Contents – EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide

CONTENTS

Introduction

The purpose of the GDPR

Structure of the Regulation

Impact on the EU

Implementing the GDPR

Key definitions

Chapter 1: Privacy Compliance Frameworks

Material scope

Territorial scope

Governance

Objectives

Key processes

Personal information management systems

ISO/IEC 27001:2013

Selecting and implementing a compliance framework

Implementing the framework

Chapter 2: Role of the Data Protection Officer

Voluntary designation of a Data Protection Officer

Undertakings that share a DPO

DPO on a service contract

Publication of DPO contact details

Position of the DPO

Necessary resources

Acting in an independent manner

Protected role of the DPO

Conflicts of interest

Specification of the DPO

Duties of the DPO

The DPO and the organisation

The DPO and the supervisory authority

Data protection impact assessments and risk management

In house or contract

Chapter 3: Common Data Security Failures

Personal data breaches

Anatomy of a data breach

Sites of attack

Securing your information

ISO 27001

Ten Steps to Cyber Security

Cyber Essentials

NIST standards

The information security policy

Assuring information security

Governance of information security

Information security beyond the organisation’s borders

Chapter 4: Six Data Protection Principles

Principle 1: Lawfulness, fairness and transparency

Principle 2: Purpose limitation

Principle 3: Data minimisation

Principle 4: Accuracy

Principle 5: Storage limitation

Principle 6: Integrity and confidentiality

Accountability and compliance

Chapter 5: Requirements for Data Protection Impact Assessments

Data protection impact assessments

When to conduct a DPIA

Who needs to be involved

Data protection by design and by default

Chapter 6: Risk Management and DPIAs

DPIAs as part of risk management

Risk management standards and methodologies

Risk responses

Risk relationships

Risk management and personal data

Chapter 7: Data Mapping

Objectives and outcomes

Four elements of data flow

Data mapping, DPIAs and risk management

Chapter 8: Conducting DPIAs

Reasons for conducting a DPIA

Objectives and outcomes

Consultation

Five key stages of the DPIA

Integrating the DPIA into the project plan

Chapter 9: Data Subjects’ Rights

Fair processing

The right to access

The right to rectification

The right to be forgotten

The right to restriction of processing

The right to data portability

The right to object

The right to appropriate decision making

Chapter 10: Consent

Consent in a nutshell

Withdrawing consent

Alternatives to consent

Practicalities of consent

Children

Special categories of personal data

Data relating to criminal convictions and offences

Chapter 11: Subject Access Requests

The information to provide

Data portability

Responsibilities of the data controller

Processes and procedures

Options for confirming the requester’s identity

Records to examine

Time and money

Dealing with bulk subject access requests

Right to refusal

Chapter 12: Controllers and Processors

Data controllers

Joint controllers

Data processors

Controllers that are processors

Controllers and processors outside the EU

Records of processing

Demonstrating compliance

Chapter 13: Managing Personal Data Internationally

Key requirements

Adequacy decisions

Safeguards

Binding corporate rules

The EU-US Privacy Shield

Privacy Shield Principles

Limited transfers

Cloud services

Chapter 14: Incident Response Management and Reporting

Notification

Events vs incidents

Types of incident

Cyber security incident response plans

Key roles in incident management

Prepare

Respond

Follow up

Chapter 15: GDPR Enforcement

The hierarchy of authorities

One-stop-shop mechanism

Duties of supervisory authorities

Powers of supervisory authorities

Duties and powers of the European Data Protection Board

Data subjects’ rights to redress

Administrative fines

The Regulation’s impact on other laws

Chapter 16: Transitioning and Demonstrating Compliance

Transition frameworks

Transition – understanding the changes from DPD to GDPR

Using policies to demonstrate compliance

Codes of conduct and certification mechanisms

Appendix 1: Index of the Regulation

Appendix 2: EU/EEA National Supervisory Authorities

Appendix 3: Implementation FAQs

ITG Resources