Intro to GDPR - Punit Bhatia - E-Book

Intro to GDPR E-Book

Punit Bhatia

19,90 €

Description

Intro to GDPR is written by experienced data protection professional Punit Bhatia. Bhatia has served as the Privacy and Protection Officer in an EU-based bank and as a lecturer at the Solvay Brussels School of Economics and Management. He is a Certified Information Privacy Professional – Europe (CIPP-E), Certified Information Privacy Manager (CIPM), and Certified Outsourcing Professional (COP).


Bhatia will lead you through the complex journey to GDPR compliance in simple language and with many practical examples. Whether you are a complete beginner or an experienced data protection practitioner, this book is the right resource for you.


Intro to GDPR is a complete guide to compliance. Bhatia uses simple language, understandable to everyone, to lead you from the introduction all the way to getting your organization GDPR compliant. In this book you will learn:


1. Which organisations need to be compliant with the GDPR?


2. Key terms in the GDPR. You will get familiarised with the key terms that form the basis of the GDPR. You will learn the definitions of terms such as “Personal data”, “Special categories of personal data” and “Processing”, the difference between the terms “Controller” and “Processor”, and others.


3. Myths about the GDPR like “the GDPR is only applicable in the EU”, “The GDPR is about fines” and others.


4. Transparency through the privacy notice. As written in the book, “transparency is one of the key principles in the EU GDPR”, so it is important to understand what transparency and a privacy notice are, as well as the key requirements and contents of a privacy notice.


5. Data breaches. “GDPR requirements on data breaches are different for controllers and for processors” – this chapter will make you aware of data breach requirements and key actions that are required once a breach is detected.


6. What is the first thing to do to become compliant and what are the key factors to remain compliant with the GDPR, and much more.


Written in plain English, with many practical examples, Intro to GDPR is the only book you need on the subject of GDPR.

You can read the e-book in the Legimi apps or in any app that supports the following format:

EPUB

Page count: 145

Publication year: 2018




Punit Bhatia

Intro to GDPR

A Plain English Guide to Compliance

Copyright ©2018 by Advisera Expert Solutions Ltd

All rights reserved. No part of this book may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without written permission from the author, except for the inclusion of brief quotations in a review.

Limit of Liability / Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representation or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. This book does not contain all information available on the subject. This book has not been created to be specific to any individual’s or organisation’s situation or needs. You should consult with a professional where appropriate. The author and publisher shall have no liability or responsibility to any person or entity regarding any loss or damage incurred, or alleged to have been incurred, directly or indirectly, by the information contained in this book.

First published by Advisera Expert Solutions Ltd
Zavizanska 12, 10000 Zagreb
Croatia
European Union
http://advisera.com/

Editor: Dejan Kosutic.

ISBN: 978-953-8155-18-51

ABOUT THE AUTHOR

Punit Bhatia is a senior professional with more than 18 years of experience in executing change and leading transformation initiatives. Across three continents, Punit has led projects and programs of varying complexity in business and technology. Across multiple industries, he has experience on both sides of the table; i.e., he has served as a consultant who worked for IT consulting companies, and as a key influencer and driver who has defined and delivered change for large enterprises. He has proven expertise in the areas of data privacy, sourcing and vendor management, and digital transformation.

In the last three years, Punit has advised and driven multiple initiatives to ensure compliance with the EU General Data Protection Regulation (GDPR). Part of this effort has involved attending multiple events, exchanging implementation approaches and dialogue with many experts. Based on these experiences, he is an active speaker or panellist at many different GDPR and sourcing events. Punit is also the author of another book: “Be Ready for GDPR”, which is available on Amazon in print and e-formats.

An engineer and MBA by qualification, Punit is a Certified Information Privacy Professional – Europe (CIPP-E), a Certified Information Privacy Manager (CIPM), and a Certified Outsourcing Professional (COP). Punit delivers guest lectures at Solvay Brussels School of Economics and Management on topics of privacy and sourcing.

