GDPR For Dummies (eBook)
464 pages
Wiley (publisher)
978-1-119-54617-7 (ISBN)
Don't be afraid of the GDPR wolf!
How can your business easily comply with the new data protection and privacy laws and avoid fines of up to $27M? GDPR For Dummies sets out in simple steps how small business owners can comply with the complex General Data Protection Regulations (GDPR). These regulations apply to all businesses established in the EU and to businesses established outside of the EU insofar as they process personal data about people within the EU.
Inside, you'll discover how GDPR applies to your business in the context of marketing, employment, providing your services, and using service providers. Learn how to avoid fines, regulatory investigations, customer complaints, and brand damage, while gaining a competitive advantage and increasing customer loyalty by putting privacy at the heart of your business.
- Find out what constitutes personal data and special category data
- Gain consent for online and offline marketing
- Put your Privacy Policy in place
- Report a data breach before being fined
79% of U.S. businesses haven't figured out how they'll report breaches in a timely fashion, provide customers the right to be forgotten, conduct privacy impact assessments, and more. If you are one of those businesses that hasn't put a plan in place, then GDPR For Dummies is for you.
Suzanne Dibble is a business lawyer who has advised huge multi-national corporations, private equity-backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. See more at suzannedibble.com
Introduction
The General Data Protection Regulation — the GDPR — seeks to unify data protection legislation across Europe. It is the successor to the EU Data Protection Directive of 1995 and came into effect on May 25, 2018.
A complex regulation composed of 11 chapters, 99 articles (which dictate the compliance requirements), 173 recitals (which provide context to the articles), and 88 pages, the GDPR might not be something you care to read.
I was inspired to write this book — designed to help anyone who needs to quickly and easily come to grips with the GDPR and related data-protection legislation — following the success of my Facebook group, GDPR for Online Entrepreneurs. (I tell you more about that topic later in this introduction.) In this group, the largest social media group on the topic of the GDPR, I have been able to help tens of thousands of small-business owners via my numerous video guides, online training sessions, and live Q&As.
Although the Facebook group has helped many thousands of small-business owners around the world understand the GDPR and how to implement compliance in their own organization, I know that many more still need help. Some aren’t on Facebook, some will never find my group, and some prefer a comprehensive book over watching videos.
It is my hope that, in writing this book, I can help many more tens of thousands (and maybe someday, hundreds of thousands) when dealing with the complex set of issues associated with the GDPR.
About This Book
The book explains the complexities of the GDPR in language that anyone can understand. It is practical, it is relevant, and it is comprehensive. If you’re processing personal data — whether you’re part of a company, a charity, or an association — this is the book for you.
Due to its ease of reading and the comprehensive nature of the book, the book may be not only a useful guide for small-business owners, charities, and associations but also a useful resource for Data Protection Officers (or anyone responsible for data processing) of larger companies.
Although reading this book might save you the headache of reading the entire text of the GDPR, you might still need to obtain legal advice concerning certain activities related to achieving and maintaining GDPR compliance.
Foolish Assumptions
If you’re reading this book, I assume the following about you (issues that relate to the material scope of the GDPR, which is a topic I discuss further in Chapter 2):
- You either run your own business (or an association or a charity) or work for one and are to some extent the responsible party when it comes to data protection.
- You process personal data in an automated way or as part of a manual filing system.
Note: If you process personal data purely as part of a personal or household activity, you need not read this book, because the GDPR doesn’t apply to you.
The following list shows what I’ll ask you not to assume, to help you begin to understand how the GDPR works and when it applies to you:
- Territorial scope of the GDPR: Don’t assume that just because you’re established outside of the EU that the GDPR doesn’t apply to you. If either of the following bullet items applies to you, the GDPR applies to you:
- You offer goods or services (whether payment is required or not) to data subjects within the EU.
- You monitor the behavior of data subjects in the EU — for example, by using tracking cookies.
- Size threshold for the GDPR: Don’t assume, because your company, charity, or association is very small, that the GDPR doesn’t apply to you. No threshold of size dictates whether the GDPR applies. There are derogations (exemptions) for certain GDPR obligations for organizations that employ more than 250 employees, but many people confuse this with an absolute exemption from the application of the GDPR. That is not the case.
- Compliance: If the GDPR does apply to you, don’t assume that you can play fast-and-loose with the rules and never be fined or that you can ignore the rules because your competitors aren’t compliant. Supervisory authorities respond to complaints; if they investigate you and find non-compliance, they have a wide range of sanctions at their disposal. (See Chapter 21 for more on this topic.)
  Equally, don’t assume the worst because a complaint has been made. If you cooperate with the supervisory authority and show that you have been trying to become compliant, you will in all likelihood be spared a fine. If you bury your head in the sand and ignore the GDPR, however, the supervisory authorities won’t hesitate to use the full sanctions at their disposal.
