GDPR For Dummies ®
Introducing the book «GDPR For Dummies ®» by Suzanne Dibble, published by John Wiley & Sons in 2020. This book is provided in PDF format, in English. «GDPR For Dummies ®» is listed under the "Uncategorized" category.
Don't be afraid of the GDPR wolf! How can your business easily comply with the new data protection and privacy laws and avoid fines of up to $27M? GDPR For Dummies sets out in simple steps how small business owners can comply with the complex General Data Protection Regulations (GDPR). These regulations apply to all businesses established in the EU and to businesses established outside of the EU insofar as they process personal data about people within the EU. Inside, you'll discover how GDPR applies to your business in the context of marketing, employment, providing your services, and using service providers. Learn how to avoid fines, regulatory investigations, customer complaints, and brand damage, while gaining a competitive advantage and increasing customer loyalty by putting privacy at the heart of your business.

Find out what constitutes personal data and special category data
Gain consent for online and offline marketing
Put your Privacy Policy in place
Report a data breach before being fined

79% of U.S. businesses haven't figured out how they'll report breaches in a timely fashion, provide customers the right to be forgotten, conduct privacy impact assessments, and more. If you are one of those businesses that hasn't put a plan in place, then GDPR For Dummies is for you.
Title Page......Page 3
Copyright Page......Page 4
Table of Contents......Page 7
About This Book......Page 19
Foolish Assumptions......Page 20
Part 3: Key Documentation......Page 22
Part 7: Appendixes......Page 23
What You’re Not to Read......Page 24
GDPR Facebook group......Page 25
GDPR Compliance Pack......Page 26
One-on-one legal advice......Page 27
Part 1 Getting Started with GDPR......Page 29
Chapter 1 Grasping the Fundamentals of GDPR and Data Protection......Page 31
Understanding Data Protection Laws......Page 32
The Ten Most Important Obligations of the GDPR......Page 33
Facing the Consequences......Page 34
Civil claims......Page 35
Brand damage......Page 36
Being a Market Leader......Page 37
Chapter 2 Key Changes Introduced by GDPR......Page 39
Increased Territorial Scope......Page 40
EU established data controllers......Page 42
Non-EU established controllers......Page 45
Responsibilities of the Representative......Page 47
Qualifications of the Representative......Page 48
Consent and Withdrawal of Consent......Page 49
Additional Data Subject Rights......Page 50
Liability of Processors......Page 51
Specific Protection for Children’s Data......Page 52
Accountability and Governance......Page 53
Ability to Bring a Civil Claim......Page 54
Part 2 The Key Principles of GDPR......Page 55
Chapter 3 Digging In to Data: What’s Personal, What’s Sensitive, and How It’s Processed......Page 57
Dissecting the Definition of Personal Data......Page 58
Information......Page 59
Relating to......Page 60
Identified or identifiable......Page 62
Identifier......Page 63
Anonymization......Page 67
Defining Special-Category Data......Page 68
Understanding the Processing of Data......Page 71
Processing Personal Data Lawfully......Page 72
Compatibility of purposes......Page 73
Consent......Page 74
Contractual necessity......Page 85
Legal obligation necessity......Page 86
Vital interests necessity......Page 87
Legitimate interests......Page 88
Processing special-category data......Page 92
The Consequences of Getting Processing Wrong......Page 96
Chapter 4 The Six Data Protection Principles......Page 97
Accountability......Page 98
Fairness......Page 99
Transparency......Page 100
Purpose Limitation......Page 101
Data Minimization......Page 102
Taking reasonable measures......Page 103
Storage Limitation......Page 104
Integrity and Confidentiality......Page 105
Consequences of Noncompliance with the Six Principles......Page 106
Chapter 5 Data Controllers and Data Processors......Page 107
Exploring joint controllers......Page 108
Joint controllers of Facebook Fan Pages......Page 109
Understanding Who’s a Data Processor......Page 110
Obligations on controllers......Page 112
Obligations on joint controllers......Page 114
Obligations on processors......Page 115
Obligations on the data controller to use GDPR-compliant data processors......Page 116
Liability for data controller for using a noncompliant data processor......Page 117
Liability of data processors......Page 118
Chapter 6 Transfers of Data Outside of the EEA......Page 119
Principles of Data Transfer Outside of the EEA......Page 120
Countries with an Adequacy Finding......Page 121
Becoming Part of the US Privacy Shield......Page 122
