Privacy in practice establish and operationalize a holistic data privacy program
Privacy is not just the right to be left alone, but also the right to autonomy, control, and access to your personal data. This book aims at helping privacy leaders, professionals and organizations in establishing a unified, integrated, privacy program, both on a personal and enterprise-wide level
Gespeichert in:
| 1. Verfasser: | |
|---|---|
| Format: | Buch |
| Sprache: | English |
| Veröffentlicht: |
Boca Raton
CRC Press, Taylor & Francis Group
2023
|
| Schriftenreihe: | Security, Audit and Leadership Series
|
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
Inhaltsangabe:
- Cover
- Half Title
- Series
- Title
- Copyright
- Contents
- Foreword 1
- Foreword 2
- Preface
- Acknowledgments
- Author
- Icons Used in This Book
- Part 1 Privacy Basics and Landscape
- Chapter 1 Privacy Concept and a Brief History
- 1.1 Narratives of Privacy and Data Protection
- 1.2 Personal Data and Sensitive Personal Data
- 1.2.1 Personal Data
- 1.2.2 Sensitive Personal Data
- 1.3 Timeline of Privacy Development
- 1.3.1 Pre-Contemporary
- 1.3.2 Privacy 1.0: From Concept to Declaration
- 1.3.3 Privacy 2.0: From Principles to Regulations
- 1.3.4 Privacy 3.0: From Obligations to Advantages
- Chapter 2 Legal Systems, World Models, and Landscape
- 2.1 Legal Systems
- 2.1.1 EU Legal System
- 2.1.2 US Legal System
- 2.1.3 China's Legal System
- 2.2 World Models for Data Protection
- 2.3 Data Protection Legislation Global Landscape
- 2.3.1 Worldwide Landscape
- 2.3.2 Privacy Laws in Main Jurisdictions
- 2.3.2.1 List of Data Privacy Laws in Main Jurisdictions
- 2.3.2.2 One-Pagers
- 2.3.3 Sector Specific Laws
- Chapter 3 GDPR, CCPA/CPRA, PIPL and PIPEDA
- 3.1 EU GDRP
- 3.1.1 Seven Principles
- 3.1.2 GDPR vs. Directive 95/46/EC
- 3.1.3 Legal Effect of GDPR Recitals
- 3.2 US CCPA/CPRA
- 3.2.1 Importance of CPRA
- 3.2.2 GDPR vs. CCPA vs. CPRA
- 3.3 China PIPL
- 3.4 Canada PIPEDA
- Chapter 4 Privacy Best Practices, Standards, and Certifications
- 4.1 Prevalent Privacy Frameworks
- 4.2 Privacy Frameworks, Regulations, and the Relationship
- 4.3 Certifications and Codes of Conduct
- 4.3.1 Benefits of Privacy Certifications CoCs
- 4.3.2 Key Roles in the Certification Scheme
- 4.3.3 Main Privacy Certifications and CoCs
- Part 2 Business Impact and a Holistic Framework
- Chapter 5 Data Protection Drivers and Challenges
- 5.1 Privacy Balanced Scorecard
- 5.2 Financial Impact and Criminal Charges
- 5.3 Internal Process Optimization
- 5.4 Customers Satisfaction
- 5.5 Learning and Growth
- 5.6 Main Challenges and Obstacles
- Chapter 6 Unified Data Protection Framework
- 6.1 Common Data Protection Principles
- 6.2 Unified Data Protection Framework
- 6.3 Data Protection Objectives and Controls
- Chapter 7 Privacy Program Assessment and Roadmap
- 7.1 Key Tenets
- 7.2 A Phased Approach
- 7.3 Maturity Assessment and Gap Initiatives
- 7.4 Privacy Program Roadmap
- Chapter 8 Privacy Program Management Metrics and Tools
- 8.1 Measurement and Improvement
- 8.1.1 Privacy Program Metrics
- 8.1.2 Privacy Audits and Assessments
- 8.1.3 Annual Report and Management Review
- 8.2 Privacy Program Management Tools
- Part 3 Privacy Governance
- Chapter 9 Data Protection Legal Mandate and Business Requirements
