
Complete Guide to General Data Protection Regulation (GDPR) Compliance

This page is regularly updated for accuracy & comprehensiveness
Last update: January 7, 2022


What does it mean to be GDPR compliant?

At its core, GDPR compliance means that an organization falling within the scope of the General Data Protection Regulation (GDPR) meets the requirements for proper handling of personal data defined in the law.

The GDPR outlines certain obligations organizations must follow which limit how personal data can be used. It also defines eight data subject rights that guarantee specific entitlements over individuals’ personal data, ultimately giving individuals more autonomy over their personal information and how it is used.


Overview of the GDPR

The GDPR is the strongest global privacy law in effect today. It was created by the European Union (EU) to regulate how organizations collect, handle, and protect the personal data of EU residents. The GDPR took effect on May 25, 2018, and is a binding regulation written directly into Member States’ laws. It is designed to strengthen privacy rights by giving data subjects control of how their personal data is obtained, used, and shared.

The GDPR set out with three main goals in mind:

  1. Establish and protect the fundamental privacy rights of individuals.
  2. Unify privacy laws across the EU by replacing the 28 individual EU member state laws and the previous 1995 Data Protection Directive.
  3. Adapt privacy laws to reflect how changes in the technology landscape over the last 25 years have affected personal data.

GDPR Terminology

Before diving into the details, let’s define some basic GDPR terminology.

Data Subject is any person formally residing in the EU who has their data collected, held, or processed by a controller or processor.

Data Controller refers to the entity responsible for determining the purpose and lawful basis for processing personal data.

Data Processor, who collaborates with the Data Controller, refers to the person or entity responsible for processing personal data on behalf of the controller.

Processing involves any automated or manual operation or set of operations performed on personal data or sets of personal data, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, and so on.

Personal data refers to any information relating to a natural person (the “data subject”) that can directly or indirectly identify that person, because it relates to their private, professional, or public life, including a name, email address, photos, or even bank statements.

Obtaining the consent of the data subject refers to any “freely given, specific, informed and unambiguous indication of the data subject’s wishes” by which they agree to the processing of personal data relating to them. The data subject can signify consent by a statement or by a clear affirmative action.

Does the GDPR apply to your organization?

To decide whether you are covered under the GDPR, you need to consider both the ‘material scope’ (i.e., whether your processing activities are governed by the GDPR) and the ‘territorial scope’ (i.e., whether you are in a jurisdiction where the GDPR applies).

Does the GDPR apply to US companies?

US organizations may fall within the scope of the GDPR. To determine whether or not your organization must comply, the same analysis must be applied by looking at the material and territorial scope of the law outlined below. In short, if your organization processes (i.e., collects, records, structures, stores, alters, uses, discloses, erases, etc.) the personal information of someone residing in the EU, whether in exchange for goods or services or to monitor the behavior of EU citizens, then you likely fall within the scope of the GDPR.

The Material Scope

The GDPR applies to the processing of personal data carried out wholly or partly by automated means. It also applies to processing that does not use automated means but forms part of a filing system, or is intended to form part of a filing system. This covers most activities that organizations do with data, including collecting, recording, storing, accessing or viewing, using, analyzing, combining, disclosing or deleting personal data.

The Territorial Scope: Does the GDPR apply outside the EU?

The GDPR applies to the processing of personal data by a controller, or a processor established in the EU, regardless of whether the processing takes place in the EU.

It also has extraterritorial application to a controller or processor which is not established in the EU, if the controller or processor offers goods or services to data subjects within the EU, or monitors data subject behavior that takes place within the EU. For example, the GDPR applies to a US online shopping website which attracts and offers goods to customers in the EU. The offering of goods and services can be free of charge. This may include foreign government agencies or non-profit organizations. For example, the GDPR applies to a tourism information page run by a US state government that collects personal information such as IP addresses, where website visitors from the EU can obtain tourism information free of charge.

What are the GDPR data subject rights?

The GDPR outlines eight fundamental data subject rights, plus the right to withdraw consent. Let’s take a closer look at these rights:

  1. Right to be informed (GDPR Articles 12 to 14)

Data subjects have the right to be informed about the collection and use of their personal data.

  2. Right to access (GDPR Article 15)

Data subjects have the right to access and request a copy of their personal data.

  3. Right to rectification (GDPR Article 16)

Data subjects have the right to request that inaccurate or outdated personal information be updated or corrected.

  4. Right to be forgotten / Right to erasure (GDPR Article 17)

Data subjects have the right to request that their personal data be deleted. Note that this is not an absolute right and may be subject to certain legal exemptions.

