EU GDPR – An international guide to compliance
()
About this ebook
The GDPR aims to unify data protection and ease the flow of personal data across the EU. It applies to every organisation in the world that handles EU residents’ personal data.
While the GDPR is not law in countries outside the EU, it is effectively part of the legislative environment for organisations that do business with the EU. This is enforced through a combination of international trade law and business pressure – after all, a partner in the EU is unlikely to want to risk engaging with a company in the US, Australia or Singapore (or anywhere else) that will put them at risk.
EU GDPR – An international guide to compliance is the ideal resource for anyone wanting a clear primer on the principles of data protection and their obligations under the GDPR.
A concise pocket guide, it will help you understand:
- The terms and definitions used in the GDPR, including explanations;
- The key requirements of the GDPR, including:
- Which fines apply to which Articles;
- The principles that should be applied to any collection and processing of personal data;
- The Regulation’s applicability;
- Data subjects’ rights;
- Data protection impact assessments;
- The data protection officer role and whether you need one;
- Data breaches, and notifying supervisory authorities and data subjects; and
- Obligations for international data transfers.
- How to comply with the Regulation, including:
- Understanding your data, and where and how it is used (e.g. Cloud suppliers, physical records);
- The documentation you must maintain (such as statements of the information you collect and process, records of data subject consent, processes for protecting personal data); and
- The “appropriate technical and organisational measures” you need to take to ensure compliance with the Regulation.
- A full index of the Regulation, enabling you to find relevant Articles quickly and easily.
Supplemental material
While most of the EU GDPR’s requirements are broadly unchanged in the UK GDPR, the context is quite different and will have knock-on effects. You may need to update contracts regarding EU–UK data transfers, incorporate standard contractual clauses into existing agreements, and update your policies, processes and procedural documentation as a result of these changes.
We have published a supplement that sets out specific extra or amended information for this pocket guide. Click here to download the supplement.
About the authorAlan Calder is the Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. He is an internationally acknowledged cyber security expert, and a leading author on information security and IT governance issues. He co-wrote the definitive compliance guide IT Governance: An International Guide to Data Security and ISO27001/ISO27002, which is the basis for the Open University’s postgraduate course on information security, and has been involved in the development of a wide range of information security management training courses that have been accredited by IBITGQ (International Board for IT Governance Qualifications). Alan has consulted on data security for numerous clients in
Alan Calder
Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Read more from Alan Calder
ISO 22301:2019 and business continuity management - Understand how to plan, implement and enhance a business continuity management system (BCMS) Rating: 5 out of 5 stars5/5Information Security Risk Management for ISO 27001/ISO 27002, third edition Rating: 4 out of 5 stars4/5ISO/IEC 38500: The IT Governance Standard Rating: 5 out of 5 stars5/5ISO 27001/ISO 27002: A guide to information security management systems Rating: 0 out of 5 stars0 ratingsInformation Security Risk Management for ISO27001/ISO27002 Rating: 4 out of 5 stars4/5EU GDPR - A pocket guide, second edition Rating: 0 out of 5 stars0 ratingsPCI DSS: A pocket guide, sixth edition Rating: 0 out of 5 stars0 ratingsIT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT Rating: 4 out of 5 stars4/5Risk Assessment for Asset Owners Rating: 4 out of 5 stars4/5IT Governance: A Pocket Guide Rating: 3 out of 5 stars3/5PCI DSS: A Pocket Guide Rating: 2 out of 5 stars2/5Cyber Essentials: A Pocket Guide Rating: 5 out of 5 stars5/5Selling Information Security to the Board: A Primer Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide, fourth edition Rating: 0 out of 5 stars0 ratingsThe EU Data Protection Code of Conduct for Cloud Service Providers: A guide to compliance Rating: 0 out of 5 stars0 ratingsThe Case for ISO27001:2013 Rating: 1 out of 5 stars1/5IT Governance Critical Issues Series: Cyber Security Rating: 0 out of 5 stars0 ratingsCyber Essentials: A guide to the Cyber Essentials and Cyber Essentials Plus certifications Rating: 0 out of 5 stars0 ratingsNine Steps to Success: North American edition: An ISO 27001 Implementation Overview Rating: 0 out of 5 stars0 ratingsNetwork and Information Systems (NIS) Regulations - A pocket guide for operators of essential services Rating: 0 out of 5 stars0 ratingsThe Green Office: A Business Guide Rating: 0 out of 5 stars0 ratingsCompliance for Green IT: A Pocket Guide Rating: 5 out of 5 stars5/5Network and Information Systems (NIS) Regulations - A pocket guide for digital service providers Rating: 0 out of 5 stars0 ratingsIT Regulatory Compliance in the UK Rating: 0 out of 5 stars0 ratingsA concise introduction to the NIS Directive: A pocket guide for digital service providers Rating: 0 out of 5 stars0 ratingsPCI DSS: A Pocket Guide - 3rd edition Rating: 0 out of 5 stars0 ratings
