The General Data Protection Regulation (GDPR) is a regulation that requires businesses in the European Union (EU) to protect citizens' personal data and privacy in the EU. The GDPR applies to all transactions in the EU that involve data collection and imposes severe penalties for violations. It sets new standards for consumer rights and challenges organizations to maintain compliance, especially for security teams that need to enforce these new rules.
One of the reasons for these difficulties is that the GDPR defines Personally Identifiable Information (PII) more broadly than previous data protection measures. For example, data such as name, address, and social security number have long been considered PII, but the GDPR also treats digital data like cookies and IP addresses as PII. Another problem is that the GDPR refers to a "reasonable" level of protection for PII but does not define this term further. This vagueness gives GDPR regulators a great deal of leeway when assessing penalties for violations.
RedTeam Security is well-versed in the arena of GDPR compliance. We won't make a company GDPR compliant, but our services can meet some compliance requirements. Schedule a free consultation with our cybersecurity experts today to learn more about how we can help you become GDPR compliant. Contact us online or call (952) 836-2770 today to discuss your cybersecurity needs.
The European Parliament adopted the GDPR in April 2016, replacing the Data Protection Directive enacted in 1995. It carries provisions for the protection of PII, including the export of personal data outside the EU. All 28 members of the EU have passed the provisions of the GDPR into legislation, allowing all organizations within the EU to follow the same standard. However, the standard requires most companies to invest substantial resources to achieve and maintain GDPR compliance.
The GDPR covers many types of PII, including the following:
The GDPR protects EU citizens when their PII is stored, processed, or transmitted within the EU. It also regulates the exportation of PII outside the EU.
The GDPR affects all organizations that directly handle PII on EU citizens, as well as their vendors and other third parties.
Organizations with a physical presence in the EU are bound by the GDPR, even if they don't have a business presence in the EU. GDPR also applies to organizations that process the PII of EU residents. GDPR automatically applies to organizations with at least 250 employees, while the GDPR is somewhat more complex for smaller organizations. In these cases, the GDPR applies if the organization's data processing affects the rights of EU citizens or includes protected types of PII. In practical terms, this means a company's size doesn't affect the applicability of the GDPR.
Companies outside the EU are also greatly affected by the GDPR. A 2016 survey by PricewaterhouseCoopers (PwC) found that 92 percent of U.S. companies consider the GDPR a top priority for data protection. Fifty-three percent of the respondents in a 2018 survey by Propeller Insights indicated the technology sector would be most affected by the GDPR. Others believed that industries such as online retailers, software companies, financial services, and online services would experience the most significant impact.
The GDPR places equal responsibility on data controllers and data processors for protecting PII. Data controllers are the organizations that own the data, while data processors are organizations that participate in managing the data. If one of the data processors is noncompliant, then the data controller is also noncompliant. The GDPR also places strict rules for all organizations within this group to inform customers of their rights under the GDPR and report data breaches.
This collective responsibility means that contracts between data owners and third parties such as customers, cloud providers, payroll service providers, and SaaS vendors must specify each party's responsibilities with respect to PII. They must also define consistent processes for managing and protecting data in addition to the specific methods for reporting breaches.
Third-party data processors represent the largest expenditure of resources when a data owner is attempting to become GDPR compliant. Data processors typically have access to a large amount of PII from the data owner, and the GDPR makes it clear that data owners are responsible for ensuring their vendors comply with the GDPR. Contracts with customers also need to reflect the changes in government regulation brought about by the GDPR. This regulation also requires leaders in business, IT, and security to understand how their organizations store and process data to develop a compliant process for reporting data breaches. This process is a significant undertaking, but it is necessary for identifying the vendors an organization needs to focus on from a security perspective.
The GDPR may also change the mindset of organizational stakeholders when it comes to data. They traditionally view their data as an asset to leverage, but this perception may shift to view the accumulation of data as an increase in liability. Organizations need to track data flows as data leaves their control and take appropriate protective measures, which they must spell out in their contracts. This step will help third parties understand what they can and cannot do with the data they obtain from customers.
Reporting a breach is especially important under the GDPR, which allows a 72-hour window from when a breach occurs to the time it must be reported. This requirement can be challenging when a vendor with many clients is breached. Each client may have a different entity for the vendor to notify, which could be someone in accounting, accounts receivable, or purchasing. Contracts between vendors and customers must clearly define the reporting path in the event of a breach. The GDPR requires policies, procedures, and response structures that will allow an organization to complete its reporting process quickly.
