Data Protection and Compliance, 2nd Edition

Table of contents

1. Front Cover
2. Half-Title Page
3. BCS, THE CHARTERED INSTITUTE FOR IT
4. Title Page
5. Copyright Page
6. Contents
7. List of figures and tables
8. Contributors
9. Copyright notices
10. Abbreviations
11. Preface
12. PART I THE BIG PICTURE
    1. 1. INTRODUCTION TO DATA PROTECTION
       1. What is data protection?
       2. Does data protection mean privacy?
          1. What is privacy?
          2. Are there exceptions to the right to privacy?
       3. What else should be protected?
          1. Protecting fundamental rights and freedoms (‘human rights’)
          2. Protecting the free movement of personal data (data flows, transfers and shares)
       4. The protected activities
          1. Protecting processing
          2. Protecting personal data undergoing processing
          3. Special category data (or ‘sensitive personal data’)
       5. Thematic priorities of data protection, trends and hot topics – supporting a risk-based approach
          1. AdTech and cookies
          2. Advanced technology and data processing techniques
          3. Advanced surveillance
          4. Artificial intelligence
          5. Automated facial recognition
          6. Connected vehicles
          7. Children
          8. Cybersecurity
          9. Data subject rights – timetable breaches
          10. Democracy
          11. HR problems
          12. International transfers
          13. Privacy and electronic communications (‘ePrivacy’)
          14. Profiling
          15. Virtual voice assistants
       6. Core law
          1. The UK Data Protection Act and its relationship to the GDPR and other EU law
          2. The Data Protection Convention
          3. Regulatory guidance and decisions
          4. Court judgments
          5. Related law
       7. Data protection penalties and litigation
          1. The regulatory bear market
       8. Summary
    2. 2. INTRODUCTION TO THE GDPR
       1. Brexit: the impacts for data protection and the impacts for this book
          1. The land mass in Europe to which the GDPR applies
       2. Recitals and articles of the GDPR
       3. Jurisdiction of the GDPR
          1. Nationality and location of people
          2. A.3.1 – processing in the context of EU establishments
          3. A.3.2 – targeting people in the EU
       4. Material scope of the GDPR
       5. The building blocks of the GDPR
       6. The actors
       7. Compliance framework – the standards of protection
          1. Data protection principles
          2. Lawful bases of processing
          3. Necessity
          4. Consent for processing
       8. Compliance framework – controls
          1. Appropriate technical and organisational measures
          2. Appropriate safeguards
          3. Prescribed controls
          4. Anonymisation and pseudonymisation
          5. Accountability
          6. Assessing appropriateness of controls
       9. Critical outcomes to be achieved
          1. Transparency
          2. Clarity of the lawful basis of processing
          3. Control
       10. Compensatory mechanisms to remedy non-compliance
           1. Regulator’s enforcement powers
           2. Data subjects’ enforcement powers
       11. Where the GDPR does not apply – exceptions and restrictions
           1. Domestic processing
           2. Restrictions and the UK DPA
       12. Brexit – the UK, Frozen and EU GDPR
           1. UK GDPR
           2. Frozen GDPR
           3. Brexit – international transfers of data
       13. Summary
    3. 3. INTRODUCTION TO EPRIVACY
       1. Regulating the electronic communications sector
       2. The relationship between data protection and ePrivacy
       3. The actors and protected parties
       4. Confidentiality of communications
          1. Exceptions to confidentiality
          2. Consent for storing or accessing information in terminal equipment
          3. Consent, transparency and the use of cookie notices and consent tools
          4. Types of cookies
          5. Cookies, behavioural advertising and real-time bidding
          6. Cookies and legal risk
       5. Direct marketing
          1. The position under PECR
          2. Postal direct marketing
          3. Opt-out, as a matter of law
          4. Financial penalties for direct marketing contraventions
       6. Processing of traffic data, location data and value added services
       7. Security and personal data breach notification
          1. Personal data breaches
          2. Expanded rules for breach notifications
          3. Interplay with the breach notification rules in the GDPR
       8. Calling line ID and directories of subscribers
       9. Law reform underway
       10. Summary
    4. 4. INTRODUCTION TO OPERATIONAL DATA PROTECTION
       1. Operational adequacy schemes – implementing data protection (operationalisation)
          1. Focus on operational adequacy schemes
       2. The three layers of an organisation
       3. Implementing data protection in the people layer
          1. Governance structures
          2. Steering committee
          3. Recruitment and onboarding
          4. Education and training
          5. Access rights and privileges
          6. Monitoring
          7. Worker discipline
          8. Flowing requirements to data processors
       4. Implementing data protection in the paper layer
          1. Data Protection by Design and Default (DPbDD, or PbD)
          2. Governance structures
          3. Records of processing activities
          4. Risk registers and assessment tools and methodologies
          5. Legitimate interests assessments
          6. Transfer assessments
          7. Transparency notices
          8. Contracts and similar documents
          9. Policies, procedures and controls frameworks
          10. Records of significant events
          11. Programme and project plans
          12. Technology architecture
          13. Assurance records
          14. Other mechanisms for assurance
       5. Implementing data protection in the technology and data layer
          1. Privacy Enhancing Technologies
          2. Regulatory sandboxes
          3. ‘The Journey to Code’
