Blue Paper on Data Protection - a Data Breach Accountability Framework : How to reduce the risk of GDPR sanctions (Professional Publication) (Blue Paper)


  • Web store price: ¥2,665 (¥2,423 before tax)
  • Gold Rush Publishing (released 2020/10)
  • List price in foreign currency: US$ 12.90
  • This is a print-on-demand (OD/POD) edition. Cancellations cannot be accepted.
  • Binding: Paperback / Pages: 180 p.
  • Language: ENG
  • Product code: 9781908585141
  • DDC classification: 342.240858

Full Description

Blue Papers are a new notion in concept papers. This one provides the legal position of the General Data Protection Regulation (GDPR) on data security and data breaches. In particular, it presents a legally defensible compliance position for organisations in the form of a practical Accountability Framework for handling actual data breaches. It is best guidance for professionals, politicians, scholars, and all who wish to glean more insight into how to develop a robust data protection framework. What readers will find in this Blue Paper will empower them to assess their real situation and will aid them in conceptualising practical solutions.

Contents

FOREWORD
ACKNOWLEDGEMENTS
TABLE OF CONTENTS
LIST OF ACRONYMS
LIST OF FIGURES
EXECUTIVE SUMMARY
PART I: OVERVIEW OF THE BLUE PAPER; THE LEGAL POSITION ON DATA SECURITY AND BREACHES
1. INTRODUCTION
1.1 Key objectives, assumptions and value for data controllers
1.2 Scope of this Blue Paper
1.3 Structure of this Blue Paper
1.4 Methodology applied and resources used
2. THE LEGAL POSITION OF THE GDPR ON DATA SECURITY AND DATA BREACHES
2.1 Why data breaches occupy a unique position
2.2 The integrity and confidentiality principle (Article 5(1)(f))
2.3 The legal definition of security of processing (Article 32) and DPIAs (Article 35)
2.4 Safeguarding the rights of data subjects through PbD&D (Article 25)
2.5 The relevance of data breach notifications (Articles 33 and 34)
2.6 Cooperation and prior consultation with the DPSA (Articles 31 and 36)
2.7 The concept of "demonstrating" compliance with the Regulation
2.8 Demonstrating risk prevention and damage mitigation
3.9 Conclusions of the legal review
PART II: INSIGHTS FROM REGULATORS AND DATA PROTECTION PRACTITIONERS
3. THE EMPIRICAL DATA: ANALYSIS OF DATA BREACHES
3.1 Sanctions by national DPSAs
3.2 Sanctions for data breaches vs. other GDPR provisions that carry liability
3.3 The consistency of enforcement across the EEA
3.4 GDPR sanctions by DPSAs (Sanctions Directory)
3.5 Case studies: Lessons to be learned for after the data breach
3.5.1 Case One: Doorstep Dispensaree Ltd.
3.5.2 Case Two: Cathay Pacific Airways Ltd.
3.5.3 Case Three: WM Morrison Supermarkets plc
3.5.4 Case Four: British Airways
3.5.5 Case Five: Marriott International
4. HOW CAN ORGANISATIONS PROTECT THEMSELVES FROM DATA BREACH SANCTIONS?
4.1 Insights obtained by survey respondents who are professionals in the data protection field
4.1.1 Governance and policy
4.1.2 Processes and procedures
4.1.3 Technology
4.1.4 DPSA response to data breaches
4.2 Insights obtained from authors' participant observation of privacy events
4.2.1 Governance and policy
4.2.2 Processes and procedures
4.2.3 Technology
4.3 Implement appropriate technical and organisational security measures
4.4 Demonstrate compliance: Independent assurance and approved certifications
4.5 Synthesis for practitioners
PART III: A NEW COMPLIANCE MODEL: THE DATA BREACH ACCOUNTABILITY FRAMEWORK
5. CONCLUSIONS: HOW ORGANISATIONS CAN IMPROVE THEIR COMPLIANCE MATURITY
5.1 GDPR enforcement by national DPSAs and oversight at European level
5.2 Building a legally defensible compliance position: The Data Breach Accountability
BIBLIOGRAPHY
TOOLKITS - Resources for Professionals
Toolkit 1: Tables analysing the results of the data breach survey
Toolkit 2: Survey questionnaire
Toolkit 3: Tables and diagrams analysing the results of the GDPR enforcement and sanctions review
Toolkit 4: GDPR Sanctions Directory
Toolkit 5: Inventory of European Data Protection bodies
Toolkit 6: Inventory of EEA national Data Protection Supervisory Authorities (DPSAs)
