Anyone interested in finding documentation about GDPR can read thousands of web resources, including best practices, buyer’s guides, solution handbooks and implementation kits. All of these are very useful, but many times we need more considered recommendations related to the General Data Protection Regulation. And the best way to find a bit of professional advice is to read a book. Although we are now living in a fully digital era, many of us still need the classical page-by-page reading of books, whether in print or online.

In my documentation process for the specific content of GDPR, I had to review some interesting books. Although many of us are on vacation, I think that this year-end period, in which GDPR was a hot topic for all, is the best time to sit quietly and browse an interesting book.

It is important to note that this is not a “Top 10” ranking. It is just a personal selection: a recommended list of books selected by the GDPR Ready Initiative using various criteria such as subject popularity, review notes, relevance, and EU coverage. Image credits go to various online bookshops.

EU GDPR, A Pocket Guide, Second Edition

Authors: Alan Calder
Publishers: IT Governance Publishing, 76 pages, October 2018
Language: English

Now in its second edition, this bestselling book provides a clear understanding of the EU GDPR (General Data Protection Regulation). It has been updated to include guidance on related laws, including the NIS Directive and the forthcoming ePrivacy Regulation.

This essential pocket guide explains:

  • The terms and definitions used within the GDPR in simple terms;
  • The key requirements; and
  • How to comply with the Regulation.

Alan Calder is an acknowledged authority on international cybersecurity and IT governance. He is the founder and executive chairman of IT Governance Ltd. Alan has published a wide range of books on IT governance and information security. These include the market-leading IT Governance: An International Guide to Data Security and ISO27001/ISO27002 (co-written with Steve Watkins), and bestselling guides to complying with regulations such as the GDPR and international standards such as ISO 27001. Alan has also developed training courses and consulted for clients in the UK and abroad. He regularly acts as a media commentator and speaker.


A Practical Guide to the General Data Protection Regulation (GDPR)

Authors: Keith Markham
Publishers: Law Brief Publishing, 168 pages, January 2018
Language: English

With everyone talking about the GDPR, this book is intended to offer a guide through the maze of different requirements and also to separate fact from myth. Beginning with a succinct summary of the key changes being introduced by the GDPR, emphasis then shifts to what needs to be done practically by way of response. Written in an accessible style and containing lots of useful resources, it is suitable for lawyers and non-lawyers alike who are seeking to better understand this topic and to comply with their obligations in a common-sense and risk-focused manner.

Keith Markham qualified as a Solicitor in 2001 and now works as a freelance training consultant. Drawing on his considerable experience, Keith has designed and delivered a wide variety of training for BPP Professional Education and other providers, as well as for his own clients in the commercial law field. In particular, he teaches topics relating to data protection and commercial contracts to lawyers and non-lawyers alike. He is also currently involved in a number of GDPR compliance projects.

GDPR: Guiding Your Business To Compliance: A practical guide to meeting GDPR regulations

Authors: Mark Foulsham, Brian Hitchen
Publishers: Independently published, 293 pages, second edition February 2018
Language: English

Many companies are still struggling to approach the requirements in a practical and timely way. Written by two industry experts, this book allows you to navigate the regulations from a real-world business perspective. Whether you are an Information Security expert or a business manager, this book outlines some of the most straightforward and common-sense approaches, from starting the project all the way through to the end.

The authors have over 100 years’ collective international experience in security, compliance and business disciplines and know what it takes to keep companies secure and in-line with regulators’ demands.


The Essential Business Guide to GDPR: A business owner’s perspective to understanding & implementing GDPR

Authors: Alistair J Dickinson
Publishers: Independently published, 372 pages, March 2018
Language: English

A business owner’s perspective on understanding the need for GDPR, with shared knowledge of what you will have to complete. After spending many months trying to define the GDPR project response for MyCRM, it became apparent that a single resource that could help our team plan and implement using a defined set of templates was somewhat lacking. This book is for all business owners and DPOs and gives an overview of all the steps involved when implementing your response and journey to compliance with GDPR. The book also comes with a number of templates available from an online website dedicated to MyCRM publications; updates, papers and further general information will be provided as GDPR becomes law in May 2018.