Related to EU GDPR – An international guide to compliance
Related ebooks
EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition Rating: 0 out of 5 stars0 ratingsEU GDPR - A pocket guide, second edition Rating: 0 out of 5 stars0 ratingsIntro to GDPR: A Plain English Guide to Compliance Rating: 0 out of 5 stars0 ratingsData Protection and Compliance: Second edition Rating: 0 out of 5 stars0 ratingsEU General Data Protection Regulation (GDPR), third edition: An Implementation and Compliance Guide Rating: 0 out of 5 stars0 ratingsA Last Minute Hands-on Guide to GDPR Readiness Rating: 0 out of 5 stars0 ratingsData Protection and the Cloud: Are the risks too great? Rating: 4 out of 5 stars4/5Ultimate GDPR Practitioner Guide (2nd Edition): Demystifying Privacy & Data Protection Rating: 0 out of 5 stars0 ratingsCybersecurity Law, Standards and Regulations, 2nd Edition Rating: 0 out of 5 stars0 ratingsData Protection Compliance in the UK: A Pocket Guide Rating: 5 out of 5 stars5/5A Practical Guide to IT Law Rating: 0 out of 5 stars0 ratingsGDPR for DevOp(Sec) - The laws, Controls and solutions Rating: 5 out of 5 stars5/5The IT / Digital Legal Companion: A Comprehensive Business Guide to Software, IT, Internet, Media and IP Law Rating: 5 out of 5 stars5/5SECURITY AND PRIVACY IN AN IT WORLD: Managing and Meeting Online Regulatory Compliance in the 21st Century Rating: 5 out of 5 stars5/5The Ultimate GDPR Practitioner Guide: Demystifying Privacy & Data Protection Rating: 0 out of 5 stars0 ratingsThe California Consumer Privacy Act (CCPA): An implementation guide Rating: 4 out of 5 stars4/5LEGAL ASPECTS OF DATA PROTECTION Rating: 0 out of 5 stars0 ratingsIT Outsourcing Contracts: A Legal and Practical Guide Rating: 3 out of 5 stars3/5The California Privacy Rights Act (CPRA) – An implementation and compliance guide Rating: 0 out of 5 stars0 ratingsUpcoming Updates In Data Protection: Whistleblowing Channels Rating: 0 out of 5 stars0 ratingsA concise introduction to the NIS Directive: A pocket guide for digital service providers Rating: 0 out of 5 stars0 ratingsRegulating Cross-Border Data Flows: Issues, Challenges and Impact Rating: 0 out of 5 stars0 ratingsThe Cybersecurity Maturity Model Certification (CMMC) – A pocket guide Rating: 0 out of 5 stars0 ratingsCyber Security: Essential principles to secure your organisation Rating: 0 out of 5 stars0 ratingsThe Psychology of Information Security: Resolving conflicts between security compliance and human behaviour Rating: 5 out of 5 stars5/5The EU Data Protection Code of Conduct for Cloud Service Providers: A guide to compliance Rating: 0 out of 5 stars0 ratingsThe Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks Rating: 0 out of 5 stars0 ratingsGDPR-standard data protection staff training: What employees & associates need to know by Dr Paweł Mielniczek Rating: 0 out of 5 stars0 ratingsBe Cyber Secure: Tales, Tools and Threats Rating: 0 out of 5 stars0 ratingsCyber Essentials: A Pocket Guide Rating: 5 out of 5 stars5/5
Computers For You
Slenderman: Online Obsession, Mental Illness, and the Violent Crime of Two Midwestern Girls Rating: 4 out of 5 stars4/5Elon Musk Rating: 4 out of 5 stars4/5SQL QuickStart Guide: The Simplified Beginner's Guide to Managing, Analyzing, and Manipulating Data With SQL Rating: 4 out of 5 stars4/5The Hacker Crackdown: Law and Disorder on the Electronic Frontier Rating: 4 out of 5 stars4/5101 Awesome Builds: Minecraft® Secrets from the World's Greatest Crafters Rating: 4 out of 5 stars4/5Standard Deviations: Flawed Assumptions, Tortured Data, and Other Ways to Lie with Statistics Rating: 4 out of 5 stars4/5The Invisible Rainbow: A History of Electricity and Life Rating: 4 out of 5 stars4/5Mastering ChatGPT: 21 Prompts Templates for Effortless Writing Rating: 5 out of 5 stars5/5Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Rating: 4 out of 5 stars4/5CompTIA IT Fundamentals (ITF+) Study Guide: Exam FC0-U61 Rating: 0 out of 5 stars0 ratingsThe ChatGPT Millionaire Handbook: Make Money Online With the Power of AI Technology Rating: 0 out of 5 stars0 ratingsProcreate for Beginners: Introduction to Procreate for Drawing and Illustrating on the iPad Rating: 0 out of 5 stars0 ratingsAlan Turing: The Enigma: The Book That Inspired the Film The Imitation Game - Updated Edition Rating: 4 out of 5 stars4/5CompTIA Security+ Practice Questions Rating: 2 out of 5 stars2/5Childhood Unplugged: Practical Advice to Get Kids Off Screens and Find Balance Rating: 0 out of 5 stars0 ratingsGrokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Creating Online Courses with ChatGPT | A Step-by-Step Guide with Prompt Templates Rating: 4 out of 5 stars4/5Dark Aeon: Transhumanism and the War Against Humanity Rating: 5 out of 5 stars5/5AP Computer Science Principles Premium, 2024: 6 Practice Tests + Comprehensive Review + Online Practice Rating: 0 out of 5 stars0 ratingsChatGPT Ultimate User Guide - How to Make Money Online Faster and More Precise Using AI Technology Rating: 0 out of 5 stars0 ratingsThe Professional Voiceover Handbook: Voiceover training, #1 Rating: 5 out of 5 stars5/5Going Text: Mastering the Command Line Rating: 4 out of 5 stars4/5People Skills for Analytical Thinkers Rating: 5 out of 5 stars5/5How to Create Cpn Numbers the Right way: A Step by Step Guide to Creating cpn Numbers Legally Rating: 4 out of 5 stars4/5
