Data privacy and GDPR handbook
著者
書誌事項
Data privacy and GDPR handbook
Wiley, c2020
- : cloth
大学図書館所蔵 件 / 全1件
-
該当する所蔵館はありません
- すべての絞り込み条件を解除する
注記
Includes index
内容説明・目次
内容説明
The definitive guide for ensuring data privacy and GDPR compliance
Privacy regulation is increasingly rigorous around the world and has become a serious concern for senior management of companies regardless of industry, size, scope, and geographic area. The Global Data Protection Regulation (GDPR) imposes complex, elaborate, and stringent requirements for any organization or individuals conducting business in the European Union (EU) and the European Economic Area (EEA)-while also addressing the export of personal data outside of the EU and EEA. This recently-enacted law allows the imposition of fines of up to 5% of global revenue for privacy and data protection violations. Despite the massive potential for steep fines and regulatory penalties, there is a distressing lack of awareness of the GDPR within the business community. A recent survey conducted in the UK suggests that only 40% of firms are even aware of the new law and their responsibilities to maintain compliance.
The Data Privacy and GDPR Handbook helps organizations strictly adhere to data privacy laws in the EU, the USA, and governments around the world. This authoritative and comprehensive guide includes the history and foundation of data privacy, the framework for ensuring data privacy across major global jurisdictions, a detailed framework for complying with the GDPR, and perspectives on the future of data collection and privacy practices.
Comply with the latest data privacy regulations in the EU, EEA, US, and others
Avoid hefty fines, damage to your reputation, and losing your customers
Keep pace with the latest privacy policies, guidelines, and legislation
Understand the framework necessary to ensure data privacy today and gain insights on future privacy practices
The Data Privacy and GDPR Handbook is an indispensable resource for Chief Data Officers, Chief Technology Officers, legal counsel, C-Level Executives, regulators and legislators, data privacy consultants, compliance officers, and audit managers.
目次
- 1 Origins and Concepts of Data Privacy 1 1.1 Questions and Challenges of Data Privacy 2 1.1.1 But Cupid Turned Out to Be Not OK 3 1.2 The Conundrum of Voluntary Information 3 1.3 What is Data Privacy? 5 1.3.1 Physical Privacy 5 1.3.2 Social Privacy Norms 5 1.3.3 Privacy in a Technology-Driven Society 5 1.4 Doctrine of Information Privacy 6 1.4.1 Information Sharing Empowers the Recipient 6 1.4.2 Monetary Value of Individual Privacy 7 1.4.3 "Digital Public Spaces" 7 1.4.4 A Model Data Economy 8 1.5 Notice-and-Choice versus Privacy-as-Trust 9 1.6 Notice-and-Choice in the US 9 1.7 Enforcement of Notice-and-Choice Privacy Laws 11 1.7.1 Broken Trust and FTC Enforcement 11 1.7.2 The Notice-and-Choice Model Falls Short 12 1.8 Privacy-as-Trust: An Alternative Model 13 1.9 Applying Privacy-as-Trust in Practice: The US Federal Trade Commission 14 1.9.1 Facebook as an Example 15 1.10 Additional Challenges in the Era of Big Data and Social Robots 16 1.10.1 What is a Social Robot? 