GDPR – Fix it Fast: Apply GDPR to Your Company in 10 Simple Steps

Authors: Patrick O’Kane
Publishers: Brentham House Publishing Company Ltd, 136 pages, December 2017
Language: English

Have you been assigned responsibility for GDPR compliance but don’t know where to start? Have you been reading articles and books that go into lengthy detail about legal issues but have no practical advice? Do you want someone to explain exactly how your company should comply with GDPR so you can sleep at night? If so, then this book is for you. Fix it Fast will help you to implement the key requirements of GDPR. It contains templates, outlines, examples and plain-English explanations to help you to:

  • Complete your data inventory so you know where all your data is
  • Start and finish your data map
  • Draft and institute a Privacy Impact Assessment process
  • Plan how you’ll deal with a Data Breach
  • Implement Data Privacy Policies and Privacy Notifications
  • And much more

This book’s 10 Simple Steps will take you from beginning to end of your GDPR readiness and implementation project. This isn’t a legal book – it’s a practical, no-nonsense guide to getting the job done fast.


Data Sovereignty and Enterprise Data Management: Extending Beyond the European Union General Data Protection Regulation

Authors: Sunil Soares, Mark Gallman, Pamela Basil
Publishers: Information Asset, 158 pages, April 2017
Language: English

As with all enacted regulations, compliance requires a sound data governance program with effective enterprise data management. Data governance is the formulation of policy to optimize, secure, and leverage information as an enterprise asset by aligning the objectives of multiple functions. Enterprise data management refers to an organization’s ability to precisely define, easily integrate, and effectively retrieve data for both internal applications and external communication. This book, geared toward business users, outlines 16 core steps to operationalize a data governance program geared to data sovereignty compliance. Successful data sovereignty requires collaboration across the organization, including among those responsible for legal, risk, compliance, information technology, and enterprise data management. The amalgamation of skills and technology within the organization will support the operationalization. As organizations extend the reach of their operations and customer base and look to leverage the cloud for computing, data distribution, and application hosting, they must understand the ramifications their business and IT decisions could have with respect to data sovereignty laws. With the concepts outlined in this book, organizations will be equipped to move forward to address the challenges of data sovereignty.

The Data Protection Officer: Profession, Rules, and Role

Authors: Paul Lambert
Publishers: Auerbach Publications, 367 pages, December 2016
Language: English

The EU’s General Data Protection Regulation created the position of corporate Data Protection Officer (DPO), who is empowered to ensure the organization is compliant with all aspects of the new data protection regime. Organizations must now appoint and designate a DPO. The specific definitions and building blocks of the data protection regime are enhanced by the new General Data Protection Regulation and therefore the DPO will be very active in passing the message and requirements of the new data protection regime throughout the organization. This book explains the roles and responsibilities of the DPO, as well as highlights the potential cost of getting data protection wrong.

Paul Lambert, PhD, lawyer, consultant and adjunct lecturer, is the author of various books on data protection, the internet, social media and courtroom broadcasting, including The Laws of the Internet (4th edition), International Handbook of Social Media Laws, A User’s Guide to Data Protection and Television Courtroom Broadcasting Effects, and has published many articles in various professional, trade and academic journals, including the European Intellectual Property Review. He speaks regularly at conferences and events across Europe and Asia on data protection, the Internet, intellectual property, information technology, and courtroom broadcasting.


Le Délégué à la protection des données (DPO): Clé de voûte de la conformité (English: The Data Protection Officer, DPO: Keystone of Compliance)

Authors: Aline Alfer, Amandine Kashani-Poor, Garance Mathias
Publishers: Revue Banque, 120 pages, October 2017
Language: French

The objective of this book is to present and clarify, in an operational way, the positioning, the profile and the missions of the DPO based on a reading of the GDPR, the recommendations of the National Commission for Informatics and Liberties (CNIL) and the Article 29 Working Party (G29), and the expertise of the authors. Which responsibilities? Which means? What guarantees of independence? What ecosystem? This Essential offers practical recommendations allowing the interested parties to take ownership of the role of the DPO, whatever the size of the company – from a FinTech to a big banking group – and highlights the potential asset that the regulatory environment can represent in the performance of the DPO’s missions. The authors propose, based on their own experience in implementing compliance strategies, practical tools for the DPO in an Anglo-Saxon perspective of accountability. The book aims to support the new DPOs and the CILs in their necessary transition to a renewed function, but also, more broadly, all the players involved in the ecosystem of personal data processing.