  5. Right to data portability (GDPR Article 20)

Data subjects have the right to ask for their data to be transferred to another controller or provided to them. The data must be provided in a machine-readable electronic format.

  6. Right to restrict processing (GDPR Article 18)

Data subjects have the right to request that the processing of their personal data be restricted or suppressed.

  7. Right to withdraw consent (GDPR Article 7)

Data subjects have the right to withdraw previously given consent to process their personal data.

  8. Right to object (GDPR Article 21)

Data subjects have the right to object to the processing of their personal data.

  9. Right to object to automated processing (GDPR Article 22)

Data subjects have the right to object to decisions based solely on automated decision-making or profiling.


11 Step GDPR Compliance Checklist

Now that we understand the basics, let’s move on to the steps your organization can take to meet GDPR compliance. Depending on the organization, GDPR compliance may look a little different, but there are specific steps any organization can take now to create a GDPR-compliant privacy program:

  1. Create an Actionable Plan Using the 7 Principles of the GDPR
  2. Generate a Processing Register for Article 30
  3. Implement Data Protection Impact Assessments (DPIAs) and Privacy by Design (PbD)
  4. Build a Framework for Consent Management
  5. Meet EU Privacy Cookie Compliance Requirements
  6. Build a Data Subject Rights Request Portal
  7. Review and Remediate Processor Risks
  8. Prepare an Incident Reporting & Breach Management Workflow
  9. Review Cross Border Data Transfer Mechanisms
  10. Implement GDPR Compliance Training
  11. Appoint a Data Protection Officer (DPO)

Let’s take a deeper look at each step.


Step 1: Create an Actionable Plan Using the 7 Principles of the GDPR

The GDPR sets out seven key principles that should be at the core of your approach to processing personal data:

  • Lawfulness, fairness, and transparency – There should be a lawful basis for each processing activity. Data is not processed in a way that is unexpected, and the data subject is informed of the processing.
  • Purpose limitation – Be clear about your purposes for processing, record them, and specify them in the privacy notice to individuals. Limit the processing to those identified purposes.
  • Data minimization – Only process personal data to the extent necessary.
  • Accuracy – Ensure the personal data you process is accurate and up to date. Correct or erase inaccurate personal data as soon as possible.
  • Storage limitation – Only keep personal data if you need it.
  • Integrity and confidentiality (security) – Have appropriate security measures in place to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  • Accountability – Take responsibility for what you do with personal data, and have appropriate measures and records in place to demonstrate your compliance with the data processing principles.

The GDPR requires the implementation of appropriate technical and organizational measures to effectively implement the data protection principles and safeguard data subject rights. This is called ‘data protection by design and by default’. This means you must integrate data protection into your processing activities and business practices, from the design stage and across the entire data processing lifecycle.

GDPR Articles:

  • Article 5: Principles Relating to Processing of Personal Data
  • Article 24: Responsibility of the Controller


Step 2: Generate a Processing Register for Article 30

The GDPR requires organizations to maintain records of their processing activities and to ensure those records are always up to date. Data mapping describes the operational process used to generate a central catalog of the organization’s data flows and keep it up to date.

Although the GDPR does not specifically mention data mapping, it does require both controllers and processors (B2B and B2C) to maintain an inventory of processing activities. GDPR Article 30 is extremely specific in its requirements, so even if an organization has previously performed data mapping, it will need to be updated or redone to meet the GDPR requirements.

GDPR Articles:

  • Article 6: Lawfulness of Processing
  • Article 30: Records of Processing Activities (Primary)
  • Article 32: Security of Processing


Step 3: Implement Data Protection Impact Assessments (DPIAs) and Privacy by Design

The GDPR requires controllers to conduct a Data Protection Impact Assessment (DPIA) where a processing operation is likely to result in a high risk to individuals. Many details within the GDPR make this more involved than a standard questionnaire; for example, the requirement to involve the Data Protection Officer (DPO) in specific workflows, tracking mitigation activities, documenting risk in terms of harm to the individual, data subject consultations, etc.

In addition, in practice organizations implement a lightweight screening questionnaire to analyze risk and then determine whether a full DPIA is required. These workflow and documentation requirements, along with the user experience and integration expectations of business users, require purpose-built tools to operationalize the GDPR.

Operationalized properly, the DPIA can be an effective approach to meeting the Data Protection by Design and Default requirement.