       6. Risk management – implementing measures to assess risks to rights and freedoms and the appropriateness of controls
          1. The adequacy test
          2. The impact of the ‘consensus of professional opinion’ – what are the risks and what should be done about them?
          3. Risk management – dealing with adverse scrutiny
       7. Globalisation – implementing data protection on an international stage
          1. International transfers – adequacy, appropriate safeguards and derogations
          2. Meaning of ‘adequacy’ for the purposes of international transfers
          3. Adequacy of the UK
          4. Appropriate safeguards
          5. Derogations
          6. Wider operational challenges of international activities
       8. Impacts for micro, small and medium-sized enterprises
          1. Size of enterprise and size of risk
          2. Financial resources, cost and risk
       9. Security and connection to wider legal and operational frameworks
       10. Summary
13. PART II CORE LAW
    1. 5. THE PRINCIPLES OF DATA PROTECTION
       1. A constant presence in data protection law
       2. The duty of compliance (accountability)
       3. Lawfulness, fairness and transparency – the first principle
          1. Lawfulness
          2. Fairness
          3. Transparency
       4. Purpose limitation – the second principle
          1. Expanded purposes – archiving in the public interest
          2. Expanded purposes – scientific and historical research
          3. Expanded purposes – statistics
          4. Compatibility
       5. Data minimisation – the third principle
       6. Accuracy – the fourth principle
       7. Storage limitation – the fifth principle
       8. Integrity and confidentiality (including security) – the sixth principle
       9. Accountability – the seventh principle
       10. Lawfulness of processing of personal data (Article 6)
           1. Categorising the lawful bases of processing
           2. Consent
           3. Contract
           4. Legal obligation
           5. Vital interests
           6. Public task
           7. Legitimate interests
       11. Lawfulness of processing – special category personal data and criminal convictions and offences
           1. The ban on processing special category personal data – enhanced sensitivity, risks and legal requirement
       12. Summary
    2. 6. THE RIGHTS OF DATA SUBJECTS
       1. Informing and empowering the protected party
       2. Transparency and information rights
          1. General obligation of transparency – GDPR A.
          2. Obtaining transparency – GDPR A.13 and
          3. The right of access to information – A.
          4. Personal data breaches – Article
       3. Rights over data processing
          1. Right to rectification – A.
          2. Right to erasure, or ‘the right to be forgotten’ – A.
          3. Right to restriction of processing – A.
          4. Right to data portability – A.
          5. Right to object – A.
          6. Right not to be subject to automated decision making, including profiling – A.
       4. Remedies and rights of redress
       5. Summary
14. PART III OPERATING INTERNATIONALLY
    1. 7. NATIONAL SUPERVISION WITHIN AN INTERNATIONAL FRAMEWORK
       1. National regulatory systems and divergences
       2. GDPR solution for international processing
       3. Establishment of supervisory authorities
          1. General conditions for members of supervisory authorities
       4. Independence
          1. Interference
       5. Supervisory authority competence
          1. Member competence
       6. Tasks
          1. Monitoring
          2. Promotion and awareness
          3. Advice and administration
          4. Rights, complaints and enforcement
          5. Powers
       7. Lead supervisory authorities
          1. Cross-border processing
          2. Cooperation and mutual assistance
          3. Choosing a lead supervisory authority
       8. Appointing an EU Representative
       9. Summary
    2. 8. TRANSFERRING DATA BETWEEN THE GDPR LAND MASS AND THIRD COUNTRIES
       1. Why regulate international transfers?
       2. What is a transfer?
       3. General principles for transfers
       4. Transfers on the basis of an adequacy decision
          1. Elements considered in assessing adequacy
          2. Adequacy decisions issued
          3. UK adequacy
          4. Partial adequacy decisions
          5. Ongoing monitoring of adequacy decisions
       5. Transfers subject to appropriate safeguards
          1. Standard contractual clauses
       6. Derogations for specific situations
          1. Relying on the derogations in practice
          2. Compelling legitimate interests
       7. Litigation on international data transfers
          1. Schrems I – Safe Harbor decision declared invalid
          2. Schrems II – Privacy Shield declared invalid and SCCs declared valid subject to certain conditions
       8. Navigating international data transfers
          1. EDPB’s six-step recommendations
          2. Supplementary measures
       9. A practical approach to international transfers
          1. Getting to know your ‘special characteristics’