- 9.1 Identify Legal Obligations
- 9.1.1 Household Activities
- 9.1.2 An Establishment
- 9.1.3 Extra-Territorial Effect
- 9.2 Personal Data Processing Roles and Obligations
- 9.2.1 Relationship among Data Processing Roles
- 9.2.2 Determine the Data Processing Role
- 9.2.3 Obligations
- 9.3 Privacy in Alignment with Business
- Chapter 10 Governance Structure and Responsibilities
- 10.1 Data Protection Governance Structure
- 10.2 The Chief Privacy Officer
- 10.2.1 Key Responsibilities
- 10.2.2 The Position
- 10.3 The Independent Data Protection Officer (DPO)
- 10.3.1 Legal Requirements of Designating a DPO
- 10.3.2 DPO's Designation, Position and Tasks
- 10.3.3 Legal Risks of Being a DPO
- 10.4 Designating a Representative
- 10.5 Cross-Functional Responsibilities
- Chapter 11 Privacy Policies and Procedures
- 11.1 Privacy Documentation Structure
- 11.2 Privacy Mission Statement
- 11.3 Privacy Charter
- Chapter 12 Privacy Awareness, Training, and Engagement
- 12.1 Challenges and Key Considerations
- 12.2 Awareness Raising Approaches
- 12.3 Role-Based Awareness and Training Program
- Part 4 Privacy Operations
- Chapter 13 Privacy Impact Assessment (PIA)
- 13.1 What is a PIA
- 13.2 PIA vs. DPIA vs. PbD
- 13.3 Legal Obligations and Industry Guidelines
- 13.4 Core Components of a PIA Report
- 13.5 Trigger of a PIA
- 13.5.1 High-Risk Data Processing Scenarios
- 13.5.2 Privacy by Design
- 13.5.3 Privacy by Default
- 13.6 PIA Process
- Chapter 14 Record of Processing Activities
- 14.1 Visibility of Data Processing Activities
- 14.2 Data Inventory Core Components
- 14.3 Process-Driven Data Inventory
- Chapter 15 Privacy Notice
- 15.1 Privacy Notice Basics
- 15.2 Types of Privacy Notices
- 15.3 Fairness and Transparency
- 15.3.1 Fairness
- 15.3.2 Transparency
- 15.4 Core Components of a Privacy Notice
- 15.5 Key Considerations of Providing Privacy Notices
- Chapter 16 Lawful Basis
- 16.1 Common Lawful Basis
- 16.2 Performance of a Contract
- 16.3 Legal Obligation
- 16.4 Vital Interests
- 16.5 Public Interests
- 16.6 Legitimate Interests
- 16.7 Consent
- 16.7.1 Obtaining Consent
- 16.7.2 Conditions for Consent
- 16.7.3 Separate Consent
- 16.7.4 Records of Consent
- 16.7.5 Consent to Changes
- 16.7.6 Withdrawal of Consent
- Chapter 17 Data Collection
- 17.1 Lawfulness and Fairness
- 17.2 Purpose Limitation
- 17.3 Data Minimization
- Chapter 18 Data Usage and Maintenance
- 18.1 Data Use Purpose Limitation
- 18.2 Access Control
- 18.3 Accuracy and Integrity
- Chapter 19 Personal Data Sharing
- 19.1 Necessity of Personal Data Sharing
- 19.2 Data Processing Chains
- 19.3 End-to-End Vendor Management
- 19.3.1 Risk-Based Management
- 19.3.2 Pre-Contract
- 19.3.3 Signing of Contract
- 19.3.4 Execution of Contract
- 19.3.5 Termination of the Contract
- 19.4 Purchasing Personal Data from Data Brokers
- Chapter 20 Data Residency and Cross-Border Transfers
- 20.1 Residency Requirements and Transfer Restrictions
- 20.2 Different Perspectives of "Transfer"
- 20.3 EU/GDPR Cross-Border Transfer Framework
- 20.3.1 The Underline Logic
- 20.3.2 Summary of Acceptable Mechanisms
- 20.3.3 The New Standard Contractual Clauses (SCCs)
- 20.3.4 Binding Corporate Rules (BCRs)
- 20.4 EU-US Personal Data Transfers
