Data Protection and Compliance

Second edition

Contributions by Stewart Room, Michelle Maher, Niall O'Brien, Adam Panagiotopoulos, Shervin Nahid, Richard Hall, Tughan Thuraisingam, James Drury-Smith, Simon Davis, Mark Hendry, Jamie Taylor, Ben Johnson Edited by Stewart Room

Publication date: 25 Nov 2021

Large-scale data loss and data privacy compliance breaches continue to make headline news, highlighting the need for stringent data protection policies, especially when personal or commercially sensitive information is at stake. While regulations and legislation exist to address these issues, how organisations can best tailor their compliance approaches to their own operational circumstances has remained an open question. The focus of this book is on operationalising a truly risk-based approach to data protection and compliance, beyond just emphasis on regulatory frameworks and legalistic compliance.
Stewart Room is a barrister and solicitor, and is President of the National Association of Data Protection and Freedom of Information Officers (NADPO).

Dimensions: 244x170mm

Print ISBN-13: 9781780175249

Ebook ISBN-13: 9781780175263

416 pages

Imprint: BCS, The Chartered Institute for IT

Part I - The Big Picture

1. Introduction to data protection

2. Introduction to the GDPR

3. Introduction to ePrivacy

4. Introduction to operational data protection

Part II - Core Law

5. The principles of data protection

6. The rights of data subjects

Part III - Operating Internationally

7. National supervision within an international framework

8. Transferring data between the GDPR landmass and third countries

9. Data protection beyond the GDPR landmass

Part IV - Delivery

10. Mechanisms to support operational compliance

11. Programmatic approaches for delivering data protection by design and default

12. Being accountable for records of processing, legitimate interests and risk management

13. 'The journey to code'

Part V - Adverse Scrutiny

14. How to prepare for the risks of challenge and 'adverse scrutiny'

15. Complaints, rights requests, regulatory investigations and litigation

16. Regulatory action

17. Handling personal data breaches

The past few years has seen transformative changes in privacy, particularly in the UK, where GDPR and Brexit have created a host of new and potentially divergent data protection laws. In this book, Stewart and his team distill several decades of accumulated privacy, data protection and information governance experience and know-how into a guide that’s essential reading for data protection newcomers and experienced practitioners alike.


An ideal resource and must read for new and seasoned privacy practitioners, Data Protection and Compliance provides a comprehensive overview of UK privacy requirements together with a practical focus on hot topics and emerging issues to watch out for. Uniquely, the book helps the reader understand how the breadth of the legal, policy and practical requirements all fit together with a contextual summary and tables, untangling the deluge of privacy data.

Vivienne Artz OBE, NED, GLEIF, former CPO LSEG/Refinitiv/Thomson Reuters

Stewart Room and his team apply their extensive knowledge of data protection law and practice to provide an invaluable resource on data protection that rightly goes beyond interpreting and understanding the law, and unpacks what this means on the ground for compliance leaders and their advisors. Full of practical insights on governance, risk and compliance in the data protection domain, every DPO should have this on their desk!

Stephen Deadman, VP, DPO, Meta

In a rapidly expanding digitised global economy, this book is a must-read and a go-to resource for legal and privacy professionals and all others interested in this field. Seeing data processing as a power for good, it contains a wealth of legal knowledge and practical insights into the key issues within the world of data protection. Highly recommended.

Olivia Shirville CIPP/E CIPM, Lead Privacy Counsel (EMEA), Aon

One of the biggest challenges to data protection law is how to effectively operationalise compliance and manage risk effectively within an evolving business structure. This book shows appreciation for this challenge and provides clear methods and concepts to address it. Operational landscape of data protection is summed up concisely and the concept of ‘Technology Reference Architecture’ linked to Privacy by Design, is incredibly insightful and relevant for businesses. I recommend this book for all data privacy practitioners, including in-house lawyers.

Nargis Hassani, Solicitor

Data Protection and Compliance tackles a rapidly evolving and complex regulatory landscape, in an easy to understand and practical manner. With data driving the digital evolution for most organisations, the ability to comprehend and apply an appropriate compliance framework, with respect to people, processes and systems, is increasingly challenging. For those organisations putting data at the heart of their business strategy, this is a comprehensive resource, which pulls together a wealth of subject matter expertise, tried and tested practical compliance approaches and useful insights into the rationale behind the legislation. Highly recommended.

Janine McKelvey, BT General Counsel - Digital & Innovation, BT Group Data Protection and Ethics Officer

There are many misconceptions about what is and isn’t Data Protection, alongside the misinformation and scaremongering that arose in the early days of the GDPR. This book distils the considerable knowledge of its author and fellow contributors to deliver the key facts with clarity, supported with reference to landmark cases and regulatory texts. The chapter on Operational Data Protection is a timely reminder that Data Protection is people, paper (processes) and technology, and that all three are required to be effective.