Working with Data in Transit and Onward Transfers......Page 123
Understanding Standard Contractual Clauses......Page 124
Regarding the controller-to-processor transfer......Page 125
Establishing Binding Corporate Rules......Page 126
Derogations for International Transfers......Page 127
Explicit consent......Page 128
Contractual necessity......Page 129
Legal claim necessity......Page 130
Vital interests......Page 131
Compelling legitimate interests......Page 132
Part 3 Key Documentation......Page 135
Chapter 7 Building Your Data Inventory......Page 137
Completing a Data Inventory......Page 138
Preparatory steps for data inventory......Page 139
The Data Inventory template......Page 140
Article 30: The Obligation to Keep Records of Data Processing......Page 148
Controller’s obligations......Page 150
Processor’s obligations......Page 151
Chapter 8 Penning a Privacy Notice......Page 153
Privacy Notices where you collect data directly from individuals......Page 154
Privacy Notices where you collect data from a third party or publicly available source......Page 155
Creating Your Privacy Notice......Page 157
Communicating via email......Page 160
Communicating in person......Page 161
The Consequences of Not Having an Appropriate Privacy Notice......Page 162
Chapter 9 Cookie Policy......Page 163
Defining Cookies......Page 164
Understanding the Rationale for a Cookie Policy......Page 165
Lawful grounds for processing personal data obtained from cookies......Page 166
Assessing your cookies......Page 167
Writing your Cookie Policy......Page 169
Posting your Cookie Policy......Page 170
Cookie walls......Page 172
Using tools to communicate your Cookie Policy and obtain consent......Page 173
Looking into the Future of Cookies......Page 174
Sanctions for Not Having an Appropriate Cookie Policy......Page 175
Chapter 10 Drafting Data Processing and Data Sharing Agreements......Page 177
What to include in the Data Processing Agreement......Page 178
Negotiating a Data Processing Agreement......Page 180
Creating a Data Processing Agreement......Page 183
Understanding Data Sharing Agreements......Page 184
Creating a Data Sharing Agreement......Page 185
Data Processing Agreements......Page 186
Data Processing Agreements......Page 187
Data Sharing Agreements......Page 188
Chapter 11 Writing Opt-In Wording......Page 189
Opt-in particulars......Page 190
Opt-ins for lead magnets......Page 192
When to use opt-out wording......Page 193
The ePrivacy Directive and the soft opt-in......Page 194
Explicit-consent opt-in wording......Page 195
The do’s and don’ts of opt-in wording......Page 198
Avoiding consent fatigue......Page 201
Consequences of Not Having the Appropriate Opt-In Wording......Page 202
Chapter 12 Writing a Legitimate Interests Assessment Form......Page 205
Knowing When to Use a Legitimate Interests Assessment Form......Page 206
Necessity test......Page 207
Balancing test......Page 208
Consequences of Not Carrying Out a Legitimate Interests Assessment......Page 212
Data Protection Impact Assessments......Page 213
Data Subject Access Requests (DSAR)......Page 215
Response to a DSAR......Page 216
Data Breach Records......Page 217
Data Protection Policies......Page 218
Data Retention Policies......Page 219
Additional Privacy Notices......Page 220
Part 4 Data Subject Rights, Protection, and Security......Page 221
Chapter 14 Data Subject Rights......Page 223
Territorial scope of data subject rights......Page 224
Deadline for replying to requests......Page 225
Charging a fee......Page 226
Refusing to comply......Page 227
Exemptions......Page 228
The consequences of failing to respond correctly......Page 229
The right to be informed......Page 230
The right to rectification......Page 232
The right to restrict processing......Page 233
The right to data portability......Page 234
Rights relating to automated decision-making and profiling......Page 235
Key changes to DSARs under GDPR......Page 237
Responding to a Data Subject Access Request......Page 240
The Right to Be Forgotten......Page 242
When the right to be forgotten applies......Page 243
When the right to be forgotten doesn’t apply......Page 244
Erasing data from backup systems......Page 245
Search engine results......Page 246
Chapter 15 Data Protection by Design and by Default......Page 247
Data protection by design......Page 248
Data protection by default......Page 250
The DPIA process......Page 251
When to consult your supervisory authority......Page 254
What a DPO is......Page 255
When a DPO is required......Page 256
DPO protections......Page 258
DPO contractors......Page 259
Reviewing Data Security......Page 261
Confidentiality......Page 263
Integrity......Page 264
Article 32 Security Obligations......Page 265
