Data Protection and Compliance, 2nd Edition
- Length: 400 pages
- Edition: 2
- Language: English
- Publisher: BCS
- Publication Date: 2021-11-25
- ISBN-10: 1780175248
- ISBN-13: 9781780175249
- Sales Rank: #926482
Large-scale data loss and data privacy compliance breaches continue to make headline news, highlighting the need for stringent data protection policies, especially when personal or commercially sensitive information is at stake. While regulations and legislation exist to address these issues, how organisations can best tailor their compliance approaches to their own operational circumstances has remained an open question. The focus of this book is on operationalising a truly risk-based approach to data protection and compliance, i.e. not just regulatory frameworks and legalistic compliance.
- Front matter: Front Cover Half-Title Page BCS, THE CHARTERED INSTITUTE FOR IT Title Page Copyright Page Contents List of figures and tables Contributors Copyright notices Abbreviations Preface
- PART I THE BIG PICTURE
- 1. INTRODUCTION TO DATA PROTECTION: What is data protection? Does data protection mean privacy? What is privacy? Are there exceptions to the right to privacy? What else should be protected? Protecting fundamental rights and freedoms (‘human rights’) Protecting the free movement of personal data (data flows, transfers and shares) The protected activities Protecting processing Protecting personal data undergoing processing Special category data (or ‘sensitive personal data’) Thematic priorities of data protection, trends and hot topics – supporting a risk-based approach AdTech and cookies Advanced technology and data processing techniques Advanced surveillance Artificial intelligence Automated facial recognition Connected vehicles Children Cybersecurity Data subject rights – timetable breaches Democracy HR problems International transfers Privacy and electronic communications (‘ePrivacy’) Profiling Virtual voice assistants Core law The UK Data Protection Act and its relationship to the GDPR and other EU law The Data Protection Convention Regulatory guidance and decisions Court judgments Related law Data protection penalties and litigation The regulatory bear market Summary
- 2. INTRODUCTION TO THE GDPR: Brexit: the impacts for data protection and the impacts for this book The land mass in Europe to which the GDPR applies Recitals and articles of the GDPR Jurisdiction of the GDPR Nationality and location of people A.3.1 – processing in the context of EU establishments A.3.2 – targeting people in the EU Material scope of the GDPR The building blocks of the GDPR The actors Compliance framework – the standards of protection Data protection principles Lawful bases of processing Necessity Consent for processing Compliance framework – controls Appropriate technical and organisational measures Appropriate safeguards Prescribed controls Anonymisation and pseudonymisation Accountability Assessing appropriateness of controls Critical outcomes to be achieved Transparency Clarity of the lawful basis of processing Control Compensatory mechanisms to remedy non-compliance Regulator’s enforcement powers Data subjects’ enforcement powers Where the GDPR does not apply – exceptions and restrictions Domestic processing Restrictions and the UK DPA Brexit – the UK, Frozen and EU GDPR UK GDPR Frozen GDPR Brexit – international transfers of data Summary
- 3. INTRODUCTION TO EPRIVACY: Regulating the electronic communications sector The relationship between data protection and ePrivacy The actors and protected parties Confidentiality of communications Exceptions to confidentiality Consent for storing or accessing information in terminal equipment Consent, transparency and the use of cookie notices and consent tools Types of cookies Cookies, behavioural advertising and real-time bidding Cookies and legal risk Direct marketing The position under PECR Postal direct marketing Opt-out, as a matter of law Financial penalties for direct marketing contraventions Processing of traffic data, location data and value added services Security and personal data breach notification Personal data breaches Expanded rules for breach notifications Interplay with the breach notification rules in the GDPR Calling line ID and directories of subscribers Law reform underway Summary
- 4. INTRODUCTION TO OPERATIONAL DATA PROTECTION: Operational adequacy schemes – implementing data protection (operationalisation) Focus on operational adequacy schemes The three layers of an organisation Implementing data protection in the people layer Governance structures Steering committee Recruitment and onboarding Education and training Access rights and privileges Monitoring Worker discipline Flowing requirements to data processors Implementing data protection in the paper layer Data Protection by Design and Default (DPbDD, or PbD) Governance structures Records of processing activities Risk registers and assessment tools and methodologies Legitimate interests assessments Transfer assessments Transparency notices Contracts and similar documents Policies, procedures and controls frameworks Records of significant events Programme and project plans Technology architecture Assurance records Other mechanisms for assurance Implementing data protection in the technology and data layer Privacy Enhancing Technologies Regulatory sandboxes ‘The Journey to Code’ Risk management – implementing measures to assess risks to rights and freedoms and the appropriateness of controls The adequacy test The impact of the ‘consensus of professional opinion’ – what are the risks and what should be done about them? Risk management – dealing with adverse scrutiny Globalisation – implementing data protection on an international stage International transfers – adequacy, appropriate safeguards and derogations Meaning of ‘adequacy’ for the purposes of international transfers Adequacy of the UK Appropriate safeguards Derogations Wider operational challenges of international activities Impacts for micro, small and medium-sized enterprises Size of enterprise and size of risk Financial resources, cost and risk Security and connection to wider legal and operational frameworks Summary
