本周早些时候，Facebook宣告行将树立一个新的隐私中心，协助公司应对四个月后行将收效的欧洲GDPR数据监管新规。一周后就是数据隐私日，Facebook的声明刚好表现了美国公司在5月25日最晚期限到来前的预备缺乏。
许多公司并没有重视GDPR，由于他们以为这个规矩只适用于欧盟境内公司，或许说他们想看看Facebook或许Google有何行为，然后再做方案。在这里咱们有必要提示各位：只需你隶属于一家美国公司而且经手欧盟公民的个人信息，那GDPR对你就适用。违规后果严重，罚款最高可达2000万欧元或该公司全收收益的4%，取两者中较大值。
GDPR需求团队合作，公司里的每个人都有职责维护数据并了解该监管规矩。今日在这篇文章中，咱们就简略跟各位聊聊这个论题。
人物与职责
GDPR尽管需求团队合作，但保证合规高效则需求准确分配人物与职责以及部分间联动。以下是每个安排都该知道的三个首要合规参加方。
操控者：这个职务或部分决议方针、条件以及处理数据的办法，但自身并不实践处理数据。一起该职位或部分还担任外部承包商合规并向有关部分及时报告数据走漏事情。
处理者：这个职位或部分替操控方处理信息，应由第三方或公司职工担任。处理者应该遵从操控者拟定的合同并恪守保密规矩。一起，操控者需求运用技能和安排操控手法维护数据，并供给材料证明合规。
数据维护员（DPO）：数据维护员监管合规并和数据维护监管部分坚持交流。DPO向公司最高层办理人员报告，一般具有风控经历。留意，DPO不能参加数据处理，否则会形成利益冲突。该职务受保密条款约束。
由于GDPR规矩规模不只是网络安全，以下是保证合规所需求的其他事务部分：
法令：GDPR法令事务大部分有关监管规模的界说、公司的易遭攻击点和数据是否被合理运用。法令部分一起还需从合同上保证全部有序进行，比方保证合同中有相关条款规矩第三方合规。
IT：IT部分任务量最重。他们需保证IT体系、效劳和技能能够维护客户数据而且契合监管规矩。
安全：违背GDPR将遭致大额罚款，因而网络安全部分有必要尽可能削减数据走漏危险。最佳做法是在下文说到的六大网络安全点根底上整合尽力。
未来规划：以数据为中心的安全项目
各国和安排可能对个人信息有不同的界说，但依照GDPR的界说，个人信息指的是能够被用来辨认一个人身份的数据，比方名字、邮件地址、银行账号信息、交际媒体信息、健康信息等等。GDPR首要重视此类个人信息的收集、处理和活动，因而合规的最佳做法就是树立以数据为中心的信息安全项目并按以下六点评价。
数据办理：了解并实行你地点安排的GDPR责任。了解哪些数据受监管以及为什么被用来支撑事务功用的该数据是重要的。随后再采纳其他举动比方分类、办理介入权或拟定专门维护措施。
数据分类：为现行办理剖析并分类相关数据。数据分类进程即寄存数据并将之分类至某一类目（如高度约束、约束、内部运用、揭露），这样才干根据相关的事务和监管危险进行相应程度的数据维护。
数据发现：将敏感数据寄存在安排内部并为现行办理树立架构。安排有必要清楚知道他们受监管数据的寄存方位，不管是云端、本地、内部或第三方，有结构或无结构，以及它们被运用的方法。
数据接入：决议谁对数据有和应该有接入权并相应处理恳求。知道这一要害信息能够协助企业维护数据的商业需求并保证除方案意图外数据没有被乱用
数据处理：施行信息安全维护并为可能的走漏事情做好预备。安排有必要理解手上数据以及公司内部、公司之间和使用之间相互活动的数据所随同的危险，并施行恰当的维护措施。最重要的是，恰当的数据处理在发作意外导致走漏事情时能够协助你决议哪些是最重要的，由于GDPR要求公司发作走漏事情72小时内通报。
数据维护：树立恰当的安全项目维护敏感数据。GDPR要求安排采纳技能和安排手法保证与危险相适应的维护程度，但没有具体规矩怎么施行。
严厉监管的带来更多裨益
GDPR关于许多美国安排来说是过分强壮的对手，后者底子不敢与之抗衡，更不管输赢。咱们不应该将GDPR视为无法处理的难题，相反，它其实能够为公司树立一个有用的安全项目供给时机打下根底（人员、流程和技能）。究竟，假如你具有了完善的安全项目，那监管合规包含GDPR合规自然而然就完成了。
英文原文
Earlier this week, Facebook announced it is rolling out a new privacy center to help the company comply with Europe’s GDPR regulation that comes into effect in just four months. The company’s announcement comes just ahead of next week’s Data Privacy Day, and is a reminder of how slow U.S. companies have been in preparing for the May 25 compliance deadline.
