The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The regulation is specific to the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation applies to any organization doing business in the EU or that processes personal data originating in the EU, whether that data belongs to residents or to visitors.
GDPR profoundly changes how privacy, data protection and personal data are understood in the EU and has wide-ranging effects on anyone processing personal data of data subjects of the EU. A data subject is defined as a person whose personal data is being captured and processed. If your organization captures just one record of an EU data subject, this regulation applies to you.
GDPR also changes the way that these laws are enforced and brings potential penalties that are significant in nature. Penalties for failing to comply with the articles of GDPR may subject the organization to fines up to €20m or 4% of the organization’s total global revenue, whichever is greater.
You should make sure that decision-makers and key people in your organization are aware that regulations are changing. They need to appreciate the impact that these changes are likely to have on your organization. In addition, line-level and larger-scale training may be necessary for certain personnel within your organization who handle personal data on a regular basis.
You should document what personal data you hold, where it came from, what you do with it and whom you share it with. We use data flow diagrams and business process maps for each of these processes.
You should review your current privacy policies, procedures, contracts and notices and put a plan in place for making any necessary changes to meet the GDPR deadline.
4. Individuals’ Rights: Right to Be Forgotten, Transfer Data or Correct Data, etc.
You should check your procedures to ensure that they cover all the rights individuals have, including how to delete any outdated data (e.g., the right to be forgotten), transfer data upon request or correct any incorrect information.
You should update your procedures and plan how you will handle data extraction requests to meet the 30-day requirement. Data subjects have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the personal data. They also have the right to inquire about the nature of further processing and treatment of their data while it was in the controller’s possession.
Identify all the data subjects for which you process or store sensitive data and determine whether GDPR applies to their country. Document the supervisory authority for each member country and identify the data controller for each process. You need to also determine who the lead supervisory authority will be based on your overall activities.
You should review your current practices and contracts, identify the lawful basis for your processing activity under the GDPR, document it and update your privacy notice to explain it.
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consent processes now if they do not meet the GDPR standard.
You should ensure that an appropriate incident response plan is in place to detect, report and investigate personal data breaches. The plan must be documented and tested.
You should ensure that certain technical safeguards are in place to ensure that risk to personal data is effectively mitigated. Your plan should include techniques such as the pseudonymization and encryption of personal data. Effective controls that ensure not only ongoing security but also the confidentiality and availability of personal data must also be in place.
You should familiarize yourself now with the code of practice on Data Protection Impact Assessments as well as the latest guidance from the Article 29 Working Party, and decide how, when or whether you need to implement these in your organization.
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance model. You need to determine whether you are required to formally designate a Data Protection Officer. If so, this position must report to top management.
If your organization is not yet compliant with GDPR, visit our “Our Thoughts” blog to read more advice on how to become compliant.