The sheer number of contracts that a company may need to update also complicates the process of getting vendor contracts into compliance with the GDPR. An organization must know what data it has, how that data is processed, and where it goes before defining the responsibilities for handling that data. Many organizations find themselves having to play catch-up in completing the operational and technical issues needed to get the proper contracts in place before a deadline. The GDPR requires organizations to know what their operational processes with vendors will be. In particular, they need to know how their vendors' security framework operates.
The GDPR defines three roles for ensuring compliance with its requirements: the data controller, the data processor, and the Data Protection Officer (DPO).
Data processors maintain and process PII. They may be internal or external to the organization and may perform some or all of these activities. The GDPR holds processors liable for noncompliance and breaches, so it's possible that both an organization and its data-processing partners could be subject to penalties under the GDPR even if the partner was entirely at fault.
The GDPR requires the controller and a processor to designate a DPO, who ensures compliance for a particular data set by overseeing its data security strategy. Organizations need a DPO if they meet any of the following criteria:
Eighty-two percent of the respondents in the Propeller Insights survey indicated their organization already has a DPO on staff. However, 77 percent said they planned to hire a new DPO before the GDPR's planned implementation deadline of May 25, 2018. The regulation will also require most organizations to hire additional staff to comply with GDPR. About 55 percent of respondents said they had hired at least six employees for this purpose.
The GDPR allows regulatory bodies to assess penalties as high as €20 million or four percent of the organization's global annual turnover, whichever is greater. However, most of the fines that have been imposed are well below this limit. The GDPR Enforcement Tracker shows that 282 fines had been issued in the EU for violations as of May 29, 2020. The great majority of these fines have been for thousands or tens of thousands of euros. DLA Piper's GDPR Data Breach Survey reports that the largest fine so far is for €50 million, which was imposed against Google in January 2020. The reasons for this fine included the lack of valid consent and transparency.
Regulators acknowledge that they lack the resources to handle the data breach reports they receive, so they'll require more time to establish identifiable precedents for this process. The fines are also inconsistent across different regulators, adding to the uncertainty of the fines for noncompliance. Regulators currently disagree sharply on how they should calculate these fines, and observers believe that GDPR is still years away from providing legal certainty on this issue.
For now, demonstrating a good-faith effort to comply with GDPR should be enough to protect an organization from severe penalties. The UK Information Commissioner, Elizabeth Denham, stated in a 2018 speech that enforcement is a last resort and that the Information Commissioner's Office (ICO) would reserve hefty fines for organizations that "persistently, deliberately or negligently flout the law." She added that organizations that self-report, cooperate with the ICO to resolve problems, and demonstrate effective accountability can expect the ICO to take these factors into account when considering regulatory action.
The GDPR is currently the world's strictest law on data privacy and security. The fact that it applies to any organization that collects data on people in the EU means that the GDPR can affect organizations worldwide, even if their headquarters are not in the EU. The specific requirements for the GDPR are extensive, which you can find here.
GDPR.eu is also a valuable resource for learning more about GDPR requirements. The site contains the regulation's 173 recitals and 99 articles, along with checklists and guidance. It also includes a PDF document of the entire GDPR. These materials all help you walk through how the GDPR may apply to you and your organization.
The following steps will also help you improve your business in several areas not directly related to GDPR compliance. For example, the procedural and technical changes needed to comply with GDPR can also create efficiencies in how organizations manage and protect their data, saving costs. It can also increase consumer confidence, making your business more competitive.
If your review of the GDPR leaves you feeling that your organization faces a significant risk of noncompliance, there are several steps you can take to address these deficiencies. The first is to instill a sense of urgency at the highest levels of the organization's management. Executive leadership must prioritize the task of becoming GDPR compliant before you can expect to make significant progress.
It's also important to get other stakeholders involved, as your IT department won't be able to meet the GDPR requirements by itself. Form a cross-functional task force that includes representatives from any department that collects or uses customers' PII, including finance, marketing, operations, and sales. These team members must effectively share the information needed to implement the procedural and technical changes that will get your organization in compliance with GDPR. They also need to prepare for the impact of these changes on their respective departments.
