GDPR For Dummies
Suzanne Dibble
- English
- ePUB (mobile-friendly)
- Available on iOS and Android
About This Book
Don't be afraid of the GDPR wolf!
How can your business easily comply with the new data protection and privacy laws and avoid fines of up to $27M? GDPR For Dummies sets out in simple steps how small business owners can comply with the complex General Data Protection Regulations (GDPR). These regulations apply to all businesses established in the EU and to businesses established outside of the EU insofar as they process personal data about people within the EU.
Inside, you'll discover how GDPR applies to your business in the context of marketing, employment, providing your services, and using service providers. Learn how to avoid fines, regulatory investigations, customer complaints, and brand damage, while gaining a competitive advantage and increasing customer loyalty by putting privacy at the heart of your business.
- Find out what constitutes personal data and special category data
- Gain consent for online and offline marketing
- Put your Privacy Policy in place
- Report a data breach before being fined
79% of U.S. businesses haven't figured out how they'll report breaches in a timely fashion, provide customers the right to be forgotten, conduct privacy impact assessments, and more. If you are one of those businesses that hasn't put a plan in place, then GDPR For Dummies is for you.
Getting Started with GDPR
Grasping the Fundamentals of GDPR and Data Protection
- The GDPR needs to fit into the member state’s legal framework.
- National legislation is needed to choose from the exemptions permitted by the GDPR.
Understanding Data Protection Laws
- Protect data subjects: A data subject is an individual whose personal data is collected, held, and/or processed.
- Apply to organizations that control the processing of personal data (known as data controllers) and also organizations that process personal data under the instructions of data controllers (known as data processors): These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).
- Apply throughout the world: The concept of privacy originated in the United States in the 1890s. Although the EU has been a front-runner in establishing laws that protect data and sees itself as setting the gold standard for data protection laws, the vast majority of countries around the world have some form of data protection law.
- Do not prevent organizations from using personal data: Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on.
- Prevent common misuses of personal data: Organizations often (i) fail to put in place appropriate measures to keep personal data secure, (ii) fail to inform the data subject at the point of data collection about what they intend to do with the personal data and, where necessary, to obtain consent, and (iii) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses.
| Type of Regulation/Enforcement | Countries |
|---|---|
| Tough | Australia, Canada, Hong Kong, South Korea |
| Strong | Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand |
| Light | Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine |
| Limited | Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay |
The Ten Most Important Obligations of the GDPR
- Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it. (See Chapter 7 for more on this topic.)
- Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it. (Chapter 3 has more on this topic.)
- Ensure that your data security strategy is robust and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident. (See Chapter 16 for more about data security.)
- Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA). (See Chapter 6 for more about transferring personal data.)
- Update your Privacy Notice to ensure that you’re being transparent about the means and purposes of your data processing. (See Chapter 8 for more on Privacy Notices.)
- Update your Cookie Policy to ensure that you aren’t relying on implied consent, that browsers of your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained. (For more on the concept of implied consent as well as details about cookie policies, see Chapter 9.)
- Ensure that your staff are appropriately trained in relevant areas of the GDPR. (Chapter 18 has more on this topic and Chapter 24 has tips for training employees to help you maintain GDPR compliance.)
- Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee Privacy Notice where necessary. (See Chapter 18 for more on this topic.)
- Determine whether you need to appoint a Data Protection Officer (DPO). If you do, take the necessary steps to hire a suitable candidate. (See Chapter 15 for more on DPOs.)
- Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data. (See Chapter 5 for more on this topic. Chapter 10 covers data processor and subprocessor contracts.)