          2. Understanding the ‘zone of precedent’
          3. Knowing your ‘adverse scrutineers’
          4. Achieving operational adequacy
          5. Upscaling protections
          6. Considering options for deregulatory effects
       10. Summary
    3. 9. DATA PROTECTION BEYOND THE GDPR LAND MASS
       1. Multi-jurisdictional frameworks protecting rights and freedoms including data protection
          1. The Universal Declaration of Human Rights
          2. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
          3. APEC Privacy Framework
       2. National laws beyond the GDPR land mass
          1. Notable new legislation
       3. Comparative review between the GDPR and key international laws
       4. United States
          1. California
          2. Virginia
       5. Brazil
       6. India
       7. China
       8. Data localisation
          1. Examples of localisation laws
       9. Coping strategies for organisations operating globally
          1. Examples of coping mechanisms
       10. Summary
15. PART IV DELIVERY
    1. 10. MECHANISMS TO SUPPORT OPERATIONAL COMPLIANCE
       1. Mechanisms within the GDPR
       2. Technical and organisational measures
          1. Organisational measures
          2. Technical measures
          3. Codes of conduct and certification mechanisms
          4. Risk assessments
       3. Data protection policies
          1. An overarching data protection policy
          2. Policies covering specific GDPR obligations
          3. Procedures
          4. Reflecting operational realities
       4. Records of processing activities – a baseline for accountability
          1. Minimum content of ROPAs
          2. Wider benefits of ROPAs
       5. Data Protection by Design and Default
          1. A formula for compliance
          2. Design
          3. Default
       6. Data protection impact assessment
          1. Likely to result in a high risk
          2. Minimum features of a DPIA
       7. Data protection officer
          1. Requirement to appoint a DPO
          2. Tasks of the DPO
          3. Position of the DPO
       8. Contracts
          1. Article 28 processor contracts
          2. Joint controller contracts
       9. Summary
    2. 11. PROGRAMMATIC APPROACHES FOR DELIVERING DATA PROTECTION BY DESIGN AND DEFAULT
       1. The origins of Data Protection by Design and Default
       2. Data Protection by Design and Default in the GDPR
          1. The design element
          2. The default element
       3. The need for DPbDD – compelling events that trigger data protection transformation
       4. Embarking upon a transformation journey to achieve DPbDD
          1. A vision statement – laying the foundations for DPbDD
          2. Difference between data protection programmes and projects
          3. The beginning of work – building a business case
          4. The beginning of work – developing the brief
          5. Managing the work
          6. Initiating the work
          7. The workplans and workstreams
       5. Governance frameworks required by DPbDD for accountability purposes
          1. Roles and responsibilities – who will do what?
          2. Management structures and reporting lines
          3. Setting a target operating model
       6. Summary
    3. 12. BEING ACCOUNTABLE FOR RECORDS OF PROCESSING, LEGITIMATE INTERESTS AND RISK MANAGEMENT
       1. Accountability for our decisions, actions and behaviours
       2. Accountability as a core principle of data protection
       3. Demonstrating accountability – an ongoing obligation, not a moment-in-time issue
       4. End-to-end accountability – from idea to reality
       5. Accountability in practice
          1. Records of processing activities
          2. ROPAs – continuing obligations
          3. Understanding data
          4. Producing the ROPA on request
          5. Benefits of extended records of processing – going beyond A.
          6. Developing records of processing – discovery and analysis
          7. Technology-assisted data discovery
          8. ROPAs and Data Protection by Design and Default
          9. Gated development – upskilling
          10. Organisation type
          11. A combination of all the above
          12. Exemptions
       6. Being accountable for legitimate interests
          1. Being accountable for the balancing exercise
          2. Considerations within legitimate interests
          3. Legitimate interests and the right to object to direct marketing
          4. Legitimate interests and data subject rights
       7. Being accountable for risk management
          1. Being accountable for ATOM
          2. Risk of failure baked into design
          3. Being accountable for the 4-Ts
          4. Being accountable for embedding data protection risk management into change methodologies
          5. Being accountable for recognised controls
          6. Being accountable for assurance
       8. Being accountable for adverse scrutiny
       9. Being accountable for an accumulation of evidence
          1. Production of evidence under pressure and scenario testing
       10. Summary
    4. 13. ‘THE JOURNEY TO CODE’