16 1.10.2 Trust and Privacy 17 1.10.3 Legal Framework for Governing Social Robots 17 1.11 The General Data Protection Regulation (GDPR) 18 1.12 Chapter Overview 19 Notes 21 2 A Brief History of Data Privacy 23 2.1 Privacy as One's Castle 23 2.1.1 Individuals' "Castles" Were Not Enough 24 2.2 Extending Beyond the "Castle" 24 2.3 Formation of Privacy Tort Laws 24 2.3.1 A Privacy Tort Framework 25 2.4 The Roots of Privacy in Europe and the Commonwealth 25 2.5 Privacy Encroachment in the Digital Age 26 2.5.1 Early Digital Privacy Laws Were Organic 27 2.5.2 Growth in Commercial Value of Individual Data 27 2.6 The Gramm-Leach-Bliley Act Tilted the Dynamic against Privacy 28 2.7 Emergence of Economic Value of Individual Data for Digital Businesses 29 2.7.1 The Shock of the 9/11 Attacks Affected Privacy Protection Initiatives 29 2.7.2 Surveillance and Data Collection Was Rapidly Commercialized 30 2.7.3 Easing of Privacy Standards by the NSA Set the Tone at the Top 30 2.8 Legislative Initiatives to Protect Individuals' Data Privacy 31 2.9 The EU Path 33 2.9.1 The Internet Rights Revolution 34 2.9.2 Social Revolutions 34 2.10 End of the Wild West? 37 2.11 Data as an Extension of Personal Privacy 37 2.12 Cambridge Analytica: A Step Too Far 39 2.13 The Context of Privacy in Law Enforcement 39 Summary 41 Notes 41 3 GDPR's Scope of Application 45 3.1 When Does GDPR Apply? 45 3.1.1 "Processing" of Data 46 3.1.2 "Personal Data" 47 3.1.3 Exempted Activities under GDPR 51 3.2 The Key Players under GDPR 52 3.3 Territorial Scope of GDPR 54 3.3.1 Physical Presence in the EU 54 3.3.2 Processing Done in the Context of the Activities 55 3.3.3 Users Based in the EU 56 3.3.4 "Time of Stay" Standard 57 3.4 Operation of Public International Law 57 Notes 57 4 Technical and Organizational Requirements under GDPR 61 4.1 Accountability 61 4.2 The Data Controller 62 4.2.1 Responsibilities of the Controller 63 4.2.2 Joint Controllers and Allocating Liability 65 4.2.3 The Duty to Cooperate with the SA 68 4.3 Technical and Organizational Measures 69 4.3.1 Maintain a Data-Protection Level 69 4.3.2 Minimum Requirements for Holding a Data Protection Level 69 4.3.3 Weighing the Risks 70 4.3.4 The Network and Information Systems Directive 71 4.4 Duty to Maintain Records of Processing Activities 72 4.4.1 Content of Controller's Records 72 4.4.2 Content of Processor's Records 73 4.4.3 Exceptions to the Duty 73 4.5 Data Protection Impact Assessments 73 4.5.1 Types of Processing That Require DPIA 74 4.5.2 Scope of Assessment 75 4.5.3 Business Plan Oversight 78 4.6 The Data Protection Officer 80 4.6.1 Designation of DPO 80 4.6.2 Qualifications and Hiring a DPO 81 4.6.3 Position of the DPO 81 4.6.4 Tasks of the DPO 82 4.6.5 An Inherent Conflict of Interest? 83 4.6.6 DPO Liability 84 4.7 Data Protection by Design and Default 84 4.7.1 Data Protection at the Outset 84 4.7.2 Balancing the Amount of Protection 85 4.7.3 Applying Data Protection by Design 86 4.7.4 Special Case: Blockchain Technology and GDPR 91 4.8 Data Security during Processing 92 4.8.1 Data Security Measures 93 4.8.2 Determining the Risk Posed 94 4.8.3 Data Protection Management Systems: A "Technical and Organizational Measure" 94 4.9 Personal Data Breaches 94 4.9.1 Overview of Data Breaches 95 4.9.2 The Controller's Duty to Notify 103 4.9.3 Controller's Duty to Communicate the Breach to Data Subjects 106 4.10 Codes of Conduct and Certifications 107 4.10.1 Purpose and Relationship under GDPR 107 4.10.2 Codes of Conduct 108 4.10.3 Certification 110 4.11 The Data Processor 112 