Carrying Out a Legitimate Interests Assessment
- Chapter 13 Writing Other Documents
- Data Protection Impact Assessments
- Data Subject Access Requests and Response Records
- Data Subject Access Requests (DSAR)
- Response to a DSAR
- Data Breach Records
- Data Protection Policies
- Data Retention Policies
- Additional Privacy Notices
- Part 4 Data Subject Rights, Protection, and Security
- Chapter 14 Data Subject Rights
- General Matters Relating to Data Subject Rights
- Territorial scope of data subject rights
- Form in which a right is exercised
- Deadline for replying to requests
- Charging a fee
- Requesting identification
- Refusing to comply
- Requests by or on behalf of others or from children
- Exemptions
- The consequences of failing to respond correctly
- Enforcement actions
- Defining the Eight Data Subject Rights
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights relating to automated decision-making and profiling
- Data Subject Access Rights (DSARs)
- Key changes to DSARs under GDPR
- Exemptions to data being provided as part of a DSAR
- Responding to a Data Subject Access Request
- Searching for relevant personal data
- The Right to Be Forgotten
- When the right to be forgotten applies
- When the right to be forgotten doesn't apply
- Notifying third parties to whom you have transferred data
- Erasing data from backup systems
- Children's data
- Search engine results
- Chapter 15 Data Protection by Design and by Default
- Defining by Design and by Default
- Data protection by design
- Data protection by default
- Conducting a Data Protection Impact Assessment
- The DPIA process
- When to consult your supervisory authority
- Code of conduct
- Understanding the Data Protection Officer
- What a DPO is
- The DPO's responsibilities
- When a DPO is required
- DPO protections
- DPO contractors
- Chapter 16 Data Security
- Reviewing Data Security
- Confidentiality
- Integrity
- Availability
- Article 32 Security Obligations
- Identifying Your Data Assets
- Protecting Your Data
- Technical controls
- Procedural controls
- Personnel controls
- Physical controls
- Handling Security Incidents
- Detecting security incidents
- Responding to security incidents
- Recovering from security incidents
- Conducting regular testing and assessments
- Introducing Security-Related Frameworks
- ISO 27001:2013
- ISO 27005:2018
- Cyber Essentials (Plus)
- NIST Cybersecurity Framework
- Data Controller and Data Processor Liabilities
- The role of subprocessors
- Doing your due diligence
- Breaches caused by data processors
- Sanctions for data breaches caused by data processors
- Chapter 17 Data Breaches and Reporting Obligations
- Understanding What Constitutes a Breach
- Categorizing breaches
- Assessing Data Breaches
- Addressing potential consequences
- Weighing risk factors
- Becoming aware of the breach
- Investigating the breach
- Responding to a breach
- Sending Notifications
- Notifying the supervisory authority
- Notifying data subjects
- Keeping Internal Records
- Data Processors and Data Breaches
- Sanctions for Data Breaches
- Part 5 The Workplace, Marketing, and Beyond
- Chapter 18 GDPR and the Workplace
- Choosing Appropriate Lawful Grounds of Processing for Employee Data
- Lawful grounds of processing for employee data
- Lawful grounds of processing for candidate data
- Lawful grounds of processing for data about former employees
- Writing and Communicating an Employee Privacy Notice
- What to include
- What to do with it
- Managing subject access requests from employees
- Understanding exemptions
- Responding to an employee DSAR
- Monitoring Employees
- Types of employee monitoring
- Principles for employee monitoring
- Identifying legitimate monitoring
- Recognizing monitoring that isn't legitimate
- CCTV
- Chapter 19 Keeping Your Marketing GDPR-Compliant
- Marketing, Defined
- General Matters Regarding the GDPR and Marketing
- The lawful grounds for processing
- B2B marketing and B2C marketing
- Opt-outs and suppression lists
- The inter-relationship with the ePrivacy Directive
- The consequences of getting it wrong
- Online Marketing
- Facebook marketing
- Display advertising
- Behavioral advertising
- Email and text marketing
- Affiliate marketing
- Automated calling
- Offline Marketing
- Prospecting and networking
- Events
- Exhibitions
- Referrals
- Postal marketing
- Non-automated calls
- Chapter 20 Children, Charities, and Associations
- Children
- Differences for children under the GDPR
- Consent of parents and children
- Additional rights of children
- Charities
- Fundraising and marketing
- Wealth screening and data matching
- Religious charities and door-to-door preaching
- Volunteers
- Security
- Data protection fee
- ICO risk review report for charities
- Associations
- Chapter 21 Supervisory Authorities, Remedies, Liabilities, and Penalties
- Introducing Supervisory Authorities
- Finding Your Supervisory Authority and Lead Authority
- Supervisory authority
- Lead authority
- Reporting Data Breaches to Your Supervisory Authority
- Powers of Supervisory Authorities
- Investigatory powers
- Corrective powers
- Authorization and advisory powers
- Remedies, Liabilities, and Penalties
- Data subject complaints
- Judicial remedies
- The data controller's and data processor's liability to provide compensation
- A 2-tiered system of fines
- Other penalties
- Part 6 The Part of Tens
- Chapter 22 Ten GDPR Resources
- Suzanne Dibble's resources
- Supervisory Authorities and EDPB Websites
- The EU Commission
- International Association of Privacy Professionals (IAPP)
- Privacy Shield Searchable Database
- Easily Readable Online Text of the GDPR
- Cookie Consent Tools
- GDPR Compliance Platforms
- OneTrust
- TrustArc
- GDPR Mentor
- GDPR Enforcement Tracker
- Book Contributors' Resources
- Chapter 23 Ten Must-Have Skills for the DPO
- Experience in Privacy and Security Risk Assessment
- Knowledge of Data Protection Law and Practices
- Ability to Work Independently
- Ability to Work Autonomously
- Ability to Communicate Effectively
- Ability to Negotiate Adeptly
- Maintain Cultural Awareness and Sensitivity
- Demonstrate Leadership
- Ability to Embrace Change
- Display Business and Interpersonal Acumen
- Chapter 24 Ten Ways to Train Employees to Be Good Stewards of Data
- Understand That One Size Doesn't Fit All
- Assess Individuals' Learning Styles
- Develop Engaging Training
- Teach the Basics to All Staff
- Provide Detailed Training per Function
- Train on Internal Systems and Procedures
- Reinforce Training with Reminders around the Workplace
- Spread Out Training across Multiple Sessions
- Encourage a Culture of Openness
- Adopt a Culture of Privacy
- Part 7 Appendixes
- Appendix A Upcoming Changes to Data Protection Laws
- Appendix B List of Supervisory Authorities
- Appendix C GDPR Checklist
- Appendix D Glossary
- Index
- EULA
System requirements
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (Kindle only with limitations).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our eBook Help page.