       1. The Journey to Code – working towards achieving compliance within technology and data themselves
       2. The Journey has commenced
       3. The nature of the problem
          1. Email example
          2. Malicious technology and code
       4. A technology reference architecture for The Journey to Code
          1. The Core Privacy Technology Value Chain
       5. Privacy management technology
          1. The rise of privacy management technologies
          2. Arguments for the use of privacy management technology
          3. Drawbacks associated with privacy management technology
       6. Data intelligence technology
          1. Native and third-party data intelligence technology
          2. Third-party integrated data intelligence technology
       7. Principles and rights technology
       8. Producers of technology and data processing systems
          1. A regulatory gap
          2. Solutions to the regulatory gap
          3. The risk of a litigation culture emerging
       9. What comes next on The Journey to Code?
          1. ‘Your mission, should you choose to accept it’
       10. Summary
16. PART V ADVERSE SCRUTINY
    1. 14. HOW TO PREPARE FOR THE RISKS OF CHALLENGE AND ‘ADVERSE SCRUTINY’
       1. Challenge and scrutiny are inevitable
       2. Challenge and scrutiny designed into regulatory law
          1. Adverse scrutiny
          2. The supervisory authority
          3. The data subject
          4. A legal duty to understand the risks of challenge and scrutiny
       3. The continuum of challenge and scrutiny
          1. Why a continuum?
          2. Examples of internal challengers and scrutineers
          3. Moral spectrum
          4. Examples of external challengers and scrutineers
       4. Modelling challenge and scrutiny risks
          1. Situations in the GDPR calling for risk assessments
          2. Risk scenarios and context-specific risk modelling
          3. The special characteristics and how they relate to modelling
          4. Modelling – challenge and scrutiny as reactive events
          5. Tiers of visibility – catalysts of challenge and scrutiny
          6. Modelling the domino effect of challenge and scrutiny
          7. Other interests to be considered when modelling challenge and scrutiny risks
       5. The relative impacts of challengers and scrutineers
          1. The impacts of data subject challenge and scrutiny
          2. Privacy activists
          3. The impacts of data protection regulators
       6. Outcomes versus structures and artefacts
          1. Examples of structures and artefacts
          2. Root cause analysis for operational failure
          3. Confidence testing and sentiment analysis
       7. Summary
    2. 15. COMPLAINTS, RIGHTS REQUESTS, REGULATORY INVESTIGATIONS AND LITIGATION
       1. Awareness levels driving scrutiny and challenge
       2. Accountability
          1. Accounting for readiness to deal with challenge and scrutiny
       3. Dealing with complaints
          1. Point of contact
          2. Managing complaints and concerns received direct from data subjects
          3. Managing complaints escalated to a supervisory authority
          4. How to respond
       4. Dealing with regulatory investigations (investigatory powers)
          1. Information Notices
          2. Assessment Notices
          3. Investigations and prosecutions of criminal offences
       5. Exercise of data subject rights
          1. Escalation of problems – rights requests leading to adversity
          2. Timing
          3. Extensions
          4. Manifestly unfounded or excessive requests
          5. Compliance orders
       6. Litigation
          1. Subject access and litigation
          2. Data protection and litigation
          3. Compensation and liability
          4. Mass claims
       7. Summary
    3. 16. REGULATORY ACTION
       1. The impacts of national laws and other contingencies on GDPR enforcement powers
       2. When can regulatory powers be used?
          1. The investigatory phase of regulatory action
       3. Powers in Article
          1. Warnings of potential infringements – action to prevent things going wrong
          2. Reprimands
          3. Enforcement Notices
          4. Withdrawal of certification
          5. Financial penalties
       4. Determination of penalties
          1. Mitigating factors
       5. Reputational impact
       6. Appeals against regulatory action
       7. Preparing for the risk of regulatory action
          1. Preparation through understanding the true extent of regulator powers – privilege example
          2. Disposition – the stance and style to adopt when faced with regulatory action
       8. Summary
    4. 17. HANDLING PERSONAL DATA BREACHES
       1. The legal obligation to be secure
          1. Relationship to ePrivacy
          2. Relationship to cybersecurity
          3. The protections to be achieved under GDPR A.5.1.f
          4. Protections to be achieved under GDPR A.
          5. Security of the full data processing environment
          6. Processing data for security purposes as a legitimate interest
          7. Accountability for security
       2. Operational security
          1. Expanded requirements for security found outside the GDPR
          2. The state of the art
          3. Costs of implementation
          4. The nature, scope, context and purpose of processing
          5. The risks of varying likelihood and severity
          6. Required outcomes
          7. Appropriateness – what risks will the law tolerate?
       3. Personal data breaches, breach notification and communications
          1. Philosophies within breach notification and communications – transparency and its effects
          2. Personal data breach definition
          3. Breach of security
          4. Incident detection and response
          5. Types of personal data breaches – risks to rights and freedoms
          6. Timetables for notification and communications
          7. Risks to rights and freedoms and the carve-out for encrypted data
          8. Interests of law enforcement
          9. A.34 communications and disproportionate effort
          10. Contents of notifications and communications
          11. Ordering A.34 communications
          12. Breach logs
       4. Summary
17. Glossary
18. Index
19. Back Cover