Many companies have taken little note of GDPR, believing it only affects companies in the European Union — or perhaps waiting for big fish like Facebook or Google to make a move first before investing in big audits of their own data. To be clear: If you’re part of a U.S. company that handles personal information of EU citizens, the GDPR applies to you. Failing to comply will result in significant penalties of up to €20 million or four percent of a company’s global revenue, whichever is greater.
GDPR is a team effort, and everyone within an organization has a responsibility to protect data and understand the main points of the GDPR. So, whether you’re a board member, C-suite executive, or part of the legal, IT, or security teams at your company, here’s what you need to know. The clock is ticking.
The players: Roles and departments
While GDPR is a team effort, effective GDPR compliance requires well-defined roles and division of responsibilities, as well as strong interdepartmental partnerships. There are three key players to GDPR compliance that every organization should be aware of:
The Controller: This person or office determines the purpose, conditions, and means of processing data, but they don’t actually do the processing. This person or office is also responsible for ensuring that outside contractors comply with regulations and reporting data breaches to the appropriate authorities.
The Processor: This person or office processes the information on behalf of the controller. A processor could be a third party or an employee within the organization. The processor should follow the contract as set by the controller and adhere to confidentiality. Additionally, the processor protects data with technical and organizational controls, and provides documentation to prove compliance.
The Data Protection Officer (DPO): The data protection officer oversees compliance and communicates with data protection authorities. The DPO reports to the highest management and generally has experience with risk management. Note: the DPO cannot be involved in data processing, as this would create a conflict of interest. This office is bound by confidentiality.
Because the GDPR extends beyond cyber security, there are three core business areas — in addition to the aforementioned roles — whose integrated efforts are necessary to achieve compliance:
Legal: A majority of the GDPR heavy lifting from a legal standpoint involves defining what’s in the scope of the regulation, where a company has vulnerabilities, and whether data is being used properly. Legal also must make sure everything is in order from a contracts standpoint, such as ensuring third-party relationships have the appropriate model contract clauses in place to enable compliance.
IT: The IT team is tasked with the biggest burden related to GDPR: It must ensure IT systems, services, and technologies protect customer data and comply with outlined regulations.
Security: Given the hefty financial penalties associated with GDPR, cyber security programs must mitigate breach risk as much as possible. This is best achieved by concentrating efforts on the six cyber security pillars outlined below.
The game plan: A data-centric security program
Countries and organizations may define personal information in different ways, but the GDPR defines it as data that can be used to identify a person, such as a name, an email address, bank account information, social media posts, health information, and more. Because the GDPR is laser-focused on the collection, processing, and movement of this personal information, one of the best ways to achieve compliance is to take a data-centric view of your information security program and evaluate it against the following six pillars.
Data governance: Understand and meet your organization’s GDPR obligations. Knowing what data is regulated and why this data is used to support business functions is essential before any other activity can be taken toward classifying it, administering access, or defining specific protections.
Data classification: Analyze and classify relevant data for ongoing management. The data classification process entails locating data and assigning it a certain category (e.g., highly restricted, restricted, internal use, public), so your business can enable the right level of protections based on the associated business and regulatory risks.
Data discovery: Locate sensitive data within the organization and set up structures for ongoing management. Organizations must be able to clearly articulate where their regulated data is — regardless of whether it’s in the cloud or on-premises, internal or third-party, structured or unstructured — and how it’s used.
Data access: Determine who has and should have access to data and manage permissions accordingly. Knowing this vital information helps organizations defend the business need for the data and ensure data isn’t used outside of its intended purpose.
Data handling: Implement safeguards for information and prepare for a potential data breach incident. Organizations must understand the risks associated with data at rest, as well as data that moves throughout the company, between companies and between applications, and implement appropriate protection measures. Perhaps most importantly, proper data handling lets you determine when an incident becomes a breach, which is essential, as GDPR requires notification within 72 hours of a company becoming aware of a data breach.
Data protection: Protect sensitive information with an appropriate security program. The GDPR requires that organizations take technical and organizational measures to ensure a level of security appropriate to the risk, but it doesn’t outline how to do this.
The bigger benefits
GDPR is such an intimidating opponent to many U.S. organizations that they don’t even appear to be showing up for the competition, let alone trying to win. Rather than considering GDPR a problem too tough to tackle, view it as an opportunity to put the right building blocks (people, processes, and technology) in place for an effective security program. After all, when you have a well-run security program, regulatory compliance — including GDPR compliance — will be a natural side-effect.