4.11.1 Relationship between Processor and Controller 112 4.11.2 Responsibilities of Controller in Selecting a Processor 113 4.11.3 Duties of the Processor 114 4.11.4 Subprocessors 116 Notes 116 5 Material Requisites for Processing under GDPR 125 5.1 The Central Principles of Processing 125 5.1.1 Lawful, Fair, and Transparent Processing of Data 126 5.1.2 Processing Limited to a "Purpose" 127 5.1.3 Data Minimization and Accuracy 130 5.1.4 Storage of Data 131 5.1.5 Integrity and Confidentiality of the Operation 131 5.2 Legal Grounds for Data Processing 132 5.2.1 Processing Based on Consent 132 5.2.2 Processing Based on Legal Sanction 144 5.2.3 Changing the Processing "Purpose" 148 5.2.4 Special Categories of Data 149 5.3 International Data Transfers 161 5.3.1 Adequacy Decisions and "Safe" Countries 162 5.3.2 Explicit Consent 166 5.3.3 Standard Contractual Clauses 166 5.3.4 The EU-US Privacy Shield 169 5.3.5 Binding Corporate Rules 172 5.3.6 Transfers Made with or without Authorization 175 5.3.7 Derogations 177 5.3.8 Controllers Outside of the EU 180 5.4 Intragroup Processing Privileges 182 5.5 Cooperation Obligation on EU Bodies 183 5.6 Foreign Law in Conflict with GDPR 184 Notes 185 6 Data Subjects' Rights 193 6.1 The Controller's Duty of Transparency 194 6.1.1 Creating the Modalities 194 6.1.2 Facilitating Information Requests 195 6.1.3 Providing Information to Data Subjects 195 6.1.4 The Notification Obligation 196 6.2 The Digital Miranda Rights 197 6.2.1 Accountability Information 197 6.2.2 Transparency Information 198 6.2.3 Timing 200 6.2.4 Defenses for Not Providing Information 200 6.3 The Right of Access 201 6.3.1 Accessing Personal Data 201 6.3.2 Charging a "Reasonable Fee" 202 6.4 Right of Rectification 203 6.4.1 Inaccurate Personal Data 204 6.4.2 Incomplete Personal Data 204 6.4.3 Handling Requests 204 6.5 Right of Erasure 205 6.5.1 Development of the Right 205 6.5.2 The Philosophical Debate 206 6.5.3 Circumstances for Erasure under GDPR 209 6.5.4 Erasure of Personal Data Which Has Been Made Public 211 6.5.5 What is "Erasure" of Personal Data? 212 6.5.6 Exceptions to Erasure 212 6.6 Right to Restriction 214 6.6.1 Granting Restriction 215 6.6.2 Exceptions to Restriction 216 6.7 Right to Data Portability 216 6.7.1 The Format of Data and Requirements for Portability 217 6.7.2 Business Competition Issues 218 6.7.3 Intellectual Property Issues 219 6.7.4 Restrictions on Data Portability 220 6.8 Rights Relating to Automated Decision Making 221 6.8.1 The Right to Object 221 6.8.2 Right to Explanation 223 6.8.3 Profiling 224 6.8.4 Exceptions 225 6.8.5 Special Categories of Data 225 6.9 Restrictions on Data Subject Rights 226 6.9.1 Nature of Restrictions Placed 226 6.9.2 The Basis of Restrictions 227 Notes 228 7 GDPR Enforcement 233 7.1 In-House Mechanisms 233 7.1.1 A Quick Review 234 7.1.2 Implementing an Internal Rights Enforcement Mechanism 235 7.2 Data Subject Representation 240 7.2.1 Standing of NPOs to Represent Data Subjects 240 7.2.2 Digital Rights Activism 241 7.3 The Supervisory Authorities 241 7.3.1 Role of Supervisory Authority 241 7.3.2 The Members of the Supervisory Authority 242 7.3.3 An Independent Body 243 7.3.4 Professional Secrecy 243 7.3.5 Competence of the Supervisory Authority 244 7.3.6 Tasks of the Supervisory Authority 246 7.3.7 Powers of the SA 248 7.3.8 Cooperation and Consistency Mechanism 250 7.3.9 GDPR Enforcement by Supervisory Authorities 252 7.4 Judicial Remedies 253 7.4.1 Judicial Action against the Controller or Processor 253 7.4.2 Courts versus SA