- PART II CORE LAW
- 5. THE PRINCIPLES OF DATA PROTECTION: A constant presence in data protection law The duty of compliance (accountability) Lawfulness, fairness and transparency – the first principle Lawfulness Fairness Transparency Purpose limitation – the second principle Expanded purposes – archiving in the public interest Expanded purposes – scientific and historical research Expanded purposes – statistics Compatibility Data minimisation – the third principle Accuracy – the fourth principle Storage limitation – the fifth principle Integrity and confidentiality (including security) – the sixth principle Accountability – the seventh principle Lawfulness of processing of personal data (Article 6) Categorising the lawful bases of processing Consent Contract Legal obligation Vital interests Public task Legitimate interests Lawfulness of processing – special category personal data and criminal convictions and offences The ban on processing special category personal data – enhanced sensitivity, risks and legal requirement Summary
- 6. THE RIGHTS OF DATA SUBJECTS: Informing and empowering the protected party Transparency and information rights General obligation of transparency – GDPR A. Obtaining transparency – GDPR A.13 and The right of access to information – A. Personal data breaches – Article Rights over data processing Right to rectification – A. Right to erasure, or ‘the right to be forgotten’ – A. Right to restriction of processing – A. Right to data portability – A. Right to object – A. Right not to be subject to automated decision making, including profiling – A. Remedies and rights of redress Summary
- PART III OPERATING INTERNATIONALLY
- 7. NATIONAL SUPERVISION WITHIN AN INTERNATIONAL FRAMEWORK: National regulatory systems and divergences GDPR solution for international processing Establishment of supervisory authorities General conditions for members of supervisory authorities Independence Interference Supervisory authority competence Member competence Tasks Monitoring Promotion and awareness Advice and administration Rights, complaints and enforcement Powers Lead supervisory authorities Cross-border processing Cooperation and mutual assistance Choosing a lead supervisory authority Appointing an EU Representative Summary
- 8. TRANSFERRING DATA BETWEEN THE GDPR LAND MASS AND THIRD COUNTRIES: Why regulate international transfers? What is a transfer? General principles for transfers Transfers on the basis of an adequacy decision Elements considered in assessing adequacy Adequacy decisions issued UK adequacy Partial adequacy decisions Ongoing monitoring of adequacy decisions Transfers subject to appropriate safeguards Standard contractual clauses Derogations for specific situations Relying on the derogations in practice Compelling legitimate interests Litigation on international data transfers Schrems I – Safe Harbor decision declared invalid Schrems II – Privacy Shield declared invalid and SCCs declared valid subject to certain conditions Navigating international data transfers EDPB’s six-step recommendations Supplementary measures A practical approach to international transfers Getting to know your ‘special characteristics’ Understanding the ‘zone of precedent’ Knowing your ‘adverse scrutineers’ Achieving operational adequacy Upscaling protections Considering options for deregulatory effects Summary
- 9. DATA PROTECTION BEYOND THE GDPR LAND MASS: Multi-jurisdictional frameworks protecting rights and freedoms including data protection The Universal Declaration of Human Rights The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data APEC Privacy Framework National laws beyond the GDPR land mass Notable new legislation Comparative review between the GDPR and key international laws United States California Virginia Brazil India China Data localisation Examples of localisation laws Coping strategies for organisations operating globally Examples of coping mechanisms Summary
- PART IV DELIVERY
- 10. MECHANISMS TO SUPPORT OPERATIONAL COMPLIANCE: Mechanisms within the GDPR Technical and organisational measures Organisational measures Technical measures Codes of conduct and certification mechanisms Risk assessments Data protection policies An overarching data protection policy Policies covering specific GDPR obligations Procedures Reflecting operational realities Records of processing activities – a baseline for accountability Minimum content of ROPAs Wider benefits of ROPAs Data Protection by Design and Default A formula for compliance Design Default Data protection impact assessment Likely to result in a high risk Minimum features of a DPIA Data protection officer Requirement to appoint a DPO Tasks of the DPO Position of the DPO Contracts Article 28 processor contracts Joint controller contracts Summary
- 11. PROGRAMMATIC APPROACHES FOR DELIVERING DATA PROTECTION BY DESIGN AND DEFAULT: The origins of Data Protection by Design and Default Data Protection by Design and Default in the GDPR The design element The default element The need for DPbDD – compelling events that trigger data protection transformation Embarking upon a transformation journey to achieve DPbDD A vision statement – laying the foundations for DPbDD Difference between data protection programmes and projects The beginning of work – building a business case The beginning of work – developing the brief Managing the work Initiating the work The workplans and workstreams Governance frameworks required by DPbDD for accountability purposes Roles and responsibilities – who will do what? Management structures and reporting lines Setting a target operating model Summary