Reviews for EU GDPR – An international guide to compliance
0 ratings0 reviews
Book preview
EU GDPR – An international guide to compliance - Alan Calder
reading
INTRODUCTION
Few companies are in favour of further regulation, but it is generally recognised that it has a role to play in keeping industries honest and protecting the populace at large. There is also a lot of opposition to particularly strong regulation, so more heavy-handed laws are often developed incrementally, which conveniently reduces the outcry at any given stage. It’s quite rare for a particularly strong regulation to come about all at once: the European Union’s General Data Protection Regulation (GDPR) is one such beast, however.
It’s not that the GDPR is unnecessary, nor that any individual requirement is particularly egregious; rather, much of the initial challenge arose because it came along all at once and potentially affected nearly every organisation in the world. The Regulation is so widely applicable, in fact, that there are likely to be legal arguments and discussions over the coming decade to determine the true extent of its powers¹. Since then, the challenge for many organisations has been to maintain compliance in the face of changing economies and the results of various legal cases, which have had some fundamental impacts on how the Regulation should be interpreted and applied.
The repercussions of failing to comply with the law are not to be sneezed at: organisations found to be in breach of the Regulation can be fined up to €20 million, or four percent of global annual turnover – whichever is greater. Needless to say, there are few companies that would be willing to take a hit of that magnitude when compliance can be achieved much more cheaply.
Equally, however, the Regulation aims to tread that line between protecting the rights of the individual and removing barriers to the free movement of personal data within the internal market
. That is, although the Regulation places limits and restrictions on the use and storage of personal data (sometimes called ‘personally identifiable information’, or PII), it does so in the interests of both keeping the EU at the forefront of the modern information economy while creating a ‘level playing field’ among EU Member States.
The organisations that appreciate this distinction – and act quickly to resolve issues and to ensure compliance with the Regulation – are those that thrive in an evolving regulatory environment.
This pocket guide aims to help your organisation thrive under the GDPR wherever you are in the world by providing you with an understanding of the Regulation, the broader principles of data protection, and what the Regulation means for businesses in Europe and beyond.
There are key terms throughout this book that need to be properly understood to really get to grips with the Regulation. These are defined in chapter 2 – Terms and definitions.
¹ There’s more on this in chapter 3 of this guide (The Regulation).
CHAPTER 1: A BRIEF HISTORY OF DATA PROTECTION
The common conception of data protection is a very modern notion. We think of digitally stored databases and records, and we understand the importance of protecting them. It’s obvious: digital records have no physical weight and can be mislaid or stolen without removing the original, and it’s easy to comprehend that such a loss could represent an enormous amount of information. This isn’t the way it’s always been, though, and even today information in other formats needs to be protected.
Possibly the earliest forms of data and privacy protection come from the professions rather than legislation itself. For instance, lawyer-client confidentiality (or legal professional privilege, as it’s called in the UK) is believed to have begun as a sort of contract between a lawyer and their client many decades (and possibly centuries) before it entered into law itself. It was introduced as a way of ensuring that a lawyer could adequately represent their clients’ interests without the client fearing legal repercussions.
Equally, the keeping of medical records and a doctor’s confidentiality were established decades ago, and, although a court could force those records to be handed over, the medical profession was otherwise expected to keep them relatively safe. Once again, this was something that the profession handled long before the law moved to codify the practice.
Under these practices, specific silos of personal information were protected according to the interests of the business: if a profession could see the business value in protecting information, it was protected. This has had to change, however, as record keeping shifted from paper to electronics and as the methods for manipulating even small elements of personal information have become more powerful, which puts all this information at risk because it now has a distinct value. Political campaigns, as a reasonably ethical example, have used increasing volumes of data to better target key demographics, define policy, manage candidates’ image and so on. On the other end of the scale, identity theft has become a significant problem that has only become a greater threat with the greater volume of information that is available.
With regard to the situation in Europe, one of the first legal protections for personal information was codified in Article 8 of the European Convention on Human Rights (ECHR)