The GDPR data-protection rules are about to take effect. Are you ready?
Earlier this week, Facebook announced it is rolling out a new privacy center to help the company comply with Europe’s GDPR regulation that comes into effect in just four months. The company’s announcement comes just ahead of next week’s Data Privacy Day, and is a reminder of how slow U.S. companies have been in preparing for the May 25 compliance deadline.

Many companies have taken little note of GDPR, believing it only affects companies in the European Union — or perhaps waiting for big fish like Facebook or Google to make a move first before investing in big audits of their own data. To be clear: If you’re part of a U.S. company that handles personal information of EU citizens, the GDPR applies to you. Failing to comply will result in significant penalties of up to €20 million or four percent of a company’s global revenue, whichever is greater.

GDPR is a team effort, and everyone within an organization has a responsibility to protect data and understand the main points of the GDPR. So, whether you’re a board member, C-suite executive, or part of the legal, IT, or security teams at your company, here’s what you need to know. The clock is ticking.

The players: Roles and departments

While GDPR is a team effort, effective GDPR compliance requires well-defined roles and division of responsibilities, as well as strong interdepartmental partnerships. There are three key players in GDPR compliance that every organization should be aware of:

The Controller: This person or office determines the purpose, conditions, and means of processing data, but they don’t actually do the processing. This person or office is also responsible for ensuring that outside contractors comply with regulations and reporting data breaches to the appropriate authorities.

The Processor: This person or office processes the information on behalf of the controller. A processor could be a third party or an employee within the organization. The processor should follow the contract as set by the controller and adhere to confidentiality. Additionally, the processor protects data with technical and organizational controls, and provides documentation to prove compliance.

The Data Protection Officer (DPO): The data protection officer oversees compliance and communicates with data protection authorities. The DPO reports to the highest management and generally has experience with risk management. Note: the DPO cannot be involved in data processing, as this would create a conflict of interest. This office is bound by confidentiality.

Because the GDPR extends beyond cyber security, there are three core business areas — in addition to the aforementioned roles — whose integrated efforts are necessary to achieve compliance:

Legal: A majority of the GDPR heavy lifting from a legal standpoint involves defining what’s in the scope of the regulation, where a company has vulnerabilities, and whether data is being used properly. Legal also must make sure everything is in order from a contracts standpoint, such as ensuring third-party relationships have the appropriate model contract clauses in place to enable compliance.

IT: The IT team is tasked with the biggest burden related to GDPR: It must ensure IT systems, services, and technologies protect customer data and comply with outlined regulations.

Security: Given the hefty financial penalties associated with GDPR, cyber security programs must mitigate breach risk as much as possible. This is best achieved by concentrating efforts on the six cyber security pillars outlined below.

The game plan: A data-centric security program

Countries and organizations may define personal information in different ways, but the GDPR defines it as data that can be used to identify a person, such as a name, an email address, bank account information, social media posts, health information, and more. Because the GDPR is laser-focused on the collection, processing, and movement of this personal information, one of the best ways to achieve compliance is to take a data-centric view of your information security program and evaluate it against the following six pillars.

Data governance: Understand and meet your organization’s GDPR obligations. Knowing what data is regulated and why this data is used to support business functions is essential before any other activity can be taken toward classifying it, administering access, or defining specific protections.

Data classification: Analyze and classify relevant data for ongoing management. The data classification process entails locating data and assigning it a certain category (e.g., highly restricted, restricted, internal use, public), so your business can enable the right level of protections based on the associated business and regulatory risks.

Data discovery: Locate sensitive data within the organization and set up structures for ongoing management. Organizations must be able to clearly articulate where their regulated data is — regardless of whether it’s in the cloud or on-premises, internal or third-party, structured or unstructured — and how it’s used.

Data access: Determine who has and should have access to data and manage permissions accordingly. Knowing this vital information helps organizations defend the business need for the data and ensure data isn’t used outside of its intended purpose.

Data handling: Implement safeguards for information and prepare for a potential data breach incident. Organizations must understand the risks associated with data at rest, as well as data that moves throughout the company, between companies and between applications, and implement appropriate protection measures. Perhaps most importantly, proper data handling lets you determine when an incident becomes a breach, which is essential, as GDPR requires notification within 72 hours of a company becoming aware of a data breach.

Data protection: Protect sensitive information with an appropriate security program. The GDPR requires that organizations take technical and organizational measures to ensure a level of security appropriate to the risk, but it doesn’t outline how to do this.

The bigger benefits

GDPR is such an intimidating opponent to many U.S. organizations that they don’t even appear to be showing up for the competition, let alone trying to win. Rather than considering GDPR a problem too tough to tackle, view it as an opportunity to put the right building blocks (people, processes, and technology) in place for an effective security program. After all, when you have a well-run security program, regulatory compliance — including GDPR compliance — will be a natural side-effect.

Pan Yanyuan, Weiyang (未央网) editorial team
Copyright © Internet Finance Lab, PBC School of Finance, Tsinghua University | 京ICP备17044750号-1