TABLE OF CONTENTS

ABOUT THE AUTHOR

ACKNOWLEDGEMENTS

1. INTRODUCTION

1.1 WHICH ORGANISATIONS NEED TO BE COMPLIANT WITH THE GDPR?

1.2 THE POSITIVE SIDE OF THE GDPR

1.3 HOW IS THIS BOOK STRUCTURED?

1.4 WHO IS THIS BOOK FOR?

1.5 ADDITIONAL RESOURCES

2. ORIGIN OF PRIVACY AND GDPR BASICS

2.1 INTRODUCTION

2.2 HISTORY OF PRIVACY

2.3 WHAT IS THE GDPR?

2.4 OBJECTIVES OF THE GDPR

2.5 WHO DOES THE GDPR APPLY TO?

2.6 RELATED FRAMEWORKS (ISO 27001 AND OTHER)

2.7 E-PRIVACY REGULATION

2.8 KEY TERMS IN THE GDPR

2.9 MYTHS ABOUT THE GDPR

2.10 BUSINESS ACTIVITIES THAT ARE MOST IMPACTED BY THE GDPR

2.11 SUCCESS FACTORS

3. LEGITIMATE PURPOSES, PRINCIPLES AND ROLES

3.1 INTRODUCTION

3.2 LEGITIMATE PURPOSES OF PROCESSING PERSONAL DATA

3.3 PRINCIPLES

3.4 SUCCESS FACTORS

4. TRANSPARENCY THROUGH THE PRIVACY NOTICE

4.1 INTRODUCTION

4.2 WHAT IS MEANT BY TRANSPARENCY?

4.3 WHAT IS A PRIVACY NOTICE OR STATEMENT?

4.4 WHO IS THE PRIVACY NOTICE MEANT FOR?

4.5 WHAT ARE THE KEY REQUIREMENTS FOR A PRIVACY NOTICE?

4.6 WHAT ARE THE CONTENTS OF A PRIVACY NOTICE?

4.7 WHO ARE THE KEY CONTRIBUTORS TO A PRIVACY NOTICE?

4.8 HOW OFTEN SHOULD THIS BE UPDATED?

4.9 SUCCESS FACTORS

5. INVENTORY OF PROCESSING ACTIVITIES AND RETENTION

5.1 INTRODUCTION

5.2 INVENTORY OF PROCESSING ACTIVITIES – WHAT, AND WHY?

5.3 RETENTION OF PERSONAL DATA – WHAT, AND WHY?

5.4 FULFILLING INVENTORY AND RETENTION REQUIREMENTS – WHO, AND HOW?

5.5 SUCCESS FACTORS

6. DATA SUBJECT ACCESS RIGHTS AND CONSENT

6.1 INTRODUCTION

6.2 CONSENT – WHAT IS IT?

6.3 WHAT ARE THE KEY REQUIREMENTS RELATED TO CONSENT?

6.4 WHO IS RESPONSIBLE FOR SEEKING CONSENT?

6.5 WHO ARE THE DATA SUBJECTS WHO NEED TO PROVIDE CONSENT?

6.6 WHAT ARE THE SCENARIOS IN WHICH CONSENT MAY BE REQUIRED?

6.7 DATA SUBJECT ACCESS RIGHTS

6.8 WHO CAN MAKE A REQUEST IN LINE WITH DATA SUBJECT ACCESS RIGHTS?

6.9 HOW CAN A DATA SUBJECT MAKE A REQUEST IN LINE WITH DATA SUBJECT ACCESS RIGHTS?

6.10 HOW LONG CAN A COMPANY TAKE TO ANSWER A DSAR?

6.11 CAN THE DATA SUBJECT BE CHARGED FOR A DSAR?

6.12 HOW SHOULD A DSAR BE HANDLED?

6.13 ARE THERE ANY EXEMPTIONS WHEN ANSWERING A DSAR?

6.14 CAN A DSAR BE REJECTED?

6.15 SUCCESS FACTORS

7. DATA PROTECTION IMPACT ASSESSMENT

7.1 INTRODUCTION

7.2 WHAT IS A DATA PROTECTION IMPACT ASSESSMENT?

7.3 WHAT IS THE PURPOSE OF A DPIA?

7.4 WHEN SHOULD A DPIA BE CONDUCTED?

7.5 WHAT ARE THE STEPS OF A DPIA, AND WHO SHOULD CONDUCT IT?

7.6 SUCCESS FACTORS

8. DATA SECURITY AND PRIVACY BY DESIGN

8.1 INTRODUCTION

8.2 WHAT IS PRIVACY BY DESIGN?

8.3 WHAT ARE THE CONSEQUENCES OF PRIVACY BY DESIGN?

8.4 WHAT ARE THE POLICIES THAT SHOULD BE IMPLEMENTED TO ENSURE SECURITY OF PERSONAL DATA?

8.5 BEST PRACTICES TO IMPLEMENT PRIVACY BY DESIGN POLICIES

8.6 SUCCESS FACTORS

9. PERSONAL DATA TRANSFERS AND MANAGING THIRD PARTIES

9.1 INTRODUCTION

9.2 WHAT IS MEANT BY DATA TRANSFERS?

9.3 WHAT ARE THE REQUIREMENTS WHEN TRANSFERRING DATA, BOTH IN THE EU AND OUTSIDE OF THE EU?

9.3.1 HOW CAN DATA TRANSFERS BE ENABLED?

9.3.2 HOW TO MANAGE THIRD PARTIES

9.3.3 MANAGING EXISTING THIRD PARTIES

9.4 HANDLING NEW CONTRACTS WITH THIRD PARTIES

9.5 SUCCESS FACTORS

10. DATA BREACHES

10.1 INTRODUCTION

10.2 WHAT IS A DATA BREACH, AND WHAT ARE THE FINES RELATED TO A DATA BREACH?

10.3 WHAT ARE THE CONTENTS OF A DATA BREACH NOTIFICATION?

10.4 HOW SHOULD A PERSONAL DATA BREACH BE REPORTED?

10.5 WHAT SHOULD BE DONE ONCE A DATA BREACH IS IDENTIFIED?

10.6 INFORMING SUPERVISORY AUTHORITIES AND DATA SUBJECTS

10.7 WHAT SHOULD BE DONE AFTER A DATA BREACH?

10.8 SUCCESS FACTORS

11. DATA PROTECTION OFFICER

11.1 INTRODUCTION

11.2 WHAT IS THE DPO ROLE, AND WHY IS IT NEEDED?

11.3 WHAT ARE THE RESPONSIBILITIES OF A DPO?

11.4 CAN YOU HIRE AN EXTERNAL DPO?

11.5 IMPORTANT TO NOTE IF YOU CHOSE TO APPOINT A DPO

11.6 SUCCESS FACTORS

12. GETTING YOUR ORGANISATION TO GDPR COMPLIANCE

