Privacy and Data Protection based on the GDPR. Leo Besemer
Topics of a DPIA report
10.2.1 Publishing the DPIA report
10.4 List of criteria for a mandatory DPIA
11 Personal data breaches and related procedures
11.1 The concept of data breach
11.1.1 Security considerations
11.2 How to monitor and prevent a personal data breach
11.3 What to do when a personal data breach occurs
11.4 Notification obligations in relation to personal data breaches
11.5 Types and categories of personal data breaches
PART V | The supervisory authorities
12 Data Protection Authority (DPA)
12.2 Competences, tasks and powers of a Supervisory Authority
12.2.1 To monitor and enforce the application of the Regulation
12.2.2 To advise and promote awareness
12.2.3 To administrate personal data breaches and other infringements
12.3 Roles and responsibilities related to personal data breaches
12.4 Powers of the supervisory authority in enforcing the GDPR
12.4.1 Investigative powers of the supervisory authority
12.4.2 Corrective powers of the supervisory authority
12.4.3 General conditions for imposing administrative fines
12.5 The consistency mechanism
12.5.1 Role of the European Data Protection Supervisor (EDPS)
12.5.2 Role of the European Data Protection Board (EDPB)
Appendix B European Data Protection Board (EDPB) Publications
Acknowledgements
While writing this book, people in my neighborhood asked me “isn’t it incredibly boring to write about privacy law?” Others told me about the misconceptions they had seen in the companies and organizations where they work: “People seem to think that everything is different now, or even that everything they need to do is now illegal.” You can hear the same message on the TV news: “Government organization X cannot function properly because of the limitations imposed by privacy law” and “Errors in the healthcare sector because patient data may no longer be exchanged, while this is urgently needed”.
For me it was a pleasure to write this book, and no, it is not boring. On the contrary, the more I studied the details to try and make it a clear and comprehensible story, the more interesting it became.
But this book is not an effort of one solitary person in a silent room, somewhere in the rural north of the Netherlands. That is how it started, a lot of text based on an earlier white paper and some blog articles I wrote for EXIN. After those first steps, however, it became a team effort.
My thanks go to Marianne Hubregtse and Rita Pilon of EXIN for the idea to write this book, to Ivo van Haren and Bart Verbrugge of Van Haren Publishing for good counsel and excellent critiques, to Fintan Swanton for kindly providing a perfect foreword, and to Steve Newton for correcting the many errors and imperfections in the English text I wrote. If you still find an infringement of English spelling or grammar, it is certainly mine.
How this book is organized
For many organizations processing personal data, the General Data Protection Regulation (GDPR) came as a shock. Not so much its publication in the spring of 2016, but rather the articles that appeared about it in professional journals and newspapers leading to protests and unrest. “The heavy requirements of the law would cause very expensive measures in companies and organizations”, was one of the concerns. In addition, the “173 recitals and 99 articles left too much room for interpretation, while companies which failed to comply would face draconian fines”.
This book is intended to explain where these requirements came from and to show that the GDPR is not incomprehensible, and that its principles are in fact remarkably easy to understand. However, the other points cannot be completely denied. The regulation forces companies to upgrade their data governance to a level where their data, in particular their personal data, is safe and the rights and freedoms of the data subjects involved are protected. And for those companies and other organizations that don’t even try to comply, the fines imposed should be effective, proportionate and dissuasive, to quote GDPR Recital (151).
Part I of the book covers the history of privacy and data protection, showing among other things that the “new” requirements of the GDPR were not that new at all. The material and geographical scope of the GDPR is explained, including how the GDPR interacts with, and is complemented by, other EU and national law. For example, when a type of processing falls outside the scope of the GDPR, this does not necessarily mean there is no harmonized framework of national law that covers it.