What Security People Need to Know About GDPR

联软科技
14 November 2022

You may have heard of a new law called GDPR, or the General Data Protection Regulation. This law was developed by the European Union and took effect on 25 May 2018. It applies to any organization that handles the personal information of any resident of the European Union (EU), regardless of where in the world that organization is located. GDPR requires organizations to maintain the privacy and security of any EU resident's personal information. To ensure compliance with GDPR, some key principles need to be understood and implemented.

People have a right to privacy. Organizations need to respect that privacy by restricting what personal data they collect and process and by safeguarding that data. Privacy obligations apply to any information that, either by itself or combined with other pieces of information, could identify an individual living in the European Union. This information could be items such as addresses, passport numbers, driver's license numbers, financial details, biometrics, union memberships, medical history, location data, or information relating to a person's sexual, religious, or political orientation. The regulation applies to a 'natural person,' meaning a living individual. Here are some of the main tenets of GDPR that should be followed:

  • Personal data shall be processed lawfully, fairly, and in a transparent manner.

  • People need to be told what information is being collected and for what purpose.

  • Personal data shall be collected for specified, explicit, and legitimate purposes. It shall not be used for any other reason that conflicts with those purposes.

  • Personal data shall be kept and processed only for as long as it is needed, and no longer.

  • Personal data must be kept up to date and accurate.

  • People have the right to receive a copy of their data, or to demand that their personal data no longer be used. In some cases, they can have it deleted entirely.

  • Organizations must take appropriate security measures to protect personal data against accidental or unlawful destruction, loss, alteration, or disclosure.

  • In addition, organizations need to ensure that all staff who handle personal data are properly trained in how to protect it.

The protection measures in place to secure personal data must provide a level of protection appropriate to the sensitivity of the data. As the risk associated with the data grows, so should the effort and expense of the measures used to protect it. These measures should be regularly reviewed and updated as appropriate. Well-documented records of privacy and security decisions and measures help to show compliance with the requirements.


In addition, organizations are legally bound to employ measures, such as contracts and due diligence reviews, to protect personal data when transferring it to external third parties or to parties outside the European Union. Finally, in the case of a personal data breach, organizations shall report the breach within 72 hours after becoming aware of it. Failure to comply with GDPR can result in fines of up to 4% of an organization's global revenue, making GDPR one of the most financially costly regulations in the world.
