GDPR For Dummies
eBook - ePub

GDPR For Dummies

Suzanne Dibble


About This Book

Don't be afraid of the GDPR wolf!

How can your business easily comply with the new data protection and privacy laws and avoid fines of up to $27M? GDPR For Dummies sets out in simple steps how small business owners can comply with the complex General Data Protection Regulations (GDPR). These regulations apply to all businesses established in the EU and to businesses established outside of the EU insofar as they process personal data about people within the EU.

Inside, you'll discover how GDPR applies to your business in the context of marketing, employment, providing your services, and using service providers. Learn how to avoid fines, regulatory investigations, customer complaints, and brand damage, while gaining a competitive advantage and increasing customer loyalty by putting privacy at the heart of your business.

  • Find out what constitutes personal data and special category data
  • Gain consent for online and offline marketing
  • Put your Privacy Policy in place
  • Report a data breach before being fined

79% of U.S. businesses haven't figured out how they'll report breaches in a timely fashion, provide customers the right to be forgotten, conduct privacy impact assessments, and more. If you are one of those businesses that hasn't put a plan in place, then GDPR For Dummies is for you.

Is GDPR For Dummies an online PDF/ePUB?
Yes, you can access GDPR For Dummies by Suzanne Dibble in PDF and/or ePUB format, as well as other popular books in Business & Corporate Governance. We have over one million books available in our catalogue for you to explore.

Information

Publisher: For Dummies
Year: 2019
ISBN: 9781119546177
Edition: 1

Part 1

Getting Started with GDPR

IN THIS PART …
  • Introducing the General Data Protection Regulation
  • A quick overview of data protection laws — in the EU and around the world
  • Taking on your ten most important obligations
  • Learning what happens if you don’t comply
  • Determining when the GDPR applies and when it doesn’t
  • Reviewing the GDPR’s most notable changes

Chapter 1

Grasping the Fundamentals of GDPR and Data Protection

IN THIS CHAPTER
  • Taking a look at data protection laws
  • Taking the most important actions — now
  • Recognizing what happens when you don’t comply
  • Gaining a competitive advantage by way of compliance

The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, is the successor to the European Union's Data Protection Directive of 1995 (Directive 95/46/EC).
One aim of the GDPR was to harmonize data protection laws across Europe — so its legal form is a regulation (an order that must be executed as written) as opposed to a directive (a result to achieve, where the means of achieving it aren’t dictated). Unlike a directive, a regulation enacted by the European Union (EU) becomes national legislation in each EU member state directly, and member states have no opportunity to change it via their own national legislation.
However, EU member states are permitted to make certain derogations (a fancy term for exemptions) from the GDPR (such as in the case of the need to uphold a country’s security), so data protection laws across Europe aren’t quite as harmonized as may have been desired by some of the legislators.
Although EU member states cannot change the GDPR, each member state requires national legislation to accompany the GDPR, for two reasons:
  • The GDPR needs to fit into the member state’s legal framework.
  • National legislation is needed to choose from the exemptions permitted by the GDPR.
At the time this book was written, all but three member states had passed national legislation to sit alongside the GDPR. So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established.

Understanding Data Protection Laws

Data protection laws exist to balance the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights.
This list describes a handful of additional points about these laws to keep in mind. Data protection laws:
  • Protect data subjects: A data subject is an individual whose personal data is collected, held, and/or processed.
  • Apply to organizations that control the processing of personal data (known as data controllers) and also organizations that process personal data under the instructions of data controllers (known as data processors): These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).
  • Apply throughout the world: The concept of privacy originated in the United States in the 1890s. Although the EU has been a front-runner in establishing laws protecting data and sees itself as setting the gold standard for data protection laws, the vast majority of countries around the world have some form of data protection law.
  • Do not prevent organizations from using personal data: Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on.
  • Prevent common misuses of personal data: Organizations often (i) fail to put in place appropriate measures to keep personal data secure, (ii) fail to inform the data subject at the point of data collection about what they intend to do with the personal data (and, where necessary, fail to obtain consent), and (iii) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses.
Countries hold to varying degrees of regulation and enforcement and some countries don’t have any data protection laws. Table 1-1 rates the strength of various countries’ efforts to protect data.
TABLE 1-1 Regulation/Enforcement Strength of Data Protection Laws Worldwide

Type of Regulation/Enforcement   Countries
Tough                            Australia, Canada, Hong Kong, South Korea
Strong                           Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand
Light                            Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine
Limited                          Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay

The Ten Most Important Obligations of the GDPR

The obligations I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book:
  • Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it. (See Chapter 7 for more on this topic.)
  • Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it. (Chapter 3 has more on this topic.)
  • Ensure that your data security strategy is robust and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident. (See Chapter 16 for more about data security.)
  • Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA). (See Chapter 6 for more about transferring personal data.)
  • Update your Privacy Notice to ensure that you’re being transparent about the means and purposes of your data-processing. (See Chapter 8 for more on Privacy Notices.)
  • Update your Cookie Policy to ensure that you aren’t relying on implied consent, that browsers of your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained. (For more on the concept of implied consent as well as details about cookie policies, see Chapter 9.)
  • Ensure that your staff are appropriately trained in relevant areas of the GDPR. (Chapter 18 has more on this topic and Chapter 24 has tips for training employees to help you maintain GDPR compliance.)
  • Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee Privacy Notice where necessary. (See Chapter 18 for more on this topic.)
  • Determine whether you need to appoint a Data Protection Officer (DPO). If you do, take the necessary steps to hire a suitable candidate. (See Chapter 15 for more on DPOs.)
  • Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data. (See Chapter 5 for more on this topic. Chapter 10 covers data processor and subprocessor contracts.)

Facing the Consequences

Think of this section as a description of not only the consequences you face if you aren’t compliant but also the reasons you should care about being compliant.

Increased fines and sanctions

The GDPR has introduced significant increases in the maximum fines for breaches of its requirements.
Under the GDPR, the fi...