- Investment to become compliant: You may not be overjoyed about having to find the time to learn about the GDPR and then implement compliance, but it’s important, and it’s necessary. Yet you don’t have to spend a fortune on expensive lawyers and you don’t need to become an expert on the GDPR.
  If you put aside just a few days to read this book, buy my GDPR Compliance Pack (find out more about this later in the Introduction), and put in place the necessary documents, you will be in good shape to fend off complaints, cope with regulatory investigations, avoid fines, and develop customer loyalty by respecting their data.
- People don’t care about compliance: At a talk I gave at the Digital Marketer’s Internet marketing conference in San Diego about the GDPR and the new ePrivacy Regulations (see Appendix A for more on the ePD), I shared research from a report by Acxiom, which surveyed over 10,000 people in ten different countries. The report shows that the vast majority of people are very concerned about the issue of online privacy.
So, don’t assume that your prospects and your customers don’t care about your compliance with the GDPR. As public awareness increases about GDPR compliance, it’s in your best interest to comply; not doing so means that your prospects and customers’ concerns about how you use their personal data won’t be alleviated. By showing that you’re complying with the GDPR, you'll likely be rewarded by your customers with their loyalty, and your prospects will be more likely to become customers.
How This Book Is Organized
I’ve organized this book into several chapters divided into seven parts. In this section I briefly describe each part to give you a high-level look into what information is covered and where. You can find a more granular breakdown of the topics in the table of contents at the front of this book. And, if you’re searching for information on a specific issue, you can check the index to find where in the book it’s located.
Part 1: Getting Started with GDPR
Part 1 walks you through the fundamentals of data protection law and the changes introduced by the GDPR.
Part 2: The Key Principles of GDPR
Part 2 is about the key principles of the GDPR. Here's where I look at what personal data is and what processing data is — and at the six data protection principles. This part also contains one chapter on data controllers and data processors and another on international transfers of data.
Part 3: Key Documentation
Part 3 is about the key documentation needed in order to become GDPR compliant. I explain what needs to be contained in the Data Inventory, the Privacy Notice, the Cookie Policy, Data Processing Agreements, Data Sharing Agreements, Opt-in wording, and Legitimate Interest Assessments.
I also touch briefly on Data Protection Impact Assessment forms, Data Subject Access Requests, Data Breach Records, and Data Protection Policies.
Part 4: Data Subject Rights, Protection, and Security
In this part, I look at each of the data subject rights, paying particular attention to Data Subject Access Requests and the right to be forgotten. I take a more in-depth look at Data Protection Impact Assessments, Privacy Impact Assessments, and Data Protection Officers. This part also contains a chapter each on data security and data breaches (including the reporting requirements in the case of a breach).
Part 5: The Workplace, Marketing, and Beyond
This part looks at the lawful grounds of processing for employees, the vital ingredients of an employee Privacy Notice, the handling of Data Subject Access Requests from employees, employee monitoring, employee data breaches, and staff training. I also delve into the lawful grounds of processing for marketing, the GDPR’s interrelationship with the ePrivacy Directive, and the impact of the GDPR on various types of offline and online marketing. This part covers how the GDPR affects children, charities, and associations and ends with a chapter on supervisory authorities and remedies, liabilities, and penalties.
Part 6: The Part of Tens
The Part of Tens is a traditional part of the For Dummies series, and I use it to provide three helpful lists:
- The ten best GDPR resources
- The ten must-have skills for a Data Protection Officer (DPO)
- The ten best ways to train employees to be good stewards of data
Part 7:...
| Publication date (per publisher) | 22.11.2019 |
|---|---|
| Language | English |
| Subject area | Mathematics / Computer Science ► Computer Science ► Databases |
| | Mathematics / Computer Science ► Computer Science ► Theory / Study |
| | Engineering ► Civil Engineering |
| | Business ► Business Administration / Management ► Corporate Management / Management |
| ISBN-10 | 1-119-54617-6 / 1119546176 |
| ISBN-13 | 978-1-119-54617-7 / 9781119546177 |
Size: 2.7 MB
Copy protection: Adobe DRM
Adobe DRM is a copy protection scheme intended to protect the eBook from misuse. The eBook is authorized to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly well suited to fiction and non-fiction. The body text reflows dynamically to the display and font size, which also makes EPUB a good fit for mobile reading devices.
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a
eReader: This eBook can be read on (almost) all eBook readers, but it is not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a
Buying eBooks from abroad
For tax law reasons we can sell eBooks only within Germany and Switzerland. Regrettably, we cannot fulfill eBook orders from other countries.