About the book:
Don't be afraid of the GDPR wolf!
How can your business easily comply with the new data protection and privacy laws and avoid fines of up to 27 million dollars? GDPR For Dummies sets out in simple steps how small business owners can comply with the complex General Data Protection Regulation (GDPR). These regulations apply to all businesses established in the EU and to businesses established outside the EU insofar as they process the personal data of people within the EU.
Inside, you will discover how GDPR applies to marketing, employment, providing services, and using service providers in your business. Learn how to avoid fines, regulatory investigations, customer complaints, and brand damage, while gaining a competitive advantage and increasing customer loyalty by putting privacy at the heart of your business.
• Find out what constitutes personal data and special-category data
• Obtain consent for online and offline marketing
• Put your privacy policy in place
• Report a data breach before you are fined
79 percent of U.S. businesses have not figured out how they will report breaches in a timely fashion, give customers the right to be forgotten, carry out privacy impact assessments, and more. If you are one of those businesses that has not put a plan in place, GDPR For Dummies is for you.
Table of contents:
Title Page
Copyright Page
Table of Contents
Introduction
About This Book
Foolish Assumptions
How This Book Is Organized
Part 1: Getting Started with GDPR
Part 2: The Key Principles of GDPR
Part 3: Key Documentation
Part 4: Data Subject Rights, Protection, and Security
Part 5: The Workplace, Marketing, and Beyond
Part 6: The Part of Tens
Part 7: Appendixes
Icons Used in This Book
What You’re Not to Read
Where to Go from Here
GDPR Facebook group
GDPR Compliance Pack
Other ways to stay in the know
One-on-one legal advice
Part 1 Getting Started with GDPR
Chapter 1 Grasping the Fundamentals of GDPR and Data Protection
Understanding Data Protection Laws
The Ten Most Important Obligations of the GDPR
Facing the Consequences
Increased fines and sanctions
Civil claims
Data subject complaints
Brand damage
Loss of trust
Being a Market Leader
Chapter 2 Key Changes Introduced by GDPR
Increased Territorial Scope
EU established data controllers
Non-EU established controllers
Understanding the Representative’s Role and When to Appoint One
Responsibilities of the Representative
Qualifications of the Representative
Consent and Withdrawal of Consent
Additional Data Subject Rights
Liability of Processors
Specific Protection for Children’s Data
Data Breach Notification
Data Protection Officers
Accountability and Governance
Increased Fines and Sanctions
Ability to Bring a Civil Claim
Part 2 The Key Principles of GDPR
Chapter 3 Digging In to Data: What’s Personal, What’s Sensitive, and How It’s Processed
Dissecting the Definition of Personal Data
Information
Relating to
Natural person
Identified or identifiable
Directly or indirectly
Identifier
Anonymization
Pseudonymization
Defining Special-Category Data
Understanding the Processing of Data
Processing Personal Data Lawfully
Compatibility of purposes
Necessity
Consent
Contractual necessity
Legal obligation necessity
Vital interests necessity
Public interests necessity
Legitimate interests
Processing special-category data
The Consequences of Getting Processing Wrong
Chapter 4 The Six Data Protection Principles
Accountability
Lawfulness, Fairness, and Transparency
Lawfulness
Fairness
Transparency
Purpose Limitation
Data Minimization
Accuracy
Regarding opinions
Taking reasonable measures
Updating personal data
Storage Limitation
Integrity and Confidentiality
Consequences of Noncompliance with the Six Principles
Chapter 5 Data Controllers and Data Processors
Recognizing Who’s a Data Controller
Exploring joint controllers
Joint controllers of Facebook Fan Pages
Understanding Who’s a Data Processor
Differentiating who are subprocessors
Exploring Obligations under the GDPR
Obligations on controllers
Obligations on joint controllers
Obligations on processors
Obligations on the data controller to use GDPR-compliant data processors
Exploring Liabilities under the GDPR
Liability for data controller for using a noncompliant data processor
Liability of data processors
Chapter 6 Transfers of Data Outside of the EEA
Principles of Data Transfer Outside of the EEA
Countries with an Adequacy Finding
Becoming Part of the US Privacy Shield
Working with Data in Transit and Onward Transfers
Understanding Standard Contractual Clauses
Determining the type of standard contractual clause to use
Regarding the controller-to-processor transfer
Establishing Binding Corporate Rules
Derogations for International Transfers
Explicit consent
Contractual necessity
Public interest
Legal claim necessity
Vital interests
Open register
Compelling legitimate interests
Part 3 Key Documentation
Chapter 7 Building Your Data Inventory
Understanding the Rationale for Data Inventory
Completing a Data Inventory
Preparatory steps for data inventory
The Data Inventory template
