Data Protection and Compliance : Second edition.
Title:
Data Protection and Compliance : Second edition.
Author:
Room, Stewart.
ISBN:
9781780175263
Edition:
2nd ed.
Physical Description:
1 online resource (543 pages)
Contents:
  Front Cover
  Half-Title Page
  BCS, THE CHARTERED INSTITUTE FOR IT
  Title Page
  Copyright Page
  Contents
  List of figures and tables
  Contributors
  Copyright notices
  Abbreviations
  Preface

PART I THE BIG PICTURE

  1. INTRODUCTION TO DATA PROTECTION
    What is data protection?
    Does data protection mean privacy?
    What is privacy?
    Are there exceptions to the right to privacy?
    What else should be protected?
    Protecting fundamental rights and freedoms ('human rights')
    Protecting the free movement of personal data (data flows, transfers and shares)
    The protected activities
    Protecting processing
    Protecting personal data undergoing processing
    Special category data (or 'sensitive personal data')
    Thematic priorities of data protection, trends and hot topics - supporting a risk-based approach
    AdTech and cookies
    Advanced technology and data processing techniques
    Advanced surveillance
    Artificial intelligence
    Automated facial recognition
    Connected vehicles
    Children
    Cybersecurity
    Data subject rights - timetable breaches
    Democracy
    HR problems
    International transfers
    Privacy and electronic communications ('ePrivacy')
    Profiling
    Virtual voice assistants
    Core law
    The UK Data Protection Act and its relationship to the GDPR and other EU law
    The Data Protection Convention
    Regulatory guidance and decisions
    Court judgments
    Related law
    Data protection penalties and litigation
    The regulatory bear market
    Summary

  2. INTRODUCTION TO THE GDPR
    Brexit: the impacts for data protection and the impacts for this book
    The land mass in Europe to which the GDPR applies
    Recitals and articles of the GDPR
    Jurisdiction of the GDPR
    Nationality and location of people
    A.3.1 - processing in the context of EU establishments
    A.3.2 - targeting people in the EU
    Material scope of the GDPR
    The building blocks of the GDPR
    The actors
    Compliance framework - the standards of protection
    Data protection principles
    Lawful bases of processing
    Necessity
    Consent for processing
    Compliance framework - controls
    Appropriate technical and organisational measures
    Appropriate safeguards
    Prescribed controls
    Anonymisation and pseudonymisation
    Accountability
    Assessing appropriateness of controls
    Critical outcomes to be achieved
    Transparency
    Clarity of the lawful basis of processing
    Control
    Compensatory mechanisms to remedy non-compliance
    Regulator's enforcement powers
    Data subjects' enforcement powers
    Where the GDPR does not apply - exceptions and restrictions
    Domestic processing
    Restrictions and the UK DPA
    Brexit - the UK, Frozen and EU GDPR
    UK GDPR
    Frozen GDPR
    Brexit - international transfers of data
    Summary

  3. INTRODUCTION TO EPRIVACY
    Regulating the electronic communications sector
    The relationship between data protection and ePrivacy
    The actors and protected parties
    Confidentiality of communications
    Exceptions to confidentiality
    Consent for storing or accessing information in terminal equipment
    Consent, transparency and the use of cookie notices and consent tools
    Types of cookies
    Cookies, behavioural advertising and real-time bidding
    Cookies and legal risk
    Direct marketing
    The position under PECR
    Postal direct marketing
    Opt-out, as a matter of law
    Financial penalties for direct marketing contraventions
    Processing of traffic data, location data and value added services
    Security and personal data breach notification
    Personal data breaches
    Expanded rules for breach notifications
    Interplay with the breach notification rules in the GDPR
    Calling line ID and directories of subscribers
    Law reform underway
    Summary

