Cover: GDPR For Dummies by Suzanne Dibble

Introduction

The General Data Protection Regulation — the GDPR — seeks to unify data protection legislation across Europe. It is the successor to the 1995 EU Data Protection Directive and came into effect on May 25, 2018.

A complex regulation running to 88 pages, with 11 chapters, 99 articles (which set out the compliance requirements), and 173 recitals (which provide context to the articles), the GDPR might not be something you care to read.

I was inspired to write this book — designed to help anyone who needs to quickly and easily come to grips with the GDPR and related data-protection legislation — following the success of my Facebook group, GDPR for Online Entrepreneurs. (I tell you more about that topic later in this introduction.) In this group, the largest social media group on the topic of the GDPR, I have been able to help tens of thousands of small-business owners via my numerous video guides, online training sessions, and live Q&As.

Although the Facebook group has helped many thousands of small-business owners around the world understand the GDPR and how to implement compliance in their own organization, I know that many more still need help. Some aren’t on Facebook, some will never find my group, and some prefer a comprehensive book over watching videos.

It is my hope that, in writing this book, I can help many more tens of thousands (and maybe someday, hundreds of thousands) when dealing with the complex set of issues associated with the GDPR.

About This Book

The book explains the complexities of the GDPR in language that anyone can understand. It is practical, it is relevant, and it is comprehensive. If you’re processing personal data — whether you’re part of a company, a charity, or an association — this is the book for you.

Due to its ease of reading and the comprehensive nature of the book, the book may be not only a useful guide for small-business owners, charities, and associations but also a useful resource for Data Protection Officers (or anyone responsible for data processing) of larger companies.

Warning Although reading this book might save you the headache of reading the entire text of the GDPR, you might still need to obtain legal advice concerning certain activities related to achieving and maintaining GDPR compliance.

Foolish Assumptions

If you’re reading this book, I assume the following about you (issues that relate to the material scope of the GDPR, which is a topic I discuss further in Chapter 2):

  • You either run your own business (or an association or a charity) or work for one and are to some extent the responsible party when it comes to data protection.
  • You process personal data in an automated way or as part of a manual filing system.

Note: If you process personal data purely as part of a personal or household activity, you need not read this book, because the GDPR doesn’t apply to you.

The following list shows what I’ll ask you not to assume, to help you begin to understand how the GDPR works and when it applies to you:

  • Territorial scope of the GDPR: Don’t assume that, just because you’re established outside the EU, the GDPR doesn’t apply to you. If either of the following bullet items applies to you, the GDPR applies to you:
    • You offer goods or services (whether payment is required or not) to data subjects within the EU.
    • You monitor the behavior of data subjects in the EU — for example, by using tracking cookies.
  • Size threshold for the GDPR: Don’t assume, because your company, charity, or association is very small, that the GDPR doesn’t apply to you. No threshold of size dictates whether the GDPR applies. There are derogations (exemptions) for certain GDPR obligations for organizations that employ more than 250 employees, but many people confuse this with an absolute exemption from the application of the GDPR. That is not the case.
  • Compliance: If the GDPR does apply to you, don’t assume that you can play fast and loose with the rules and never be fined, or that you can ignore the rules because your competitors aren’t compliant. Supervisory authorities respond to complaints; if they investigate you and find non-compliance, they have a wide range of sanctions at their disposal. (See Chapter 21 for more on this topic.)

    Equally, don’t assume the worst because a complaint has been made. If you cooperate with the supervisory authority and show that you have been trying to become compliant, you will in all likelihood be spared a fine. If you bury your head in the sand and ignore the GDPR, however, the supervisory authorities won’t hesitate to use the full sanctions at their disposal.

  • Investment to become compliant: You may not be overjoyed about having to find the time to learn about the GDPR and then implement compliance, but it’s important, and it’s necessary. Yet you don’t have to spend a fortune on expensive lawyers and you don’t need to become an expert on the GDPR.

    If you put aside just a few days to read this book, buy my GDPR Compliance Pack (find out more about this later in the Introduction), and put in place the necessary documents, you will be in good shape to fend off complaints, cope with regulatory investigations, avoid fines, and develop customer loyalty by respecting their data.

  • People don’t care about compliance: At a talk I gave at the DigitalMarketer Internet marketing conference in San Diego about the GDPR and the new ePrivacy Regulation (see Appendix A for more on the ePrivacy Directive), I shared research from a report by Acxiom, which surveyed over 10,000 people in ten different countries. The report shows that the vast majority of people are very concerned about the issue of online privacy.

    So, don’t assume that your prospects and your customers don’t care about your compliance with the GDPR. As public awareness increases about GDPR compliance, it’s in your best interest to comply; not doing so means that your prospects and customers’ concerns about how you use their personal data won’t be alleviated. By showing that you’re complying with the GDPR, you'll likely be rewarded by your customers with their loyalty, and your prospects will be more likely to become customers.

How This Book Is Organized

I’ve organized this book into several chapters divided into seven parts. In this section I briefly describe each part to give you a high-level look into what information is covered and where. You can find a more granular breakdown of the topics in the table of contents at the front of this book. And, if you’re searching for information on a specific issue, you can check the index to find where in the book it’s located.

Part 1: Getting Started with GDPR

Part 1 walks you through the fundamentals of data protection law and the changes introduced by the GDPR.

Part 2: The Key Principles of GDPR

Part 2 is about the key principles of the GDPR. Here's where I look at what personal data is and what processing data is — and at the six data protection principles. This part also contains one chapter on data controllers and data processors and another on international transfers of data.

Part 3: Key Documentation

Part 3 is about the key documentation needed in order to become GDPR compliant. I explain what needs to be contained in the Data Inventory, the Privacy Notice, the Cookie Policy, Data Processing Agreements, Data Sharing Agreements, Opt-in wording, and Legitimate Interest Assessments.

I also touch briefly on Data Protection Impact Assessment forms, Data Subject Access Requests, Data Breach Records, and Data Protection Policies.

Part 4: Data Subject Rights, Protection, and Security

In this part, I look at each of the data subject rights, paying particular attention to Data Subject Access Requests and the right to be forgotten. I take a more in-depth look at Data Protection Impact Assessments, Privacy Impact Assessments, and Data Protection Officers. This part also contains a chapter each on data security and data breaches (including the reporting requirements in the case of a breach).

Part 5: The Workplace, Marketing, and Beyond

This part looks at the lawful grounds of processing for employees, the vital ingredients of an employee Privacy Notice, the handling of Data Subject Access Requests from employees, employee monitoring, employee data breaches, and staff training. I also delve into the lawful grounds of processing for marketing, the GDPR’s interrelationship with the ePrivacy Directive, and the impact of the GDPR on various types of offline and online marketing. This part covers how the GDPR affects children, charities, and associations and ends with a chapter on supervisory authorities and remedies, liabilities, and penalties.

Part 6: The Part of Tens

The Part of Tens is a traditional part of the For Dummies series, and I use it to provide three helpful lists:

  • The ten best GDPR resources
  • The ten must-have skills for a Data Protection Officer (DPO)
  • The ten best ways to train employees to be good stewards of data

Part 7: Appendixes

I’ve included three appendixes (and a glossary of terms), each providing useful information that doesn’t fit elsewhere in the book:

  • Appendix A gives an overview of impending changes inspired by the GDPR, including proposed amendments to the ePrivacy Directive, US data protection laws, and data protection legislation around the world.
  • Appendix B provides a list of all the supervisory authorities in each EU member state and their contact details.
  • Appendix C contains a handy checklist of all the activities you must complete to maintain GDPR compliance.
  • Appendix D is a glossary of terms, related to the GDPR and data protection, that I use throughout the book. Although I define the terms when I introduce them, the glossary is a handy reference.

Icons Used in This Book

Throughout this book, I use various icons to draw your attention to specific information — here’s a description of what they mean:

Tip This icon highlights pointers to an easier way of doing something or a suggestion that can save you time. This icon may also point out where I give advice to help keep you out of trouble.

Remember When you see this icon, you know that it highlights information to keep in mind — or a topic I’ve discussed elsewhere, and I’m reminding you of it.

Warning I use this icon to point out pitfalls to avoid or actions (or a lack of actions) that can land you in legal trouble.

Technical Stuff Sometimes I provide particularly sticky details about an issue, which can get technical and not exactly interesting. You can ignore any text marked with this icon and not miss it a whit.

What You’re Not to Read

Many small-business owners are familiar with concepts such as consent and legitimate interests and the requirements to have a Privacy Notice and a Cookie Policy and to keep data secure. What many of them ignore, however, are matters such as using data processors and subprocessors, international transfers, and data protection by design and by default.

If you’re familiar with basic concepts but haven’t ventured beyond that, I recommend that you skip Part 1 and most of Part 2 to start at Chapter 6 and then read on from there.

I see many business owners who took action when the GDPR came into effect by putting new documentation into place but haven’t revisited it since then. The supervisory authorities are clear that treating the GDPR lightly, as a one-off exercise or a tick-the-box exercise, is not sufficient. Compliance has to be ongoing, and privacy must be at the heart of the organization. If this is you and you need to revisit your ongoing compliance, I recommend skipping Parts 1–3 (for now) and paying particular attention to Chapter 14 onward.

If you’re an expert on the GDPR and are using this book as a reference point only, just dip in and out as you see fit.

Where to Go from Here

Unless you are an expert in the GDPR (and are using this book as a reference point), I suggest that you start at Chapter 1 and read the entire book from start to finish.

You can read chapters out of order if you need to focus on certain areas before others. I provide cross-references to relevant chapters on topics you might need to know more about.

If you are new to GDPR compliance or you haven’t kept on top of ongoing compliance, start with the GDPR checklist in Appendix C, which will highlight your areas of noncompliance.

If you receive a data subject right request, such as a Data Subject Access Request or a right to be forgotten, you can refer quickly to the relevant section in Chapter 14.

GDPR Facebook group

After having worked with multinational companies for many years as a City of London lawyer at one of the world’s largest law firms, I have dedicated the past ten years to working exclusively with small businesses. I have always felt strongly about the injustice of traditional legal services being inaccessible to small business owners, often leaving them without protection for their businesses.

Though I had been running my Small Business Legal Academy for many years and helping thousands of small businesses with not just data protection law but also wider business law matters (www.smallbusinesslegalacademy.co.uk/sbla), I set up my GDPR Facebook group (GDPR for Online Entrepreneurs) after realizing that the majority of small-business owners:

  • Know absolutely nothing about data protection laws
  • Rely on incorrect advice from the loudest voice at their networking meetings

Because of this, I posted, for 90 days, one video guide per day on the GDPR, helping tens of thousands of small businesses in the process. I regularly post updates of cases, updated guidance from the European Data Protection Board or supervisory authorities, and updates on new related legislation. I also answer questions about the general application of the GDPR.

Tip Ensure that you answer the questions that you are asked when you apply to join my Facebook group — or you won’t be let in.

GDPR Compliance Pack

In my Facebook group, many small-business owners were panicking about the introduction of the GDPR and the huge fines they might face for non-compliance. Some were considering closing their small businesses because they lacked the resources to consult a lawyer in the traditional way. Part of my role in the Facebook group was to calm that panic and explain the reality: Small business owners wouldn’t be fined 20 million euros the day after the GDPR went into effect because of a small breach of the GDPR.

As I continued to educate group members on the ins and outs of the GDPR, they started asking how to implement their newfound knowledge. They realized that they needed a Privacy Notice, agreements with their data processors, and other documents, but they didn’t know where to get them from.

In response to this demand, I put together my GDPR Compliance Pack and sold it as affordably as possible. It has all the documents (over 20) a small business needs in order to become GDPR-compliant. After selling many thousands of copies of this Compliance Pack to organizations around the world, I have received huge accolades from happy customers — even asking whether they can nominate me for an award for the help I have provided. (That MBE is on its way, I am sure!)

If my Compliance Pack would help you, find out more about it here: www.suzannedibble.com/gdprpack.

Other ways to stay in the know

You can sign up for my GDPR updates by email by going to www.suzannedibble.com/gdprupdates.

Tip If you don’t receive any updates, check the spam folder in your email program and then whitelist the email address.

I also provide free training sessions on all areas of the GDPR that offer practical guidance on how to comply. The dates and registration links for those webinars are in my update emails.

If any areas of this book need to be updated, I will post the information at www.suzannedibble.com/gdprfordummies.

In addition to what you’re reading right now, this book comes with a free access-anywhere Cheat Sheet that offers a number of GDPR-related tips, techniques, and resources. To get this Cheat Sheet, visit www.dummies.com and type GDPR For Dummies cheat sheet in the Search box.

One-on-one legal advice

Although this book, the Facebook group, and my Compliance Pack can help you enormously with the GDPR, they are not a complete substitute for one-on-one legal advice. If you have a particularly complex business or are processing data in a complex way, I recommend that you obtain legal advice. For one-to-one advice, email me via my website and I’ll either provide you with a quote or refer you to a trusted data protection colleague.

www.suzannedibble.com

Part 1

Getting Started with GDPR

IN THIS PART …

Introducing the General Data Protection Regulation

A quick overview of data protection laws — in the EU and around the world

Taking on your ten most important obligations

Learning what happens if you don’t comply

Determining when the GDPR applies and when it doesn’t

Reviewing the GDPR’s most notable changes

Chapter 1

Grasping the Fundamentals of GDPR and Data Protection

IN THIS CHAPTER

  • Taking a look at data protection laws
  • Taking the most important actions — now
  • Recognizing what happens when you don’t comply
  • Gaining a competitive advantage by way of compliance

The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, is the successor to the European Union's 1995 Data Protection Directive (Directive 95/46/EC).

One aim of the GDPR was to harmonize data protection laws across Europe — so its legal form is a regulation (binding law that applies as written) as opposed to a directive (a result that member states must achieve, with the means left to each state). Unlike a directive, when the European Union (EU) enacts a regulation, it becomes national legislation in each EU member state, with member states having no opportunity to change it via national legislation.

However, EU member states are permitted to make certain derogations (a fancy term for exemptions) from the GDPR (such as in the case of the need to uphold a country’s security), so data protection laws across Europe aren’t quite as harmonized as may have been desired by some of the legislators.

Although EU member states cannot change the GDPR, each member state requires national legislation to accompany the GDPR, for two reasons:

  • The GDPR needs to fit into the member state’s legal framework.
  • National legislation is needed to choose from the exemptions permitted by the GDPR.

At the time this book was written, all but three member states had passed national legislation to sit alongside the GDPR. So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established.

Understanding Data Protection Laws

Data protection laws exist to balance the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights.

This list describes a handful of additional points about these laws to keep in mind. Data protection laws:

  • Protect data subjects: A data subject is an individual whose personal data is collected, held, and/or processed.
  • Apply to organizations that control the processing of personal data (known as data controllers) and also organizations that process personal data under the instructions of data controllers (known as data processors): These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).
  • Apply throughout the world: The concept of privacy originated in the United States in the 1890s. Although the EU has been a front-runner in establishing the laws protecting data and sees itself as setting the gold standard of data protection laws, the vast majority of countries around the world have some form of data protection laws.
  • Do not prevent organizations from using personal data: Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on.
  • Prevent common misuses of personal data: Organizations often (i) fail to put in place appropriate measures to keep personal data secure, (ii) fail to inform the data subject at the point of data collection about what they intend to do with the personal data (and, where necessary, fail to obtain consent), and (iii) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses.

Countries hold to varying degrees of regulation and enforcement and some countries don’t have any data protection laws. Table 1-1 rates the strength of various countries’ efforts to protect data.

TABLE 1-1 Regulation/Enforcement Strength of Data Protection Laws Worldwide

  Type of Regulation/Enforcement   Countries
  Tough                            Australia, Canada, Hong Kong, South Korea
  Strong                           Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand
  Light                            Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine
  Limited                          Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay

The Ten Most Important Obligations of the GDPR

The obligations I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book:

  • Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it. (See Chapter 7 for more on this topic.)
  • Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it. (Chapter 3 has more on this topic.)
  • Ensure that your data security strategy is robust and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident. (See Chapter 16 for more about data security.)
  • Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA). (See Chapter 6 for more about transferring personal data.)
  • Update your Privacy Notice to ensure that you’re being transparent about the means and purposes of your data-processing. (See Chapter 8 for more on Privacy Notices.)
  • Update your Cookie Policy to ensure that you aren’t relying on implied consent, that browsers of your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained. (For more on the concept of implied consent as well as details about cookie policies, see Chapter 9.)
  • Ensure that your staff are appropriately trained in relevant areas of the GDPR. (Chapter 18 has more on this topic and Chapter 24 has tips for training employees to help you maintain GDPR compliance.)
  • Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee Privacy Notice where necessary. (See Chapter 18 for more on this topic.)
  • Determine whether you need to appoint a Data Protection Officer (DPO). If you do, take the necessary steps to hire a suitable candidate. (See Chapter 15 for more on DPOs.)
  • Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data. (See Chapter 5 for more on this topic. Chapter 10 covers data processor and subprocessor contracts.)
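As an added illustration of the Cookie Policy obligation in the list above (this is example code, not something from the book or from any real consent tool), the following JavaScript sketches a consent gate that writes non-essential cookies only after an explicit opt-in and treats "no decision yet" exactly like a refusal. The cookie categories, cookie names, and the in-memory cookie store standing in for document.cookie are all assumptions so that it runs in Node.js as well as in a browser.

```javascript
// Added example (not from the book): a small consent gate for cookies.
// Assumptions: every cookie is registered under a category; only
// "essential" cookies may be written without consent; the store is an
// in-memory stand-in for document.cookie so the code runs outside a browser.

const ESSENTIAL = 'essential';

function createConsentGate() {
  const store = new Map();   // cookie name -> { value, category }
  const consent = new Map(); // category -> true | false (absent = undecided)
  const pending = [];        // non-essential cookies requested before a decision

  // A missing decision is treated like a refusal: scrolling, closing a
  // banner or simply continuing to browse is implied consent and never counts.
  function isAllowed(category) {
    return category === ESSENTIAL || consent.get(category) === true;
  }

  // Returns true if the cookie was written now, false if it was queued
  // to be fired only after consent arrives.
  function setCookie(name, value, category) {
    if (!isAllowed(category)) {
      pending.push({ name, value, category });
      return false;
    }
    store.set(name, { value, category });
    return true;
  }

  // Called only from an explicit user action such as clicking "Accept".
  // `granted` must be a literal boolean: a pre-ticked box or an unset
  // value is not an affirmative action, so it is rejected.
  function recordChoice(category, granted) {
    if (category === ESSENTIAL) {
      throw new Error('essential cookies are not subject to consent');
    }
    if (granted !== true && granted !== false) {
      throw new Error('consent must be an explicit true or false');
    }
    if (!granted) {
      withdraw(category);
      return;
    }
    consent.set(category, true);
    // Fire the cookies that were held back, in the order they were requested.
    const release = pending.filter((c) => c.category === category);
    const keep = pending.filter((c) => c.category !== category);
    pending.splice(0, pending.length, ...keep);
    release.forEach((c) => store.set(c.name, { value: c.value, category }));
  }

  // Withdrawing consent must be as easy as giving it: delete the cookies of
  // that category already written and discard anything still queued.
  function withdraw(category) {
    consent.set(category, false);
    for (const [name, cookie] of store) {
      if (cookie.category === category) store.delete(name);
    }
    for (let i = pending.length - 1; i >= 0; i--) {
      if (pending[i].category === category) pending.splice(i, 1);
    }
  }

  function status(category) {
    if (category === ESSENTIAL) return 'not-required';
    if (!consent.has(category)) return 'undecided';
    return consent.get(category) ? 'granted' : 'refused';
  }

  // Snapshot of what has actually been written (name -> value).
  function cookies() {
    const out = {};
    for (const [name, cookie] of store) out[name] = cookie.value;
    return out;
  }

  return { setCookie, recordChoice, withdraw, status, cookies,
           pendingCount: () => pending.length };
}

// Walk-through with constructed cookie names (illustrative only).
function demo() {
  const gate = createConsentGate();
  gate.setCookie('session_id', 'abc123', ESSENTIAL);       // written at once
  gate.setCookie('_analytics', 'visitor-42', 'analytics'); // queued
  gate.setCookie('_ads', 'seg-7', 'marketing');            // queued
  const before = Object.keys(gate.cookies());
  gate.recordChoice('analytics', true);  // affirmative click on "Accept"
  gate.recordChoice('marketing', false); // explicit refusal
  const after = Object.keys(gate.cookies());
  gate.withdraw('analytics');            // later change of mind
  const withdrawn = Object.keys(gate.cookies());
  return { before, after, withdrawn, pending: gate.pendingCount() };
}
```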

Facing the Consequences

Think of this section as a description of not only the consequences you face if you aren’t compliant but also the reasons you should care about being compliant.

Increased fines and sanctions

The GDPR has introduced significant increases in the maximum fines for breaches of its requirements.

Under the GDPR, the maximum fine for certain breaches of the GDPR has been increased to €20 million or 4 percent of global turnover for the past financial year, whichever is higher. For “lesser” breaches, the maximum fine has increased to €10 million or 2 percent of global turnover for the past financial year, whichever is higher.

This significant increase in fines indicates the increasing importance of data protection within the EU as the value of personal data increases and the processing becomes even more sophisticated.

This is not to say that you will be fined these amounts for any infringement of the GDPR — you would have to do something that significantly impacts the rights and freedoms of a large number of data subjects to incur a maximum fine. (See Chapter 21 for examples of fines issued and the considerations that supervisory authorities take into account when deciding on the appropriate sanction. I also discuss fines and sanctions throughout this book where they are pertinent to the topic at hand.)

Remember Supervisory authorities are the regulatory authorities (often known as data protection authorities) within individual EU member states that are responsible for the enforcement of the GDPR. There is a list of supervisory authorities in Appendix B.

Civil claims

Data subjects can now bring civil claims against data controllers for infringements of their data subject rights. So, if, for example, you don’t respond appropriately to a data subject right request (such as a Data Subject Access Request, by which the data subject can request details of the personal data you process about them — see Chapter 14 for more detail on this) or if you experience a data breach that affects the data subject’s personal data (see Chapter 17 for more on this), you could find yourself on the receiving end of a civil claim.

As you may have noticed in recent high-profile data breaches, such as the British Airways data breach in 2019, data protection lawyers are placing advertisements encouraging victims of data breaches to join group actions against the data controller.

A civil claim against you would not only damage your reputation further but would also cost a significant amount of time and money to defend the claim.

Data subject complaints

The general public is much savvier about their data protection rights than they used to be — for these reasons:

  • The introduction of the GDPR garnered a lot of publicity due to the increased sanctions.
  • Supervisory authorities ran various awareness campaigns to ensure that data subjects were aware of their rights.
  • Certain high-profile cases, such as the Facebook and Cambridge Analytica cases (where personal data was misused for political profiling) and the British Airways data breach case, have received broad coverage in the media.

This savviness has led to an increase in the number of complaints from data subjects whose personal data hasn’t been processed in accordance with the GDPR. Data subjects are lodging complaints both directly to the data controller and to supervisory authorities. The two situations require two different responses:

  • If the data subject complains directly to you (the data controller): Although a complaint signals that an element of reputational damage has occurred, you have an opportunity to repair the relationship — which is particularly important if the data subject is a customer or a potential customer.
  • If the data subject complains to the supervisory authority: Because the supervisory authority is bound to investigate that complaint, you might face more serious consequences. The supervisory authority will review all your data processing activities, policies, and procedures in relation to that complaint. If it finds that the complaint is valid, the supervisory authority will use its corrective powers in relation to such complaints.

These corrective powers include the ability to issue fines, to impose a temporary or definitive ban on the processing of personal data, or to force you to respond to the data subject’s requests to exercise their rights. Chapter 21 contains more information about the powers of supervisory authorities.

Brand damage

When a data subject brings a claim against you, you risk not only sanctions from the relevant supervisory authority but also brand damage. A report by Acxiom (a consulting firm providing marketers with data and technology assistance) entitled “Global data privacy: What the consumer really thinks” showed that individuals from around the world are, in the vast majority, quite concerned about how their personal data is used and protected. If you aren’t compliant with the GDPR, you’re showing your prospects, customers, and employees that you aren’t concerned about the protection of their personal data.

You can see the Acxiom report at: https://dma.org.uk/uploads/misc/5b0522b113a23-global-data-privacy-report---final-2_5b0522b11396e.pdf.

Loss of trust

If you don’t comply with the GDPR and, for example, you experience a data breach or don’t respond appropriately to data subject requests, you are likely to lose trust from your customers and prospects. When they don’t trust you, they don’t want to buy from you or otherwise do business with you. Similarly, when your employees don’t trust you, they no longer want to work for you.

In unfortunate timing, British Airways sent an email to all of its customers to assure them that they could trust British Airways with their personal data. Just a couple of months later, British Airways suffered a large data breach that compromised the financial details of 185,000 customers, details that were sold on the dark web. As a result of this data breach, the share price of IAG (British Airways’ parent company) decreased by 5.8 percent (equivalent to a loss of £350m).

In 2018, Comparitech published a report finding that, in the long term, organizations that have suffered data breaches underperformed financially.

You can find that report at www.comparitech.com/blog/information-security/data-breach-share-price-2018/.

Being a Market Leader

By embracing the GDPR and showing your customers, prospects, and employees that you care about the protection of their personal data, you gain a competitive advantage.

Elizabeth Denham, the UK information commissioner, summed up this idea nicely:

“Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”