The risk assessment is usually the greatest obstacle to GDPR compliance. The first step in the process should be to obtain a complete picture of the organization's IT infrastructure, including a list of all applications that it runs. Specific information on the applications that process PII can significantly reduce this phase's scope and the time it requires.
Conduct risk assessments regularly to ensure you know what PII you process on EU citizens and the risks associated with it. These assessments must also describe the measures needed to mitigate these risks. Another key component of the risk assessment is identifying shadow IT processes that involve PII, regardless of their size. These solutions often pose the greatest risk for noncompliance, since they tend to have a low profile and less documentation.
Many applications meet these criteria, making it challenging for large organizations to identify all of them. In a recent article on CSOonline.com, Matt Fisher, senior vice president at Snow Software, estimated that more than 39,000 business applications use PII. Only a fraction of these applications typically have high visibility, while the hidden majority is a severe risk to noncompliance.
Fisher also noted that recent trends in IT provisioning are a complicating factor in achieving GDPR compliance. He estimated that by 2020, business units would account for about half of an organization's IT budget, causing the IT department to lose track of the applications that an organization uses. This loss of visibility can threaten compliance.
Organizations will generally need a DPO to comply with GDPR, which may require them to hire a new team member if they don't have one qualified for this role. The GDPR doesn't require the DPO to be dedicated to this task, so it's possible for someone who is already performing similar duties to fill this position. However, management needs to ensure that this dual role won't create a conflict of interest.
The DPO may not be a full-time position, depending on the organization. A virtual DPO may be an option in these cases, allowing the DPO to serve multiple organizations. GDPR allows this arrangement, provided the individual can meet a DPO's requirements for all the organizations. Most organizations already have a Data Protection Plan (DPP), but the DPO will need to review it and modify it as necessary to meet GDPR requirements. The DPO also needs to review the DPP on a recurring basis, especially after operational changes.
Mobile devices require additional measures to comply with GDPR. A recent survey by Lookout, Inc. shows that 64 percent of employees access PII with mobile devices, often PII belonging to customers, employees, or partners. This practice can significantly increase the organization's risk of noncompliance due to a loss of control over PII access.
Eighty-one percent of the Lookout survey respondents said their companies allowed them to install personal apps on the mobile device they use for work. If these apps use PII, they must do so in a way that complies with GDPR, even if the device doesn't belong to the company. This is a particularly challenging requirement to meet since many employees use apps on their mobile devices that their organization hasn't specifically authorized.
The GDPR requires extensive documentation of an organization's progress towards compliance. For example, organizations must complete the Record of Processing Activities (RoPA) described in Article 30 of the GDPR. A RoPA is an inventory of applications that process PII, including when, who, and how the organization is processing this data. This document is particularly important for the early stage of becoming compliant.
Once an organization has identified risks to data security and developed the appropriate measures for mitigating those risks, it must implement them. In most cases, this step involves revising the organization's existing risk mitigation procedures. Once the GDPR team has completed the RoPA, it can identify and investigate risks to determine the appropriate measures for risk mitigation. Small organizations may need help with this phase, as they often lack the required resources. Various external resources can be used to reduce the risk of GDPR noncompliance, which can minimize the disruption to an organization's normal operations.
The GDPR requires organizations to report data breaches within 72 hours of their occurrence, so they also need to test their incident response plans. A prompt response time is essential for minimizing the damage caused by the breach and will also affect the risk of fines.
A process for performing ongoing assessments is required for compliance with GDPR, including monitoring and the goal of continuous improvement. Some organizations also implement a program of penalties and incentives to ensure employees comply with the new policies. Forty-seven percent of the respondents in a survey by Veritas Technologies reported that their organization would probably add policies making it mandatory for employees to comply with GDPR requirements. Thirty-four percent of respondents said their organization would reward GDPR compliant employees, while 25 percent said employees might lose bonuses or other benefits for GDPR violations.
RedTeam Security's services can meet some GDPR requirements. For example, we can assist you in complying with Articles 25 and 32, which require organizations to provide "reasonable" data and privacy protection for EU citizens.
RedTeam Security can provide a free consultation for GDPR compliance. Our services can identify and document threats that may be posed to the data security and privacy of EU citizens. We can also assess the probability of data breaches and their impact on your organization and develop proper security measures to mitigate these risks. Contact us online or call (952) 836-2770 to schedule your free cybersecurity assessment.