BOOK REVIEW: Data Protection Strategy: Implementing Data Protection Compliance

November 11, 2019

As the authors note in their introduction, the General Data Protection Regulation is over 100 pages long. The Data Protection Act 2018 is 340 pages long. This book is accordingly a hefty one. However, we have no regrets about agreeing to review it, given how useful it is for those who have to advise on the UK and Europe’s data protection regime. The Third Edition of this text is the first edition in the age of the GDPR: the Second Edition was published a little over seven years ago, so it could offer only limited guidance on the major legislative changes that were to come.

The book is divided into three parts. Broadly, the first part deals with what the law is and to whom and to which activities it applies. The second part deals with conducting a data audit: that is, the process by which an organisation figures out whether it is engaging in any of the activities covered by the law and whether it is complying with it. Naturally, this part addresses the new principles of transparency and accountability introduced by the GDPR. The third part deals with how organisations can ensure that they are set up to comply with GDPR now and in future.

Throughout, the authors cover their topic thoroughly, highlighting which areas are clear, which are grey and which issues are most likely to arise in particular circumstances. Most attractively, the authors have done the hard work of pulling together the multitude of “authorities” on each part of the regime – from legislative provisions, to case law (including useful summaries of their material facts), to guidance from the Information Commissioner (ICO) and European Data Protection Board (EDPB). This renders the book a true “one-stop-shop” for data protection law in the UK. The authors have also been generous in their inclusion of precedent documents (for example, pro-forma wording for correspondence with individuals seeking access to their data) and other tools of the trade (such as a complete list of exemptions under GDPR).

That said, this is not a book for those interested in debating the policy underpinning data protection (although a brief exposition is contained in an appendix) or in a comparative study of data protection regulation around the globe. As you would expect from a collaboration between an experienced IT consultant and the co-head of Bird & Bird’s International Privacy and Data Protection Group, the book is far too functional for that. A researcher might trawl through as a starting point but it is organisations and their advisors who will derive the real benefit from this text.

Finally, credit is due to the authors for avoiding the well-worn path of glossing over the likely impact of Brexit on their subject matter. The book contains well-thought-through explanations of what the various arrangements for the UK’s departure from the EU would mean for the UK’s data protection regime. In doing so, it cuts through the typical Brexit hype (or malaise) to highlight the key aspects of that regime which stand to be affected, and how that depends on which type of Brexit eventuates.

About the book

Dan Tench is a Partner, and Leah Grolman is an Associate, at CMS Cameron McKenna Nabarro Olswang LLP. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official views and opinions of CMS.