Computing Reviews
The EU general data protection regulation (GDPR) : a practical guide
Voigt P., von dem Bussche A., Springer Publishing Company, Incorporated, New York, NY, 2017. 383 pp. Type: Book (978-3-319-57958-0)
Date Reviewed: Jul 18 2018

Perhaps as a result of the traumatic events of the early 20th century, the people of Europe now consider personal privacy a fundamental human right. As a consequence, the European Union (EU) passed the General Data Protection Regulation (GDPR) in 2016. The regulation aims to “harmonize the rules for [personal] data protection,” simplifying the processing and exchange of data across the EU. Not only is it a game changer for the protection of personal data within the EU, but the extraterritorial reach of the regulation will impact organizations across the globe that engage with individuals in the EU.

Organizations must now have a lawful basis for collecting and processing personal data, of which the individual's consent is one (the others are covered in chapter 4 of the book); they must spell out why the data is being collected and ensure that it is used only for those stated, lawful purposes. People have the right to access personal data collected about them as well as the right to have that data deleted--“the right to be forgotten.” The effect on internal business processes could be large and costly.

The authors start with an introduction to the regulation, describing its history and goals, explaining the significant concepts, and presenting a simple checklist of the main obligations imposed, cross-referenced to the relevant sections of the book. Chapter 2 explains the scope of application, who it applies to, and many concepts, with useful examples. Particular attention is paid to the meaning of “personal data.” Chapter 3 looks at the general obligations and accountability of an organization acting as data controller or processor, including the data protection officer it may have to appoint. The minimum technical and organizational measures that must be in place are discussed, including mandatory records and record retention. Important concepts such as the burden of proof for compliance are highlighted. Chapter 4 covers further basic requirements, including the legal justifications for processing personal data and the rules on transferring data across borders.

Chapter 5 deals with the rights of “data subjects”--GDPR’s term for the individuals the regulation protects. Issues covered include a person’s right to consent to personal data collection and to access, correct, move (data portability), or erase that data, together with the responsiveness required of those processing the data. Chapter 6 discusses the interaction required between organizations processing personal data and the supervisory authority--the EU member state authority responsible for monitoring compliance with the regulation. Identifying this authority (or authorities) may become complex and cumbersome, particularly for organizations without a physical presence in the EU. Chapter 7 covers the investigative powers of supervisory authorities, the general enforcement provisions, and the judicial remedies, sanctions, and fines that can be imposed for breaches. Chapter 8 looks at the opening clauses of GDPR, which allow EU member states to enact specific national legislation for local issues such as employee data protection and telecommunications privacy. Chapter 9 looks at GDPR’s application to recent technology advances such as big data, cloud computing, and the Internet of Things, and at how the deliberately abstract wording of the regulation’s provisions helps it remain effective in the face of technological change.

Chapter 10 provides a short guide for anyone working to bring an organization’s processes in line with regulation requirements. The final section is a large appendix of over 120 pages that lists the provisions of GDPR (each of the 99 articles) in a table, referring each to respective recitals (there are 173 recitals) at the beginning of the regulation document. This should prove very useful to anyone trying to navigate through the specifics of the regulation. The book also has a detailed table of contents and a simple index.

For many EU-based organizations, GDPR’s major requirements will likely already be in place by virtue of existing legislation and their need to address longstanding general expectations of EU citizens. These organizations should benefit from the regulation’s harmonized rules for processing personal data and moving data between EU member states. However, for organizations based outside of the EU that fall within the regulation’s scope, significant costs may come with compliance.

This is a good guide to a complex new regulation. Its main goal is to explain what the regulation requires and of whom it is required. The regulation’s concepts are well explained in simple terms, with loads of useful examples. Anyone working in the area of governance, risk management, and compliance (GRC) will find this book invaluable (and will probably be assured of a long and fruitful career).


Reviewer:  David B. Henderson Review #: CR146156 (1809-0499)
Categories: Governmental Issues (K.5.2); General (K.4.0)