Exploring Systems for Managing Data
Article 30: The Obligation to Keep Records of Data Processing
Controller’s obligations
Processor’s obligations
Chapter 8 Penning a Privacy Notice
Learning the Rationale for a Privacy Notice
Privacy Notices where you collect data directly from individuals
Privacy Notices where you collect data from a third party or publicly available source
Creating Your Privacy Notice
Communicating Your Privacy Notice
Communicating via email
Communicating via your website
Communicating over the phone
Communicating in person
The Consequences of Not Having an Appropriate Privacy Notice
Chapter 9 Cookie Policy
Defining Cookies
Understanding the Rationale for a Cookie Policy
Lawful grounds for processing personal data obtained from cookies
Creating and Communicating Your Cookie Policy
Assessing your cookies
Writing your Cookie Policy
Posting your Cookie Policy
Cookie walls
Using tools to communicate your Cookie Policy and obtain consent
Looking into the Future of Cookies
Sanctions for Not Having an Appropriate Cookie Policy
Chapter 10 Drafting Data Processing and Data Sharing Agreements
Understanding Data Processing Agreements
What to include in the Data Processing Agreement
Responsibility for the Data Processing Agreement
Negotiating a Data Processing Agreement
Creating a Data Processing Agreement
Understanding Data Sharing Agreements
Creating a Data Sharing Agreement
What to Do with Your Agreements
Data Processing Agreements
Data Sharing Agreements
Examining the Consequences of Not Having the Appropriate Agreements in Place
Data Processing Agreements
Data Sharing Agreements
Chapter 11 Writing Opt-In Wording
Understanding When to Use Opt-In Wording
Opt-in particulars
Opt-ins for lead magnets
When to use opt-out wording
The ePrivacy Directive and the soft opt-in
Explicit-consent opt-in wording
Creating and Communicating Your Opt-In Wording
The do’s and don’ts of opt-in wording
Avoiding consent fatigue
Keeping records of consent
Consequences of Not Having the Appropriate Opt-In Wording
Chapter 12 Writing a Legitimate Interests Assessment Form
Knowing When to Use a Legitimate Interests Assessment Form
Completing a Legitimate Interests Assessment Form
Purpose test
Necessity test
Balancing test
What to Do with Your Legitimate Interests Assessment Form
Consequences of Not Carrying Out a Legitimate Interests Assessment
Chapter 13 Writing Other Documents
Data Protection Impact Assessments
Data Subject Access Requests and Response Records
Data Subject Access Requests (DSAR)
Response to a DSAR
Data Breach Records
Data Protection Policies
Data Retention Policies
Additional Privacy Notices
Part 4 Data Subject Rights, Protection, and Security
Chapter 14 Data Subject Rights
General Matters Relating to Data Subject Rights
Territorial scope of data subject rights
Form in which a right is exercised
Deadline for replying to requests
Charging a fee
Requesting identification
Refusing to comply
Requests by or on behalf of others or from children
Exemptions
The consequences of failing to respond correctly
Enforcement actions
Defining the Eight Data Subject Rights
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights relating to automated decision-making and profiling
Data Subject Access Rights (DSARs)
Key changes to DSARs under GDPR
Exemptions to data being provided as part of a DSAR
Responding to a Data Subject Access Request
Searching for relevant personal data
The Right to Be Forgotten
When the right to be forgotten applies
When the right to be forgotten doesn’t apply
Notifying third parties to whom you have transferred data
Erasing data from backup systems
Children’s data
Search engine results
Chapter 15 Data Protection by Design and by Default
Defining by Design and by Default
Data protection by design
Data protection by default
Conducting a Data Protection Impact Assessment
The DPIA process
When to consult your supervisory authority
Code of conduct
Understanding the Data Protection Officer
What a DPO is
The DPO’s responsibilities
When a DPO is required
DPO protections
DPO contractors
Chapter 16 Data Security
Reviewing Data Security
Confidentiality
Integrity
Availability
Article 32 Security Obligations
Identifying Your Data Assets
Protecting Your Data
Technical controls
Procedural controls
Personnel controls
Physical controls
Handling Security Incidents
Detecting security incidents
Responding to security incidents
Recovering from security incidents
Conducting regular testing and assessments
Introducing Security-Related Frameworks
ISO 27001:2013
ISO 27005:2018
Cyber Essentials (Plus)
NIST Cybersecurity Framework
Data Controller and Data Processor Liabilities
The role of subprocessors
Doing your due diligence
Breaches caused by data processors
Sanctions for data breaches caused by data processors
Chapter 17 Data Breaches and Reporting Obligations
Understanding What Constitutes a Breach
Categorizing breaches
Assessing Data Breaches
Addressing potential consequences
Weighing risk factors
Becoming aware of the breach
Investigating the breach
Responding to a breach
