The General Data Protection Regulation (GDPR), which took effect in May 2018, is largely a response to concern about how corporations gather, manage, share, and protect consumer data.
For years, the data space has been a kind of Wild West, with data collectors having a free hand in how they treat information gathered from consumers. The GDPR not only attempts to tame the Wild West, but also gives consumers more control over what's done with their data.
Although the GDPR applies only to data about EU citizens, the best practices it outlines have begun to be adopted by businesses outside the EU because customers know no borders online—and they can see the handwriting on the wall.
On January 1, the California Consumer Privacy Act went into effect, and it won't be long before other states, as well as the federal government, follow suit. So it's essential to be familiar with all aspects of the GDPR in anticipation of what's coming from regulators.
Need more motivation? Getting the GDPR wrong can be an expensive proposition. Maximum fines can be as high as 4% of net sales, or 20 million euros ($23 million), whichever is higher.
Here are 18 essential resources for IT, security, and governance pros to help them understand what the GDPR is all about and how to manage a GDPR compliance program in their organizations.
Understand the law
The GDPR runs to 261 pages. It's not the most scintillating reading, and it doesn't contain much in the way of helpful analysis of its provisions. Still, understanding it matters.
General Data Protection Regulation
The text of the GDPR can be found at Eur-Lex, a website that serves as a repository for EU laws, treaties, agreements, and case law. At the site a version of the GDPR is available in the languages of all the EU nations and in PDF and HTML formats. A searchable full copy of the regulation is also available on the GDPR page.
Guide to the General Data Protection Regulation
If you're looking for an authoritative and easier-to-read approach to the nuts and bolts of the GDPR, the UK Information Commissioner's Office has published a Guide to the General Data Protection Regulation. At 295 pages, it is longer than the law itself, but it's much more accessible.
It's nicely organized and written for folks in the trenches charged with the day-to-day protection of an organization's data.
European Data Protection Board
For data protectors who want to get deeper into the GDPR weeds, there's the website of the European Data Protection Board, formerly known as the Article 29 Working Party.
It contains the latest guidelines, recommendations, and best practices from the board, such as criteria for the "right to be forgotten," mandatory data protection by design and by default, and the territorial scope of the GDPR.
Get compliant
Are you GDPR-ready?
HubSpot, a provider of cloud-based marketing software, has put together a broad checklist of items that should be considered by organizations embarking on a GDPR journey.
It covers assessing data collection, storage, and protection; putting together a GDPR project plan; appraising security procedures and controls; and evaluating the documentation needed to comply with the regulation.
Data protection self-assessment
The UK Information Commissioner's Office has posted detailed checklists to allow organizations to determine if they're GDPR-compliant. There are lists for entities that are controllers and processors of data under the law, as well as for information security, direct marketing, records management, data sharing, subject access, and the use of closed-circuit TV.
General Data Protection Regulation: A compliance guide
This "green paper" by IT Governance, a UK-based provider of cyber risk and privacy management solutions, is good for getting an overview of the changes introduced by the GDPR and how they impact US companies. It also outlines the initial steps an organization should take to make sure it's compliant with the regulation.
GDPR compliance checklist for US companies
If an organization collects any data from citizens of EU nations, it will need to comply with the GDPR to protect that data. The EU makes it a little easier for US companies to determine if they're complying with the GDPR with this list tailored to US companies. It includes topics on information audits, customer notifications, vendor agreements, and compliance with cross-border transfer laws.
Webinars
Free GDPR videos
While many busy IT pros don't have a spare hour or two to sit and watch a webinar, the sessions can be helpful in understanding the intricacies of a subject such as the GDPR. IT Governance has put together a free series of webinars on a number of aspects of the GDPR.
They include addressing the challenges faced by data protection officers, demonstrating data protection by design and default, and conducting a data-flow mapping exercise, a key prerequisite for complying with the GDPR. There's even a session about aligning compliance between the GDPR and the CCPA.
EU free webinars
This is another source of free webinars on GDPR subjects. Staged by the EUGDPR Academy—one of the schools of Advisera, an online provider of web-based training and documentation—both ongoing and archived sessions are available at this site. Among the topics covered by these webinars are a how-to guide on data-breach notifications under the GDPR, how to handle suppliers and processors under the GDPR, and the impact of the GDPR on US companies.
Podcasts
GDPR Stand Up
This is a series of podcasts focused on compliance, by Rocio Baerza, CEO and founder of CyberSecurityBase, a consulting practice that helps rising tech companies get started with data security. Baerza begins the series talking about some GDPR basics, moves on to how she implemented the GDPR at her business, and ends with conversations about legal and other aspects of the regulation.
The GDPR Guy
Although The GDPR Guy, a.k.a. Carl Gottlieb, a data protection consultant, doesn't stick to a strict schedule—seven months elapsed between his latest podcast and his previous one—his archives contain a wealth of material on the GDPR. Topics include the role of the virtual data protection officer, an evaluation of the GDPR, and the right of erasure. His latest podcast branches from the GDPR to the CCPA, California's privacy statute, and what "do not sell my personal information" means under the law.
GDPR Weekly Show
Keith Budden, a GDPR compliance expert, hosts this weekly podcast about everything GDPR, privacy, and data security. Podcasts include occasional guests, as well as information on the latest GDPR data breaches. He also slips in news about the CCPA from time to time.
GDPR Now!
Episodes of this periodic podcast, sponsored by This Is DPO, a consultancy for data privacy officers based in the UK, are in the host/guest format and focus on topics of interest to DPOs, such as cybersecurity, privacy by design, and governance.
Books
GDPR—Fix it Fast: Apply GDPR to Your Company in 10 Simple Steps
In this book, Patrick O'Kane, a British attorney and data protection officer for a US Fortune 500 company, tries to stay away from legalese and instead presents a road map for compliance. The book contains templates, outlines, examples, and plain-English explanations to help organizations complete data inventories, start and finish data maps, set up a privacy impact assessment process, and learn how to plan for a data breach.
EU GDPR: A Pocket Guide, second edition
This short guide—it's 56 pages long—by the founder of IT Governance, Alan Calder, provides organizations with an overview of the changes they may need to make to comply with the GDPR. The second edition includes the latest guidance from the Article 29 Working Party, the UK Information Commissioner's Office, and information about related laws. The guide also includes an index of the GDPR, which can be used to find articles about any aspect of the regulation.
GDPR for Dummies
For almost 30 years, the publishers of the "For Dummies" books have been making complicated subjects accessible to laymen. So it's not surprising that they're taking a crack at something as complex as the GDPR.
Written by Suzanne Dibble—a business lawyer who has advised multinational corporations, private equity-backed enterprises, and companies with household names—the book covers topics including the consequences of noncompliance, the meaning of personal and special category data, how to implement a privacy policy, and how to report a data breach.
Are you a privacy pro who has come across a resource that has been especially helpful in your GDPR or CCPA work? If so, please share it by posting in the comments field below.
Keep learning
Understand the newest privacy laws with this Webcast: California’s own GDPR? It’s not alone.
Take a deep dive into the new privacy laws with TechBeacon's Guide to GDPR and CCPA.
Get up to speed on cloud security and privacy and selecting the right encryption and key management with TechBeacon's Guide.