- 12. BEING ACCOUNTABLE FOR RECORDS OF PROCESSING, LEGITIMATE INTERESTS AND RISK MANAGEMENT: Accountability for our decisions, actions and behaviours Accountability as a core principle of data protection Demonstrating accountability – an ongoing obligation, not a moment-in-time issue End-to-end accountability – from idea to reality Accountability in practice Records of processing activities ROPAs – continuing obligations Understanding data Producing the ROPA on request Benefits of extended records of processing – going beyond A. Developing records of processing – discovery and analysis Technology-assisted data discovery ROPAs and Data Protection by Design and Default Gated development – upskilling Organisation type A combination of all the above Exemptions Being accountable for legitimate interests Being accountable for the balancing exercise Considerations within legitimate interests Legitimate interests and the right to object to direct marketing Legitimate interests and data subject rights Being accountable for risk management Being accountable for ATOM Risk of failure baked into design Being accountable for the 4-Ts Being accountable for embedding data protection risk management into change methodologies Being accountable for recognised controls Being accountable for assurance Being accountable for adverse scrutiny Being accountable for an accumulation of evidence Production of evidence under pressure and scenario testing Summary
- 13. ‘THE JOURNEY TO CODE’: The Journey to Code – working towards achieving compliance within technology and data themselves The Journey has commenced The nature of the problem Email example Malicious technology and code A technology reference architecture for The Journey to Code The Core Privacy Technology Value Chain Privacy management technology The rise of privacy management technologies Arguments for the use of privacy management technology Drawbacks associated with privacy management technology Data intelligence technology Native and third-party data intelligence technology Third-party integrated data intelligence technology Principles and rights technology Producers of technology and data processing systems A regulatory gap Solutions to the regulatory gap The risk of a litigation culture emerging What comes next on The Journey to Code? ‘Your mission, should you choose to accept it’ Summary
- PART V ADVERSE SCRUTINY
- 14. HOW TO PREPARE FOR THE RISKS OF CHALLENGE AND ‘ADVERSE SCRUTINY’: Challenge and scrutiny are inevitable Challenge and scrutiny designed into regulatory law Adverse scrutiny The supervisory authority The data subject A legal duty to understand the risks of challenge and scrutiny The continuum of challenge and scrutiny Why a continuum? Examples of internal challengers and scrutineers Moral spectrum Examples of external challengers and scrutineers Modelling challenge and scrutiny risks Situations in the GDPR calling for risk assessments Risk scenarios and context-specific risk modelling The special characteristics and how they relate to modelling Modelling – challenge and scrutiny as reactive events Tiers of visibility – catalysts of challenge and scrutiny Modelling the domino effect of challenge and scrutiny Other interests to be considered when modelling challenge and scrutiny risks The relative impacts of challengers and scrutineers The impacts of data subject challenge and scrutiny Privacy activists The impacts of data protection regulators Outcomes versus structures and artefacts Examples of structures and artefacts Root cause analysis for operational failure Confidence testing and sentiment analysis Summary
- 15. COMPLAINTS, RIGHTS REQUESTS, REGULATORY INVESTIGATIONS AND LITIGATION: Awareness levels driving scrutiny and challenge Accountability Accounting for readiness to deal with challenge and scrutiny Dealing with complaints Point of contact Managing complaints and concerns received direct from data subjects Managing complaints escalated to a supervisory authority How to respond Dealing with regulatory investigations (investigatory powers) Information Notices Assessment Notices Investigations and prosecutions of criminal offences Exercise of data subject rights Escalation of problems – rights requests leading to adversity Timing Extensions Manifestly unfounded or excessive requests Compliance orders Litigation Subject access and litigation Data protection and litigation Compensation and liability Mass claims Summary
- 16. REGULATORY ACTION: The impacts of national laws and other contingencies on GDPR enforcement powers When can regulatory powers be used? The investigatory phase of regulatory action Powers in Article Warnings of potential infringements – action to prevent things going wrong Reprimands Enforcement Notices Withdrawal of certification Financial penalties Determination of penalties Mitigating factors Reputational impact Appeals against regulatory action Preparing for the risk of regulatory action Preparation through understanding the true extent of regulator powers – privilege example Disposition – the stance and style to adopt when faced with regulatory action Summary
- 17. HANDLING PERSONAL DATA BREACHES: The legal obligation to be secure Relationship to ePrivacy Relationship to cybersecurity The protections to be achieved under GDPR A.5.1.f Protections to be achieved under GDPR A. Security of the full data processing environment Processing data for security purposes as a legitimate interest Accountability for security Operational security Expanded requirements for security found outside the GDPR The state of the art Costs of implementation The nature, scope, context and purpose of processing The risks of varying likelihood and severity Required outcomes Appropriateness – what risks will the law tolerate? Personal data breaches, breach notification and communications Philosophies within breach notification and communications – transparency and its effects Personal data breach definition Breach of security Incident detection and response Types of personal data breaches – risks to rights and freedoms Timetables for notification and communications Risks to rights and freedoms and the carve-out for encrypted data Interests of law enforcement A.34 communications and disproportionate effort Contents of notifications and communications Ordering A.34 communications Breach logs Summary
- Back matter: Glossary Index Back Cover