Garance Mathias is a lawyer at the Paris Bar, founder of Mathias Avocats and an expert at the Council of Europe. Her practice is dedicated to business law and the legal issues raised by innovative technologies.
Amandine Kashani-Poor is the IT and Freedoms Correspondent (CIL) of the French Development Agency. She has developed expertise in personal data protection law in the non-profit, retail and insurance sectors.
A. Alter is an attorney at the Paris Bar with Mathias Avocats. She works in both consulting and litigation, mainly in personal data protection law.

Guide Juridique du RGPD – La réglementation sur la protection des données personnelles (English: GDPR Legal Guide – The regulation on the protection of personal data)

Authors: Gérard HAAS
Publishers: Editions ENI, Collection Datapro, 204 pages, April 2018
Language: French

The purpose of this guide is to help companies make the new law an opportunity, not a constraint, for innovation, competitiveness and trust. After describing the context of the adoption of the new Data Protection Act and the GDPR and explaining the concept of accountability, the book focuses on identifying the processing of personal data (Chapter 1), then on determining how the controller should ensure the lawfulness of processing (Chapter 2), what tools it has for its “compliance” (Chapter 3) and how to secure processing (Chapter 4). The chapters of the book: Foreword – Introduction – Identifying processing – Ensuring the lawfulness of processing – The tools of compliance – Securing processing.

Founder of the firm HAAS-Avocats, Gérard HAAS is a doctor of law, a lawyer at the Court of Appeal of Paris, a specialist in intellectual property, communication and information law, and an INPI expert. As a speaker, he lectures at ESCP-Europe and HEC Executive Education.


Datenschutz-Compliance nach der DS-GVO: Handlungshilfe für Verantwortliche inklusive Prüffragen für Aufsichtsbehörden (English: Data protection compliance under the DS-GVO: Guidance for controllers, including audit questions for supervisory authorities)

Authors: Thomas Kranig, Andreas Sachs, and Markus Gierschmann
Publishers: Bundesanzeiger, 230 pages, March 2017
Language: German

The book includes an introduction to the DS-GVO and explains the essential requirements for controllers. Special attention is paid to fulfilling the accountability obligation and documenting that fulfilment, as well as to regularly reviewing effectiveness. It answers general questions about data processing, ensuring data subject rights and handling data breaches, and provides assistance for the recurring daily cycle of planning, operation, evaluation and improvement. A comprehensive questionnaire catalogue gives clues as to how a supervisory authority checks the data protection compliance of controllers and processors, and what expectations it has of the answers.

Thomas Kranig, lawyer, President of the Bavarian State Office for Data Protection Supervision (BayLDA),
Andreas Sachs, Dipl.-Informatiker, Head of the technical department at the Bavarian State Office for Data Protection Supervision (BayLDA) and
Markus Gierschmann, Dipl.-Wirtschaftsingenieur, Finance Economist (ebs), CIPP / E, CIPM, Data Protection Officer (udis, TÜV), Data Protection Auditor (TÜV), Management Consultant




Six months have passed since the entry into force of the new EU Regulation 679, and about a year since alignment with the GDPR became an extremely active topic. The end of May was a turbulent period, culminating in the avalanche of e-mail statements and consent requests. After that, the agitation gradually calmed down. This could be GOOD if we assume that people have understood what it is about and have started alignment. But reality shows us that this assumption is NOT TRUE. Reality is different, and this is NOT GOOD.

Everything starts with managers

The start of alignment projects is organically linked to a managerial decision. Nothing can be done if management is not convinced of the importance of the subject. But understanding the importance is not everything. Management must lead the start of activities, set up a team, delegate a responsible person, and especially plan resources. This means getting involved.

Any business analysis or audit, which is the first step in conducting a compliance assurance project, is a function of the level of managerial engagement. Are the managers directly involved, do they participate in discussions, or do they delegate a trusted person to handle everything?