12.1 INTRODUCTION

12.2 WHAT IS THE FIRST THING TO DO?

12.3 WHO ARE THE KEY STAKEHOLDERS?

12.4 ESTABLISH THE PROJECT

12.5 CHOOSING AN EXTERNAL CONSULTANT

12.6 GDPR READINESS ASSESSMENT

12.7 IDENTIFY RISKS AND MAKE A PLAN

12.8 DEFINE A DATA PROTECTION POLICY

12.9 COMMUNICATION

12.10 AWARENESS AND TRAINING

12.11 KEY SUCCESS FACTORS TO REMAIN COMPLIANT WITH THE GDPR

12.12 REVIEW AWARENESS ON PRIVACY AND PROTECTION MATTERS

12.13 INTERNAL OR EXTERNAL AUDIT

12.14 REGULAR REVIEWS AND CONTINUAL IMPROVEMENT

12.15 KEEP LOOKING FORWARD

12.16 SUCCESS FACTORS

APPENDIX A – PROJECT CHECKLIST FOR EU GDPR IMPLEMENTATION

APPENDIX B – DIAGRAM OF THE EU GDPR IMPLEMENTATION PROCESS

APPENDIX C – KEY DELIVERABLES FOR COMPLIANCE WITH GDPR

BIBLIOGRAPHY

ACKNOWLEDGEMENTS

Thank you to Namita Bhatia (my wife), for being patient with my ideas.

To Yash Bhatia (my son), for bringing new ideas and energy into my life.

And to Dejan Kosutic, for reviewing this book and improving it.

And, special thanks go to all my family, colleagues and friends who stand by me, work with me, and challenge me to learn every day. I also take this opportunity to thank Advisera for publishing this book.

1. INTRODUCTION

The European Union General Data Protection Regulation (GDPR) is a key regulation in the field of privacy. So, in this section, we’ll cover the following:

Which companies need to be compliant with GDPR?

How is this book structured?

Who is this book for?

Note: Beyond the above questions, this book elaborates on the key requirements of GDPR and provides a simple introduction to setting and monitoring your GDPR compliance project.

1.1 Which organisations need to be compliant with the GDPR?

The General Data Protection Regulation is a significant piece of legislation, applicable to the processing of personal data of individuals in the European Union. The key to understanding when the EU GDPR is applicable is to understand the meaning of “in the Union”. The EU GDPR will only apply to personal data about individuals within the Union, and the nationality or habitual residence of those individuals is irrelevant.

This implies that, for example, where a U.S. company processes personal information of EU citizens in the U.S. for a service provided in the U.S., the EU GDPR would not be applicable to that company. However, if the same company processes personal information of EU citizens, or of any other persons presently in the EU, for a service provided in the EU, the EU GDPR would be applicable to the company. So, irrespective of whether your organisation is based in Asia, Australia, America or any other continent, the GDPR may apply if your company provides services to, and / or processes the personal data of, individuals in the EU.

Some of the most commonly impacted industries and organisations include:

Industries that provide services to individual customers: Industries wherein the core business is to provide services to individual customers generally include the processing of personal data on a large scale. These industries would include financial services, insurance, retail, etc. All of these companies would need to take significant steps to comply with the EU GDPR.

Industries that provide marketing, business, process and system support services: A significant number of organisations provide business, process or system management services. All of these companies will become processors of personal data on behalf of their controllers (by whom they are contracted). While their controllers need to be GDPR-compliant, the GDPR also demands that processors be compliant, and they have the same liability if they do not fulfil this obligation. These organisations will include cloud-based services, platform-based services, law services, analytics, event management, marketing companies, etc.