- Which is Better for GDPR Enforcement? 254 7.4.3 Judicial Action against the Supervisory Authority 254 7.4.4 Controller Suing the Data Subject? 256 7.4.5 Suspending the Proceedings 257 7.5 Alternate Dispute Resolution 258 7.5.1 Is an ADR Arrangement Allowed under GDPR? 260 7.5.2 ADR Arrangements 260 7.5.3 Key Hurdles of Applying ADR to GDPR 261 7.5.4 Suggestions for Implementing ADR Mechanisms 263 7.6 Forum Selection Clauses 265 7.7 Challenging the Existing Law 266 Notes 267 8 Remedies 271 8.1 Allocating Liability 271 8.1.1 Controller Alone Liable 271 8.1.2 Processor Alone Liable 272 8.1.3 Joint and Several Liabilities 272 8.2 Compensation 273 8.2.1 Quantifying "Full Compensation" 273 8.2.2 Conflict in the Scope of "Standing" in Court 274 8.3 Administrative Fines 275 8.3.1 Fines for Regulatory Infringements 275 8.3.2 Fines for Grave Infringements 276 8.3.3 Determining the Quantum of the Fine 276 8.4 Processing Injunctions 279 8.4.1 Domestic Law 279 8.4.2 The EU Injunction Directive 280 8.4.3 The SA's Power to Restrain Processing 281 8.5 Specific Performance 283 Notes 284 9 Governmental Use of Data 287 9.1 Member State Legislations 287 9.2 Processing in the "Public Interest" 291 9.2.1 What is Public Interest? 291 9.2.2 Public Interest as a "Legal Basis" for Processing 292 9.2.3 State Use of "Special" Data 292 9.2.4 Processing Relating to Criminal Record Data 294 9.3 Public Interest and the Rights of a Data Subject 294 9.3.1 Erasure and Restriction of Data Processing 294 9.3.2 Data Portability 295 9.3.3 Right to Object 296 9.3.4 Right to Explanation 296 9.4 Organizational Exemptions and Responsibilities 297 9.4.1 Representatives for Controllers Not within the EU 297 9.4.2 General Impact Assessments in Lieu of a Data Protection Impact Assessment (DPIA) 297 9.4.3 Designation of a Data Protection Office (DPO) 298 9.4.4 Monitoring of Approved Codes of Conduct 299 9.4.5 Third-Country Transfers 299 9.5 Public Documents and Data 301 9.5.1 The Network and Information Systems Directive 301 9.5.2 Telemedia Data Protection 302 9.5.3 National Identification Numbers 303 9.6 Archiving 304 9.7 Handling Government Subpoenas 305 9.8 Public Interest Restrictions on GDPR 305 9.9 Processing and Freedom of Information and Expression 306 9.9.1 Journalism and Expression under GDPR 306 9.9.2 Combating "Fake News" in the Modern Age 307 9.10 State Use of Encrypted Data 308 9.11 Employee Data Protection 309 9.11.1 The Opening Clause 310 9.11.2 Employment Agreements 311 9.11.3 The German Betriebsrat 312 9.11.4 The French "Comite d'enterprise" 313 Notes 314 10 Creating a GDPR Compliance Department 319 10.1 Step 1: Establish a "Point Person" 319 10.2 Step 2: Internal Data Audit 321 10.3 Step 3: Budgeting 322 10.4 Step 4: Levels of Compliance Needed 323 10.4.1 Local Legal Standards 323 10.4.2 Enhanced Legal Standards for International Data Transfers 324 10.4.3 International Legal Standards 324 10.4.4 Regulatory Standards 324 10.4.5 Contractual Obligations 324 10.4.6 Groups of Undertakings 325 10.5 Step 5: Sizing Up the Compliance Department 325 10.6 Step 6: Curating the Department to Your Needs 326 10.6.1 "In-House" Employees 326 10.6.2 External Industry