What situations are actually encountered? All the implementation steps undertaken so far have in most cases been the result of external pressure, and only rarely the result of a real management conviction. Unfortunately, there are still many managers who consider GDPR:

  • a stupidity,
  • a simple bureaucratic exercise,
  • a threat with huge penalties that will never endanger our organization,
  • a lot of money thrown away,
  • an extra headache that can still wait,
  • a great bluff, since no one has been fined so far,
  • something none of our buddies or partners did anything about, and nothing happened to them,
  • something those who hired a consulting firm paid for in vain, because they had to do it all alone anyway…
  • something totally useless: “I only work with business data. These are public data, not personal.”

And the list could go on and on…

What needs to be done

It’s never too late to start. You can begin alignment exercises at any time. Here are some tips for managers:

  1. GDPR MEANS ALL – It’s not a stupid thing. Any organization, association, or licensed natural person that carries out an activity in which it acquires personal data of its clients, partners or employees NEEDS to be compliant with GDPR.
  2. THE SIZE DOESN’T MATTER – Whether we have a company with 10, 50 or more than 250 employees, whether we are a micro-enterprise, an NGO or a professional association, whether we manage an association of tenants or are an independent consultant, dentist or specialist blogger, WE NEED GDPR. Of course, not all of us need all procedures and policies. But there is a core of activities and measures that are mandatory for any kind of organization. We cannot avoid this. WE HAVE TO BE PREPARED.
  3. GDPR MEANS ACCOUNTABILITY – We are responsible for our personal data. For our employees. For our customers. For our partners. We do not do that expecting the inspections of the Authority, nor as a mere bureaucratic formality. We do it for our sake and the community in which we live and work. WE ARE RESPONSIBLE FOR OUR RESPONSIBILITY.
  4. GDPR IS MORE THAN A SIMPLE PROJECT – More than an IT solution implementation. More than a bureaucratic review of documents from a different bureaucratic perspective. It is an assumed, documented and permanent action that involves decision-making, policy making, the adoption of procedures, but especially a team action in which we have a triple involvement: PEOPLE, TECHNOLOGY, PROCESSES.
  5. GDPR IS A PERMANENT REQUIREMENT – It’s not just a one-off push, a punctual activity, or an implementation of procedures after which someone gives you a certificate. It is a permanent exercise, a mandatory business requirement for the entire business lifecycle. In order to maintain an optimal level of compliance, we need to act continuously and remain within certain parameters.
  6. GDPR IS AN EFFICIENT INVESTMENT – No money is wasted. No one forces us to make all purchases at once. A risk analysis can help create plans to rectify the possible sources of incidents related to personal data loss. We focus on what’s more important now and we make an effort. A budget allocated for the next financial year will help keep the balance. There are many possibilities for reallocating budgets once we become aware that WE MUST HAVE THAT.
  7. TRAIN YOUR PEOPLE – Learning is nothing to be ashamed of. It’s a permanent need. If you don’t understand exactly what this is about and don’t have time to bother your head, participate in a one-day or two-day GDPR training session. There are already dozens of courses that offer this. You can do it online from your desk or your home armchair. You will see what it is about. You will understand why it is important. YOU WILL GRASP THE RESPONSIBILITIES.
  8. PREPARE A DATA PROTECTION OFFICER – Even if the law does not oblige you to hire or appoint a DPO, many aspects of GDPR adoption require the skills of a person who has undergone DPO training. Do not wait for the certification issue to be resolved. There is no time to wait. You do not need diplomas, but (at least) someone who knows where to start, with whom to start and what to do.
  9. WE NEED A GDPR CULTURE – This is respect for data. Permanent training of employees. Testing the effectiveness and efficiency of existing procedures. Adaptation to change. GDPR will undergo changes over time. Verify compliance with related regulations such as ePrivacy or NIS. GDPR compliance becomes permanent, just like internal regulations, fire protection, or escape measures in case of natural disasters. Protect your data! Put a post-it on the door next to the ones that say: “Turn off the light!”, “Check the gas!” or “Activate the alarm!”
  10. GDPR IS AN OPPORTUNITY, NOT A CALAMITY – Look at alignment efforts as an investment in efficiency. As a first step in the digital transformation of the organization. As a trusted label to your employees, customers, and partners.

It depends only on us. It is our responsibility as managers. GDPR compliance cannot be ensured without our involvement and that of the entire organization. It depends on us how we apply the procedures recommended by a consultant. It depends on us how we assimilate policies and how we make sure people respect them. The health and efficiency of our business depend on us. It depends on us how we turn compliance into a competitive advantage.