Automobile industry: Most automobile manufacturers love to collect and process personal data about who buys their products. But, with the GDPR being applicable, these companies would need to be more transparent with regard to what data they have, what they do with it, and why.

Professional organisations: Most clubs or member organisations like football clubs, fitness clubs, golf clubs, tennis clubs, etc. collect the personal data of their members. At present, these organisations may not be transparent about what they collect and why; but, with GDPR coming into effect, the transparency requirements shall apply to these companies if their members are in the EU.

Non-profit organisations and charities: Charities and non-profit organisations usually collect personal data. In some cases, they also keep information about the bank details of their members. At present, these organisations may not be obliged to disclose what personal data they collect and why, but with the GDPR coming into effect, the transparency requirements shall also apply to these companies if their members are in the EU.

In short, the GDPR shall apply to your organisation if you process personal data of individuals in the EU, irrespective of what industry the company may be operating in. The only things that shall matter are whether the individuals are in the EU or not, and whether the data being collected or handled is personal or not.

1.2 The positive side of the GDPR

While the GDPR applies to most organisations, the benefits a company can achieve by taking steps towards compliance are often misunderstood. Some examples of GDPR requirements and their benefits include:

Make a register of data processing. That is, list what personal data is being captured, as well as when, for what purpose, and so on. This will bring a lot of insight into the data that exists in your company. Once your company knows all this, your investments into data analytics will become much more valuable than the typical current approach of taking your CRM systems and starting to analyse them.

Demonstrate transparency. Specify what data you collect, why you collect it and how you process it. Again, doing so requires a huge effort, but once done correctly, your customers will have a lot of trust in what you do and why. Once they understand this, and feel confident about your approach, they should trust your company more. And, we all know that customer trust is one of the core elements in the growth of any business.

Minimise the data that is collected. Now, this is easier said than done, but if a company really invests in minimising the data that is being collected, there can be immense benefits: business processes will become efficient, the costs of storing data will be reduced because you reduce the data that is captured, and so on.

Secure the personal data. Security of data has always been a big topic, but not every company has done enough. Now, the GDPR asks for ensuring the security of personal data, and if this is done well, it should reduce the number of personal data breaches. And, if the number of breaches is reduced, it is certainly very good for business when examined through cost, reputation, and many other perspectives.

The GDPR is not about fines, but about being transparent and accountable while protecting personal data. If you do this well, your company has an opportunity to increase customer trust, generate more business and reduce threats of personal data breaches. So, next time you have a conversation about the GDPR, start with why it will be good for your business. And, being in business yourself, you should be able to think of many more reasons than the ones listed above.

1.3 How is this book structured?

Before we begin, I would like to suggest two points that will greatly increase the value you get from this book. First and foremost, I want to emphasise that this is not a book that you read once and then forget about. To begin, read it completely once; then, refer back as you start your GDPR compliance journey.

Second, I would like to make it explicit that this is not legal advice; rather, this is my personal perspective on the GDPR for anyone willing to learn about the regulation. The content in this book is not my experience with any one organisation for which I work or have worked; it is the sum total of what I have observed and learned throughout my career thus far. Hence, expect this to provide you with general information about the GDPR and ideas on how best to implement GDPR compliance.

To make it easier for you, each chapter ends with a section called “Success factors”, which will assist you in implementing the GDPR quickly and more effectively through key actions you may take. Some chapters also include a “Free tool tip”, which provides a link to a completely free tool that will help you on your way toward compliance.

And, if you use this book as intended, I am confident that you will gain a better understanding of the GDPR and decide on the best compliance approach for your company.

1.4 Who is this book for?

Company executives are becoming increasingly concerned about the impact of the new General Data Protection Regulation that takes effect on 25 May 2018. Most of them understand that this new law will have a huge impact, but the extent and areas of impact are not always clear. In such situations, you need a simple and easy-to-follow explanation of the core requirements of the GDPR. Ideally, this information should include actionable suggestions. If you find yourself in need of this sort of help, then this book is your solution.

The ideal reader of this book is any person who seeks to understand the General Data Protection Regulation from a perspective of understanding core requirements. The book is particularly suited for persons in companies aspiring to become GDPR-compliant.

1.5 Additional resources

Here are some resources that will help you, together with this book, to learn about the GDPR:

EU GDPR online courses – free online courses that will teach you GDPR basics.

EU GDPR free downloads – a collection of white papers, checklists, diagrams, templates, etc.

EU GDPR tools – a couple of free tools like the EU GDPR Readiness Assessment Tool and the full text of the EU GDPR.

Conformio