Sending Notifications
Notifying the supervisory authority
Notifying data subjects
Keeping Internal Records
Data Processors and Data Breaches
Sanctions for Data Breaches
Part 5 The Workplace, Marketing, and Beyond
Chapter 18 GDPR and the Workplace
Choosing Appropriate Lawful Grounds of Processing for Employee Data
Lawful grounds of processing for employee data
Lawful grounds of processing for candidate data
Lawful grounds of processing for data about former employees
Writing and Communicating an Employee Privacy Notice
What to include
What to do with it
Managing subject access requests from employees
Understanding exemptions
Responding to an employee DSAR
Monitoring Employees
Types of employee monitoring
Principles for employee monitoring
Identifying legitimate monitoring
Recognizing monitoring that isn’t legitimate
CCTV
Chapter 19 Keeping Your Marketing GDPR-Compliant
Marketing, Defined
General Matters Regarding the GDPR and Marketing
The lawful grounds for processing
B2B marketing and B2C marketing
Opt-outs and suppression lists
The inter-relationship with the ePrivacy Directive
The consequences of getting it wrong
Online Marketing
Facebook marketing
Display advertising
Behavioral advertising
Email and text marketing
Affiliate marketing
Automated calling
Offline Marketing
Prospecting and networking
Events
Exhibitions
Referrals
Postal marketing
Non-automated calls
Chapter 20 Children, Charities, and Associations
Children
Differences for children under the GDPR
Consent of parents and children
Additional rights of children
Charities
Fundraising and marketing
Wealth screening and data matching
Religious charities and door-to-door preaching
Volunteers
Security
Data protection fee
ICO risk review report for charities
Associations
Chapter 21 Supervisory Authorities, Remedies, Liabilities, and Penalties
Introducing Supervisory Authorities
Finding Your Supervisory Authority and Lead Authority
Supervisory authority
Lead authority
Reporting Data Breaches to Your Supervisory Authority
Powers of Supervisory Authorities
Investigatory powers
Corrective powers
Authorization and advisory powers
Remedies, Liabilities, and Penalties
Data subject complaints
Judicial remedies
The data controller’s and data processor’s liability to provide compensation
A 2-tiered system of fines
Other penalties
Part 6 The Part of Tens
Chapter 22 Ten GDPR Resources
Suzanne Dibble’s resources
Supervisory Authorities and EDPB Websites
The EU Commission
International Association of Privacy Professionals (IAPP)
Privacy Shield Searchable Database
Easily Readable Online Text of the GDPR
Cookie Consent Tools
GDPR Compliance Platforms
OneTrust
TrustArc
GDPR Mentor
GDPR Enforcement Tracker
Book Contributors’ Resources
Chapter 23 Ten Must-Have Skills for the DPO
Experience in Privacy and Security Risk Assessment
Knowledge of Data Protection Law and Practices
Ability to Work Independently
Ability to Work Autonomously
Ability to Communicate Effectively
Ability to Negotiate Adeptly
Maintain Cultural Awareness and Sensitivity
Demonstrate Leadership
Ability to Embrace Change
Display Business and Interpersonal Acumen
Chapter 24 Ten Ways to Train Employees to Be Good Stewards of Data
Understand That One Size Doesn’t Fit All
Assess Individuals’ Learning Styles
Develop Engaging Training
Teach the Basics to All Staff
Provide Detailed Training per Function
Train on Internal Systems and Procedures
Reinforce Training with Reminders around the Workplace
Spread Out Training across Multiple Sessions
Encourage a Culture of Openness
Adopt a Culture of Privacy
Part 7 Appendixes
Appendix A Upcoming Changes to Data Protection Laws
Appendix B List of Supervisory Authorities
Appendix C GDPR Checklist
Appendix D Glossary
Index
About the book in the original language:
Don’t be afraid of the GDPR wolf!
How can your business easily comply with the new data protection and privacy laws and avoid fines of up to $27M? GDPR For Dummies sets out in simple steps how small business owners can comply with the complex General Data Protection Regulations (GDPR). These regulations apply to all businesses established in the EU and to businesses established outside of the EU insofar as they process personal data about people within the EU.
Inside, you’ll discover how GDPR applies to your business in the context of marketing, employment, providing your services, and using service providers. Learn how to avoid fines, regulatory investigations, customer complaints, and brand damage, while gaining a competitive advantage and increasing customer loyalty by putting privacy at the heart of your business.
• Find out what constitutes personal data and special category data
• Gain consent for online and offline marketing
• Put your Privacy Policy in place
• Report a data breach before being fined
79% of U.S. businesses haven’t figured out how they’ll report breaches in a timely fashion, provide customers the right to be forgotten, conduct privacy impact assessments, and more. If you are one of those businesses that hasn't put a plan in place, then GDPR For Dummies is for you.