GDPR Articles:

  • Article 25: Data Protection by Design and by Default
  • Article 35: Data Protection Impact Assessments
  • Article 36: Prior Consultation


Step 4: Build a Framework for Consent Management

The GDPR sets a higher standard for organizations that process data on the basis of consent. For example, consent needs to be: specific, clear and in plain language, not buried in legal notices, not grouped with multiple notices, easy to withdraw, etc. In addition, organizations need to be able to demonstrate, in a granular way, that consent was received.

GDPR Articles:

  • Article 7: Conditions for Consent


Step 5: Meet EU Privacy Cookie Compliance Requirements

Under the ePrivacy Directive, organizations must tell people if they are using cookies, and explain what the cookies do and why. The user’s consent must be obtained through a process that allows the organization to demonstrate that the consent was given actively and unambiguously. The users also need to be informed about the different functions of the cookies used on the website, as well as the identity of the organizations that deploy the cookies and use the data collected through them. There is an exception for cookies that are essential to provide an online service at the individual’s request, for example, to remember what’s in their online basket, or to ensure security in online banking. The same rules apply if other types of technology are used to store or access information on someone’s device (for example, SDKs used in mobile apps).

The ePrivacy Directive requirements apply no matter whether the cookies are processing anonymous or personal data. Even where the cookie data is anonymous, the user consent for collecting them needs to meet the GDPR standards. If the cookie data is not anonymous, the organization will also need to comply with additional GDPR rules for personal data protection, such as conducting a DPIA and recording such processing activity in their records of processing.

The GDPR influenced the drafting of the ePrivacy Regulation, which will replace the current ePrivacy Directive and align more closely with the GDPR. Organizations will face greater penalties and more targeted enforcement action under the Draft ePrivacy Regulation.

GDPR Articles:

  • Article 7: Conditions for Consent
  • Article 21: Right to Object
  • ePrivacy Directive / Draft ePrivacy Regulation


Step 6: Build a Data Subject Rights (DSAR) Request Portal

The GDPR gives data subjects specific rights, such as: data portability, access, erasure or the “right to be forgotten”, rectification, and more. Additionally, there are specific record-keeping requirements when responding, the ability to request an extension, the requirement to validate the requester’s identity, and securely transmitting the response to the individual, to name a few. Having an automated portal that can help receive and triage these requests is an important step in managing, tracking, and reporting on your DSAR requests.

GDPR Articles:

  • Article 7: Conditions for Consent
  • Article 12: Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject
  • Article 13: Information to be Provided Where Personal Data are Collected from the Data Subject
  • Article 14: Information to be Provided where Personal Data have not been Obtained from the Data Subject
  • Article 15: Right of Access by the Data Subject
  • Article 16: Right to Rectification
  • Article 17: Right to Erasure (“Right to be Forgotten”)
  • Article 18: Right to Restriction of Processing
  • Article 19: Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing
  • Article 20: Right to Data Portability
  • Article 21: Right to Object


Step 7: Review and Remediate Processor Risks

The GDPR holds controllers responsible for the actions or breaches of their processors. It is critical to analyze processor data transfers and contractual obligations with the same diligence as internal processing activities, so that a defensible posture can be maintained in the unfortunate event of a processor breach. In addition, it allows organizations to quickly understand what data was impacted in that breach.

GDPR Articles:

  • Article 28 (1)-(3): Processor
  • Article 24 (1): Responsibility of the Controller
  • Article 29: Processing under the Authority of the Controller or Processor
  • Article 46 (1): Transfers Subject to Appropriate Safeguards

Step 8: Prepare an Incident Reporting & Breach Management Workflow

The GDPR includes a strict 72-hour requirement to notify the supervisory authority of a personal data breach and, when the breach is likely to cause a high risk to the rights and freedoms of natural persons, an additional notification to the data subjects. It’s critical for organizations to have a systematic process in place to meet these requirements.

GDPR Articles:

  • Article 33: Notification of a Personal Data Breach to the Supervisory Authority
  • Article 34: Communication of Personal Data Breach to the Data Subject


Step 9: Review Cross Border Data Transfer Mechanisms

The GDPR requires the same level of protection for personal data transferred outside of the EEA. This requires organizations to review and ensure they have appropriate cross-border data transfer mechanisms in place.

The first thing to consider when transferring personal data to a third country is whether there is an ‘adequacy decision’. An adequacy decision is a decision by the European Commission that a third country or international organization ensures an adequate level of data protection. However, this decision is subject to review by the Commission and can be withdrawn (e.g., EU-US Privacy Shield). Another example is the European Commission granting the UK two adequacy decisions following Brexit.

To learn more about the UK adequacy decision, check out our UK Adequacy FAQ blog.

