GDPR (General Data Protection Regulation)

The General Data Protection Regulation (GDPR) is a European law adopted by the European Parliament in May 2017, with 392 votes in favour, one abstention and one against, that governs how companies, EU-based or not, use and handle personal data and was a. It replaces the outdated 1995 Data Protection Directive.

The GDPR establishes a new standard for the protection of digital personal data related to behaviour on the Internet and in the real world. This standard applies to the private data of internet users in the EU, regardless of which company holds its data.

Simply put, if you have customers in an EU country and collect data about those customers as a result of your business transactions, you are subject to the provisions of the GDPR. This is because the size and scope of a company mean that any company with an internet presence can potentially be subject to this law. This covers any business that does business with EU citizens, regardless of its location or line of business.

It replaces the existing law on the use of personal data, enters into force on 25 May 2018, and applies to businesses in the European Union (EU) and also to all members of the EU and the EEA, replacing many statutes in current legislation that are contained in the European Convention on Human Rights (ECHR) and European Union (EU) law.

According to the EU GDPR website, the legislation aims to harmonise data protection laws to improve the protection and rights of individuals. Many aspects of the existing law remain, including laws based on data protection principles. Europe has long disagreed with the United States and other countries on how data should be protected and regulated.

This is because public concern about privacy dominates the business sector and ensures that the way companies use their citizens’ personal data is always taken into account, according to the European Commission.

The General Data Protection Regulation (GDPR) is one of the most significant changes to data protection law in the EU in recent years.

The Council of Europe negotiated many OECD recommendations, codified in the European Convention on Human Rights (ECHR) and the International Covenant on Civil and Political Rights. These guidelines, which were also signed by the United States, defined personal data as information relating to identifying a person.

Even then, however, there were signs that the EU was moving towards greater protection of privacy. For example, the European Union (EU) enforced rules to protect the privacy of its citizens, such as the Data Protection Directive (DPD) and the Digital Single Market Directive.

GDPR takes into account the challenges of a rapidly evolving digital world, which entails privacy risks for the person concerned and will be more detailed and precise in some areas, and stricter in others. It marks a significant change in the way organisations, businesses, and individuals deal with customer information and will change the way they deal with it. In general, the Regulation applies to all personal data collected, stored, processed, or used in any way, including electronic or paper records.

From the point of view of IT security, a Data Protection Impact Assessment (DPIA) should, therefore, be one of your organisation’s core concerns. The GDPR looks at the data protection impact assessment from the perspective of IT security, with ISO 27001 playing an important role. There is a need to assess the risk of personal data being breached and the potential impact on your business and your customers.

One of the aims of the regulation is to strengthen the protection of personal data and the right to privacy while facilitating the free flow of personal data.

The GDPR will play a crucial role in categorising and assessing these risks, and on the basis of this assessment, the implementation of guidelines to protect your organisation and comply with the GDPR may require you to remove documents containing personal data of EU data subjects. However, compliance with the GDPR typically involves not only a risk assessment of the risk of infringement but also a thorough analysis of where personal data is stored and whether there is a legal justification for storing and processing this information.

Articles 25 and 32 devote a good deal of their time to the technical and organisational measures required by the Regulation to ensure compliance with the requirements of the GDPR and the protection of the personal data of EU citizens concerned. The first configuration awareness can be used as a starting point for implementing these measures in your company and as part of your overall compliance strategy.

As we have seen with the recent high-profile breaches, public and regulatory authorities are losing tolerance for arbitrary security operations. It is essential for information security professionals to understand what constitutes the normal use of information resources and when changes occur in the environment.

Many of these requirements do not relate directly to information security, but the processes and system changes required to comply with them could affect existing security systems and protocols. None of us want to fend off a regulator that asks us why we need to do this, and the compliance process could cause significant disruption to our business.

To take compliant steps, organizations need to understand what data they have, who has access to it, and which applications and systems are involved in transferring the data. Business departments, in cooperation with IT, are responsible for knowing why data is collected, how long it is kept, and how to ensure that data subjects can exercise their legal rights under the GDPR.

This means knowing where and how the information moves, who has access to it, and what they do with it. If you do not know where your information is, what it is crucial for, or who has access to it, you are in a less secure situation than if you are currently in compliance with the GDPR and other provisions.

The Internet is full of articles and comments dealing with these issues and roles without, in my opinion, creating much clarity about the role of information security in the GDPR.

Translated from: https://medium.com/swlh/general-data-protection-regulation-gdpr-from-the-information-security-perspective-3e6ba2329d88