David Francis CIPP/E CIPT CIPM, Group Data Protection Officer, Canopius

Stewart Room and his co-authors have certainly discovered the special sauce when seeking to create a book that will appeal to so many. Data Protection and Compliance, 2nd edition, is truly inimitable amongst a minefield of technical, legal, and business publications on data protection and privacy. Taking the reader on a journey through history to providing practical operational advice is not only educationally important but also invaluable to practitioners across the multidisciplinary spectrum, regardless of their sector or experience.

Jane Wainwright, Director, Office of the Data Protection Officer, Meta

The 4th industrial revolution is upon us. Data Protection and Compliance provides a timely and thorough orientation of the regulatory landscape but then importantly turns to the pragmatic steps that must be taken to operationalise data protection. While the explanations of the laws are comprehensive, the book embraces the notion of data protection as a foundation for accelerating innovation – seminal reading for all data practitioners.

Jason du Preez, CEO, Privitar

Data Protection and Compliance provides a clear and practical guide to the operationalisation of the GDPR. It outlines a structured and measured approach that doesn’t focus on compliance for compliance sake, but encourages doing the right thing for the benefit of both the processing organisation and the data subject. It will serve as a useful reference manual on the bookshelf of any data protection professional.

Lisa Townsend CIPP/E CIPP/US CIPM, DPO, Wella Company

An invaluable source of astute guidance and pragmatic advice from one of the leading practitioners in this area as he leads you through the world of data protection and compliance in a way that demystifies the complexities of the subject matter. This book justifies a spot on the bookshelves of anyone practicing the law of data protection or just seeking to understand this area and how it impacts your day-to-day life.

John Skelton, General Counsel (Shared Specialist Services) & Group DPO, Centrica plc

Data Protection and Compliance is the book you need to bridge the gap between current legal developments and the practical steps companies can take to implement a successful data protection programme. The book offers something for everyone, whether you’re starting out in data protection or an experienced practitioner looking to fine tune your data protection compliance programme.

Andrea Chard LLM LLB BA, Group Data Protection Officer, easyJet

This is your ‘one-stop shop’ resource for data protection guidance! This book effortlessly and coherently brings together the legislative and relevant case law on data protection into a well structured and easy to follow book. This is a must have for any data protection professional looking to operationalise and embed data protection compliance within an organisation through a risk-based approach.

Harrison Barrett CIPM CIPP/E, Deputy Data Protection Officer, Canopius

Cuts nicely through the “noise” of data protection regulation and developments, making this a uniquely comprehensive guide for any practitioner wanting to understand data protection practices better. The book provides detail where it needs to, and is succinct on more straightforward topics. The handy “tables” are a useful ready-reckoner that moves the fingertips to the nub of the topic in an instant, a winner for the busy privacy team!

Sonal Khimji FIP CIPM CIPP/E, Director and Founder, Omnigov Limited

This revised edition of a venerable classic is a welcome addition to the reference library of data protection professionals navigating the landscape of data protection in the UK, post-Brexit.

Daragh O Brien FICS IAPP FIP, Managing Director, Castlebridge

Data Protection and Compliance is an excellent resource for anyone working in a data protection role. It’s a rare text that balances theory, practical application and the social and political context in which the legal and regulatory framework is developing; key to designing and implementing an effective, risk-based approach to operationalising data protection. I’d highly recommend Data Protection and Compliance as a solid addition to anyone’s data protection bookshelf.

Naureen Hussain, Director of Data Estate, Virgin Media O2

An indispensable book for data protection practitioners. The text includes exceptional detail, historical context, and relatable, pragmatic insights for this vast and complicated field. The style is approachable and delivers accessible, common-sense tables and summaries that will be the go-to resource for those advising businesses. A particularly useful reference for in-house privacy professionals as we face the ‘regulatory bear market’ and the need to push privacy into the very fabric of our electronically mediated lives. Well done, Stewart and team! You have re-forged a much-needed tool for our increasingly complex world with this edition.

Eric Heath, Chief Privacy Officer and Deputy General Counsel, Ancestry

An excellent guide to data protection and compliance. Takes the reader through an easy to follow journey to achieve and maintain regulatory compliance. Naturally focuses on GDPR but keeps relevant to other international laws. Illustrates impact of Brexit, highlights issues of data sovereignty and discusses challenges with global data processing in an increasingly digital world. A great reference for ins and outs of data protection law and regulatory compliance, as well as for dealing with consequences of non-compliance and data breaches.

Ashish Bhatt, Information and Data Management Officer, Queen’s University Kingston, ON Canada

'Data Protection and Compliance: Second edition' is a must have companion for anyone involved in the data protection or compliance space. It begins with a useful introduction to data protection itself, the link into the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA), providing an easy-to-read breakdown of the many complexities and challenges that organisations face when collecting, processing, and managing personal data. The book is full of useful guidance, advice, and good practice that all organisations should follow and is thoroughly recommended.

Jim Fox CISM MBCS, Cyber & Information Security Risk Management Executive

A fascinating read, highly thought provoking and one that will be returned to as a phenomenal reference book.

Angela McLoughlin MBCS, Business Analyst, Director Angel Analysis Ltd.