Identifying Your Data Assets......Page 267
Protecting Your Data......Page 268
Technical controls......Page 269
Personnel controls......Page 270
Handling Security Incidents......Page 271
Detecting security incidents......Page 272
Responding to security incidents......Page 273
Recovering from security incidents......Page 274
Conducting regular testing and assessments......Page 276
ISO 27001:2013......Page 277
ISO 27005:2018......Page 278
Cyber Essentials (Plus)......Page 279
NIST Cybersecurity Framework......Page 280
Data Controller and Data Processor Liabilities......Page 281
The role of subprocessors......Page 282
Sanctions for data breaches caused by data processors......Page 283
Chapter 17 Data Breaches and Reporting Obligations......Page 285
Understanding What Constitutes a Breach......Page 286
Categorizing breaches......Page 287
Assessing Data Breaches......Page 288
Addressing potential consequences......Page 289
Weighing risk factors......Page 290
Becoming aware of the breach......Page 291
Investigating the breach......Page 292
Responding to a breach......Page 293
Sending Notifications......Page 294
Notifying the supervisory authority......Page 295
Notifying data subjects......Page 296
Data Processors and Data Breaches......Page 300
Sanctions for Data Breaches......Page 301
Part 5 The Workplace, Marketing, and Beyond......Page 303
Chapter 18 GDPR and the Workplace......Page 305
Lawful grounds of processing for employee data......Page 306
Lawful grounds of processing for data about former employees......Page 308
What to include......Page 309
Managing subject access requests from employees......Page 310
Understanding exemptions......Page 311
Responding to an employee DSAR......Page 314
Types of employee monitoring......Page 315
Principles for employee monitoring......Page 316
Identifying legitimate monitoring......Page 319
Recognizing monitoring that isn’t legitimate......Page 320
CCTV......Page 323
Chapter 19 Keeping Your Marketing GDPR-Compliant......Page 329
Marketing, Defined......Page 330
The lawful grounds for processing......Page 332
B2B marketing and B2C marketing......Page 334
Opt-outs and suppression lists......Page 335
The inter-relationship with the ePrivacy Directive......Page 337
The consequences of getting it wrong......Page 338
Facebook marketing......Page 339
Behavioral advertising......Page 343
Email and text marketing......Page 346
Prospecting and networking......Page 348
Referrals......Page 350
Postal marketing......Page 351
Non-automated calls......Page 352
Chapter 20 Children, Charities, and Associations......Page 353
Differences for children under the GDPR......Page 354
Consent of parents and children......Page 356
Additional rights of children......Page 357
Fundraising and marketing......Page 360
Wealth screening and data matching......Page 362
Volunteers......Page 363
ICO risk review report for charities......Page 364
Associations......Page 366
Chapter 21 Supervisory Authorities, Remedies, Liabilities, and Penalties......Page 369
Introducing Supervisory Authorities......Page 370
Supervisory authority......Page 371
Lead authority......Page 372
Investigatory powers......Page 377
Authorization and advisory powers......Page 378
Data subject complaints......Page 379
Judicial remedies......Page 380
The data controller’s and data processor’s liability to provide compensation......Page 381
A 2-tiered system of fines......Page 382
Other penalties......Page 384
Part 6 The Part of Tens......Page 387
Suzanne Dibble’s resources......Page 389
Supervisory Authorities and EDPB Websites......Page 390
International Association of Privacy Professionals (IAPP)......Page 391
Easily Readable Online Text of the GDPR......Page 392
TrustArc......Page 393
GDPR Enforcement Tracker......Page 394
Book Contributors’ Resources......Page 395
Chapter 23 Ten Must-Have Skills for the DPO......Page 397
Knowledge of Data Protection Law and Practices......Page 398
Ability to Work Independently......Page 399
Ability to Communicate Effectively......Page 400
Ability to Embrace Change......Page 401
Display Business and Interpersonal Acumen......Page 402
Chapter 24 Ten Ways to Train Employees to Be Good Stewards of Data......Page 403
Understand That One Size Doesn’t Fit All......Page 404
Teach the Basics to All Staff......Page 405
Provide Detailed Training per Function......Page 406
Reinforce Training with Reminders around the Workplace......Page 407
Adopt a Culture of Privacy......Page 408
Part 7 Appendixes......Page 411
Appendix A Upcoming Changes to Data Protection Laws......Page 413
Appendix B List of Supervisory Authorities......Page 421
Appendix C GDPR Checklist......Page 427
Appendix D Glossary......Page 437
Index......Page 443
EULA......Page 467
Download the book GDPR For Dummies ®