Operators 326 10.6.3 Combining the Resources 327 10.7 Step 7: Bring Processor Partners into Compliance 327 10.8 Step 8: Bring Affiliates into Compliance 328 10.9 Step 9: The Security of Processing 328 10.10 Step 10: Revamping Confidentiality Procedures 329 10.11 Step 11: Record Keeping 329 10.12 Step 12: Educate Employees on New Protocols 330 10.13 Step 13: Privacy Policies and User Consent 331 10.14 Step 14: Get Certified 331 10.15 Step 15: Plan for the Worst Case Scenario 331 10.16 Conclusion 332 Notes 332 11 Facebook: A Perennial Abuser of Data Privacy 335 11.1 Social Networking as an Explosive Global Phenomenon 335 11.2 Facebook is Being Disparaged for Its Data Privacy Practices 335 11.3 Facebook Has Consistently Been in Violation of GDPR Standards 336 11.4 The Charges against Facebook 336 11.5 What is Facebook? 337 11.6 A Network within the Social Network 337 11.7 No Shortage of "Code of Conduct" Policies 338 11.8 Indisputable Ownership of Online Human Interaction 339 11.9 Social Networking as a Mission 339 11.10 Underlying Business Model 340 11.11 The Apex of Sharing and Customizability 341 11.12 Bundling of Privacy Policies 341 11.13 Covering All Privacy Policy Bases 342 11.14 Claims of Philanthropy 343 11.15 Mechanisms for Personal Data Collection 344 11.16 Advertising: The Big Revenue Kahuna 346 11.17 And Then There is Direct Marketing 347 11.18 Our Big (Advertiser) Brother 347 11.19 A Method to Snooping on Our Clicks 348 11.20 What Do We Control (or Think We Do)? 349 11.20.1 Ads Based on Data from FB Partners 350 11.20.2 Ads Based on Activity on FB That is Seen Elsewhere 350 11.20.3 Ads That Include Your Social Actions 351 11.20.4 "Hiding" Advertisements 351 11.21 Even Our Notifications Can Produce Revenue 352 11.22 Extent of Data Sharing 353 11.23 Unlike Celebrities, We Endorse without Compensation 354 11.24 Whatever Happened to Trust 355 11.25 And to Security of How We Live 355 11.26 Who is Responsible for Security of Our Life Data? 356 11.27 And Then There Were More 359 11.28 Who is Responsible for Content? 359 11.29 Why Should Content Be Moderated? 360 11.30 There are Community Standards 361 11.31 Process for Content Moderation 369 11.31.1 Identifying and Determining Content Removal Requests 369 11.32 Prospective Content Moderation "Supreme Court" 370 11.33 Working with Governmental Regimes 370 11.34 "Live" Censorship 371 11.35 Disinformation and "Fake" News 372 11.35.1 "Disinformation" 372 11.35.2 False News Policy 374 11.35.3 Fixing the "Fake News" Problem 375 11.36 Conclusion 380 Notes 386 12 Facebook and GDPR 393 12.1 The Lead Supervisory Authority 393 12.2 Facebook nicht spricht Deutsch 393 12.3 Where is the Beef? Fulfilling the Information Obligation 394 12.4 Data Processing Purpose Limitation 395 12.5 Legitimate Interests Commercial "Restraint" Needed 396 12.6 Privacy by Design? 398 12.7 Public Endorsement of Personalized Shopping 398 12.8 Customizing Data Protection 399 12.9 User Rights versus Facebook's Obligations 400 12.10 A Digital Blueprint and a GDPR Loophole 401 12.11 Investigations Ahead 402 12.12 Future Projects 403 Notes 404 13 The Future of Data Privacy 407 13.1 Our Second Brain 407 13.2 Utopian or Dystopian? 409 13.3 Digital Empowerment: Leveling the Playing Field 410 Notes 412 Appendix: Compendium of Data Breaches 413 About the Authors 467 Index 469
「Nielsen BookData」 より