- 20.4.1 Brief History and Current Status
- 20.4.2 Shrems II Ruling
- 20.4.3 Data Transfer Impact Assessments
- 20.5 APEC CPEA, CBPR, and PRP
- 20.5.1 The Design Logic
- 20.5.2 CBPR Rules and Operations
- 20.5.3 PRP Rules and Operations
- 20.5.4 List of Participating Jurisdictions and Certification Bodies
- 20.6 China Certification Specification
- 20.7 A Six-Step Approach
- Chapter 21 Data Retention and De-Identification
- 21.1 Data Retention Benefits and Challenges
- 21.2 Data Retention and Destruction Mandate
- 21.2.1 Data Retention
- 21.2.2 Data Destruction
- 21.3 Data Retention Key Considerations
- 21.4 Data Destruction and De-Identification
- 21.4.1 Data Destruction
- 21.4.2 Anonymization, Pseudonymization, and Aggregation
- 21.4.2.1 Anonymization
- 21.4.2.2 Pseudonymization
- 21.4.2.3 Aggregation
- Chapter 22 Security of Personal Data Processing
- 22.1 Obligations for Protecting Personal Data
- 22.2 Appropriate TOMs and Challenges
- 22.3 A Holistic Approach for Data Security
- Part 5 High-Risk Business Scenarios
- Chapter 23 PbD in Marketing Practices
- 23.1 Main Marketing Channels
- 23.2 Consumer Expectations and Privacy Implications
- 23.3 Legal Obligations and Enforcement Status
- 23.4 Marketing Technology and Initiatives
- 23.5 Privacy-Enabled Marketing Practices
- 23.6 Online Marketing and Cookies
- 23.6.1 Online Tracking
- 23.6.2 Cookies
- 23.6.2.1 Cookie Types
- 23.6.2.2 DPA Guidance
- 23.6.2.3 Proper Cookie Settings
- 23.6.3 Risk Mitigation Plan
- 23.7 Email Marketing
- 23.8 Telemarketing
- 23.8.1 EU ePrivacy
- 23.8.2 US Telemarketing Rules
- 23.8.2.1 US Federal Level Rules
- 23.8.2.1.1 Do Not Call Rules
- 23.8.2.1.2 Robocalls
- 23.8.2.1.3 Do Not Fax Rules
- 23.8.2.2 US State Level Rules
- 23.8.3 Canada Do Not Call Rules
- 23.8.4 Best Practices
- Chapter 24 Workforce Data Protection
- 24.1 Privacy Obligations in the Workplace
- 24.2 Typical HR Processes and Personal Data
- 24.2.1 Typical Legal Basis
- 24.2.2 Typical Processing Purposes
- 24.3 Background Screening
- 24.4 Workplace Monitoring
- 24.4.1 Types of Employee Monitoring
- 24.4.2 General Principles
- 24.4.3 Electronic Communications and Content
- 24.4.4 CCTV and Video Surveillance
- 24.4.4.1 CCTV Data Protection Practices
- 24.4.4.2 Privacy Implication for Facial Recognition
- 24.4.5 Social Media
- 24.4.6 Telephone
- 24.5 Processing Sensitive Personal Data
- 24.5.1 Lawful Basis for Sensitive Personal Data
- 24.5.2 Biometrics
- 24.6 Privileged Information, Legal Hold, and eDiscovery
- 24.6.1 Privileged Information
- 24.6.2 Legal Hold Process
- 24.6.3 eDiscovery Process
- 24.6.4 Legal Hold vs. Data Retention
- Chapter 25 Protection of Children's Data
- 25.1 Children's Age
- 25.2 Data Protection Practices
- Chapter 26 PbD for AI Solutions
- 26.1 AI Definition and Use Cases
- 26.2 Privacy and Security Implications for AI
- 26.3 Guiding Principles for Responsible AI
- 26.4 AI Privacy Protection Practices
- Part 6 Data Breach Handling and DPA Cooperation
- Chapter 27 Data Subject Rights, Inquiries, and Complaints
- 27.1 What is a Data Subject Right Request
- 27.2 Data Subject Rights Comparison
- 27.3 Core Data Subject Rights and Key Considerations
- 27.4 Legal Basis, Applicability and Exceptions
- 27.5 DSRs Handling Workflow
- 27.6 Inquiries and Complaints Handling