In the absence of an adequacy decision, the GDPR allows a transfer if the controller or processor provides ‘appropriate safeguards.’ The most commonly used safeguard is the ‘Standard Contractual Clauses’ (SCCs), which set obligations on the data exporter and the data importer and provide rights for the data subjects.

Data transfers are still possible without an adequacy decision or appropriate safeguards. In this scenario, organizations can rely on a derogation, such as explicit consent from the data subject, or the transfer being necessary for the performance of a contract. However, this is not recommended, since without appropriate safeguards there is a greater risk of a data breach.

To learn more about the Schrems II Ruling, check out DataGuidance’s Definitive Guide to Understanding Schrems II.

GDPR Articles:

  • Article 44: General Principle for Transfers
  • Article 45: Transfers on the Basis of an Adequacy Decision
  • Article 46: Transfers Subject to Appropriate Safeguards
  • Article 47: Binding Corporate Rules
  • Article 49: Derogations for Specific Situations


Step 10: Implement GDPR Compliance Training

The GDPR requires a data protection officer to monitor an organization’s compliance with the GDPR, which includes raising awareness and training staff. Organizations should provide initial and refresher training to their employees. There should also be a mechanism in place to keep records of the trainings in order to demonstrate compliance.

GDPR Articles:

  • Article 39: Tasks of the Data Protection Officer
  • Article 47: Binding Corporate Rules


Step 11: Appoint a Data Protection Officer (DPO)

The GDPR requires an organization to appoint a data protection officer (DPO) if it is a public authority or body, or if the organization’s core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or the core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

The DPO is responsible for ensuring GDPR compliance. They assist the organization in monitoring internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs), and act as a point of contact for data subjects and data protection authorities.

GDPR Articles:

  • Article 37: Designation of the Data Protection Officer
  • Article 38: Position of the Data Protection Officer
  • Article 39: Tasks of the Data Protection Officer


How OneTrust Helps with GDPR Compliance

OneTrust offers a suite of products and solutions to operationalize your privacy, security, and governance programs, giving you the tools you need to build a holistic GDPR compliance program.

OneTrust DataGuidance™ Research

The entire OneTrust platform is powered by DataGuidance regulatory research. This regulatory research portal is supported by 40 in-house researchers and 800 legal contributors from 300 jurisdictions, keeping you up to date on the latest GDPR compliance, enforcement, and news. Learn more.

OneTrust Maturity & Benchmarking

Assess the maturity of your GDPR privacy, security, and data governance programs and benchmark them against similar organizations. Understand where your gaps are and use the insights to improve your compliance efforts. Learn more.

OneTrust Awareness Training

Build a “privacy-first” culture through industry-, role-, and GDPR-specific awareness training courses, delivered through OneTrust’s built-in LMS or imported into your existing LMS. Learn more.

OneTrust Assessment Automation

Operationalize GDPR specific privacy impact assessments (PIAs), data protection impact assessments (DPIAs), privacy by design (PbD), and other internal privacy and security assessments. Learn more.

OneTrust Data Mapping

Maintain an evergreen map of data flows, cross-border transfers, complete records of processing, and leverage pre-defined Article 30 templates. Automatically generate a searchable inventory and visual data maps based on the underlying data inventory. Learn more.

OneTrust Data Discovery & Classification

Automatically find IT systems, discover and classify the data within, map personal data to identities, and keep your data map and compliance reporting evergreen. Learn more.

OneTrust Vendor Risk Management

Manage the full vendor lifecycle, assess your vendors’ privacy and security practices, link vendors to your record of processing, and work with vendors to assess the impact of cross-border data transfers. Learn more.

OneTrust Incident Management

Operationalize your incident response plan, manage the incident lifecycle, and get automated breach notification guidance across hundreds of breach notification laws. Learn more.

Privacy Rights (DSAR)

Manage the complete privacy rights (DSAR) request workflow, from intake to fulfillment, with pre-built workflows and guidance for the GDPR and other privacy regulations that carry privacy rights requirements. Learn more.

OneTrust Cookie Consent

Scan your website to identify cookies and trackers, and generate geolocation-specific cookie banners, preference centers, and cookie policies. Within the cookie banner, give visitors a preference center that lets them control opting in to and out of tracking. Learn more.

OneTrust Universal Consent Management

Collect, centralize, and synchronize user consent data across channels, platforms, and systems. Demonstrate consent individually to regulators, and give data subjects a list of everything they have consented to so that they can accept or withdraw consent. Learn more.

Let OneTrust help your organization build a GDPR compliance program that puts trust at the forefront, and learn more about how OneTrust can help your privacy, security, and governance initiatives today.

 
