Breaking down GDPR compliance 和 how it protects EU citizens' data.
After years of patchwork privacy 和 data h和ling rules causing headaches across the various nations of the European Union, the EU passed the General Data Protection Regulation (GDPR compliance) in 2016 to make things easier across all member states. The GDPR aims to protect the data of all EU residents 和 make it easier for organizations to underst和 和 comply with data protection rules. Though the GDPR was officially adopted in 2016, 其正式实施日期为5月25日, 2018, giving member states about two years to ramp up their preparations to comply.
Even if your organization does not have a location in the EU, if you h和le the personal data of any EU citizen, you will need to comply with the General Data Protection Regulations or risk being hit with hefty fines—up to 4% of your company's annual revenue or up to €20 million, 取较高者.
隐私设计: The aim of the GDPR is to protect the Personal Data of EU citizens, 包括他们的名字等数据, 电子邮件地址, 财务或医疗细节, 甚至他们的IP地址. 像这样, a key component of the GDPR is building in privacy from the start in all systems—called Privacy By Design—provided by default for all end users.
数据保管工作: In addition, better data custodianship rules are also part of the General Data Protection Regulation. The regulations dictate that organizations should only keep the data they absolutely need for only as long as they need it. Once that data is no longer needed, the data should be destroyed or anonymized.
删除权: Building off the “right to be forgotten” concept introduced in a 2006 lawsuit against Google, GDPR包括删除权. This means that users can request for their Personal Data to be deleted from an organization for any number of reasons, including suspected non-compliance with the GDPR. 另外, 明确的同意, 哪一个必须无偿给予, is required for the processing of Personal Data, 和 organizations must provide users with the same ease of consent withdrawal should the user wish to do so.
违约通知要求: Along with the requirements around keeping users’ data safe, the GDPR also includes m和atory 和 stringent data breach notification rules. In the event of a data breach of Personal Data, the breach must be reported to the Supervisory Authority of the EU member states affected within 72 hours of the breach’s discovery. Depending on the severity of the data breach, the organization may also need to notify the affected users as well.
1. Underst和 your network 和 the scope of the data you have
Make sure you have a grasp on your ecosystem 和 the scope of the data your organization holds: who has access to it, 这是什么样的数据? 一旦你对范围有了概念, you can start to implement access limits 和 monitoring to make sure there’s no unauthorized access.
2. Assess the strength of controls 和 programs
You’ll want to test 和 assess the efficacy of any 关键安全控制 和 programs currently in place—not just technology, but people 和 processes, too. 一定要扫描 漏洞 和 weak points regularly 和 address any gaps.
3. Formalize 和 practice notification processes
没有人希望发生数据泄露, but it’s best to be prepared for the worst-case scenario well ahead of time. Put in place a formalized data breach notification process 和 take it for a few trials runs, 确保它包括 威胁检测和响应 功能.
The General Data Protection Regulation will be formally implemented on May 28, 2018, 和 impacted organizations should begin moving toward compliance as soon as possible. Not only will it make them compliant in the eyes of the law, but it’s never a bad idea to continuously be evolving your security stack, especially where personal data is concerned. Learn more about complying with the General Data Protection regulation.