  4. INTRODUCTION TO OPERATIONAL DATA PROTECTION
    Operational adequacy schemes - implementing data protection (operationalisation)
    Focus on operational adequacy schemes
    The three layers of an organisation
    Implementing data protection in the people layer
    Governance structures
    Steering committee
    Recruitment and onboarding
    Education and training
    Access rights and privileges
    Monitoring
    Worker discipline
    Flowing requirements to data processors
    Implementing data protection in the paper layer
    Data Protection by Design and Default (DPbDD, or PbD)
    Governance structures
    Records of processing activities
    Risk registers and assessment tools and methodologies
    Legitimate interests assessments
    Transfer assessments
    Transparency notices
    Contracts and similar documents
    Policies, procedures and controls frameworks
    Records of significant events
    Programme and project plans
    Technology architecture
    Assurance records
    Other mechanisms for assurance
    Implementing data protection in the technology and data layer
    Privacy Enhancing Technologies
    Regulatory sandboxes
    'The Journey to Code'
    Risk management - implementing measures to assess risks to rights and freedoms and the appropriateness of controls
    The adequacy test
    The impact of the 'consensus of professional opinion' - what are the risks and what should be done about them?
    Risk management - dealing with adverse scrutiny
    Globalisation - implementing data protection on an international stage
    International transfers - adequacy, appropriate safeguards and derogations
    Meaning of 'adequacy' for the purposes of international transfers
    Adequacy of the UK
    Appropriate safeguards
    Derogations
    Wider operational challenges of international activities
    Impacts for micro, small and medium-sized enterprises
    Size of enterprise and size of risk
    Financial resources, cost and risk
    Security and connection to wider legal and operational frameworks
    Summary

PART II CORE LAW

  5. THE PRINCIPLES OF DATA PROTECTION
    A constant presence in data protection law
    The duty of compliance (accountability)
    Lawfulness, fairness and transparency - the first principle
    Lawfulness
    Fairness
    Transparency
    Purpose limitation - the second principle
    Expanded purposes - archiving in the public interest
    Expanded purposes - scientific and historical research
    Expanded purposes - statistics
    Compatibility
    Data minimisation - the third principle
    Accuracy - the fourth principle
    Storage limitation - the fifth principle
    Integrity and confidentiality (including security) - the sixth principle
    Accountability - the seventh principle
    Lawfulness of processing of personal data (Article 6)
    Categorising the lawful bases of processing
    Consent
    Contract
    Legal obligation
    Vital interests
    Public task
    Legitimate interests
    Lawfulness of processing - special category personal data and criminal convictions and offences
    The ban on processing special category personal data - enhanced sensitivity, risks and legal requirement
    Summary

  6. THE RIGHTS OF DATA SUBJECTS
    Informing and empowering the protected party
    Transparency and information rights
    General obligation of transparency - GDPR A.
    Obtaining transparency - GDPR A.13 and
    The right of access to information - A.
    Personal data breaches - Article
    Rights over data processing
    Right to rectification - A.
    Right to erasure, or 'the right to be forgotten' - A.
    Right to restriction of processing - A.
    Right to data portability - A.
    Right to object - A.
    Right not to be subject to automated decision making, including profiling - A.
    Remedies and rights of redress
    Summary

PART III OPERATING INTERNATIONALLY

  7. NATIONAL SUPERVISION WITHIN AN INTERNATIONAL FRAMEWORK
    National regulatory systems and divergences
    GDPR solution for international processing
    Establishment of supervisory authorities
    General conditions for members of supervisory authorities
    Independence
    Interference
    Supervisory authority competence
    Member competence
    Tasks
    Monitoring
    Promotion and awareness
    Advice and administration
    Rights, complaints and enforcement
    Powers
    Lead supervisory authorities
    Cross-border processing
    Cooperation and mutual assistance
    Choosing a lead supervisory authority
    Appointing an EU Representative
    Summary

  8. TRANSFERRING DATA BETWEEN THE GDPR LAND MASS AND THIRD COUNTRIES
    Why regulate international transfers?
    What is a transfer?
    General principles for transfers
    Transfers on the basis of an adequacy decision
    Elements considered in assessing adequacy
    Adequacy decisions issued
    UK adequacy
    Partial adequacy decisions
    Ongoing monitoring of adequacy decisions
    Transfers subject to appropriate safeguards
    Standard contractual clauses
    Derogations for specific situations
    Relying on the derogations in practice
    Compelling legitimate interests
    Litigation on international data transfers
    Schrems I - Safe Harbor decision declared invalid
    Schrems II - Privacy Shield declared invalid and SCCs declared valid subject to certain conditions
    Navigating international data transfers
    EDPB's six-step recommendations
    Supplementary measures
    A practical approach to international transfers
    Getting to know your 'special characteristics'
    Understanding the 'zone of precedent'
Abstract:
This comprehensive guide for those with little or no legal knowledge provides detailed analysis of current data protection laws. It enables the reader to operationalise a truly risk-based approach to data protection and compliance, beyond just emphasis on regulatory frameworks and legalistic compliance.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2022. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.