EU General Data Protection Regulation

Running an online business is difficult enough but it is going to get a little more challenging once the new data protection laws come into effect on the 25th May 2018. The new General Data Protection Regulations (GDPR) are designed to give individuals more rights over their data and ensure that data is better protected by those who keep it – and that includes online businesses. In this post, we’ll look at the implications GDPR has for online businesses.

What are the new rights of consumers?

According to the ICO, the new legislation will give people a range of new rights over personal data held about them. These include being given clearer information about how their data is processed and used – indeed, in some circumstances, explicit consent will be needed before processing can go ahead.

Individuals will also have improved access to any data you hold on them and have the ability to rectify any errors. They will also have the right to be forgotten, which means that customers who leave you can have all their data permanently erased.

In addition, people must be informed if data about them is accessed by unauthorised entities, e.g. if you are hacked or if an employee loses data. They will also have more control over any automated decisions companies make using data profiling.

What are the implications for online business?

One of the biggest challenges for online businesses will be the need to keep records of user consent. From next year, when an individual gives you consent to store and process their personal data, you will need to keep a comprehensive record of how and when that consent was given. And that consent has to be explicit, not inferred.

People will also be able to withdraw consent at any time, and the new regulations mean that when they do, their details must be permanently deleted. Their right to be forgotten means you cannot just move details from an active list to an inactive one.

The new rules regarding data breaches are perhaps the ones which have the biggest impact. If data is lost or stolen, either through deliberate hacking or accidental loss, you will have a maximum of 72 hours to inform the ICO of the full details of the breach and submit plans for how you will deal with the effects. You may also need to inform all those whose data is lost. Failure to protect data is now punishable by a fine of up to 4% of global annual turnover or €20 million, whichever is higher.

In order to protect against data breaches, organisations will now need to keep track of all personal data. You’ll need to know exactly what data you hold on each person and where that data is stored. This might not be too difficult for organisations where data is held centrally, but for those where each member of staff has copies of data held separately on individual devices, it might be far more challenging. If an employee leaves a pen drive containing personal data on a train and you are not aware of it, the repercussions will be significant.

Privacy by design and by default

One of the cornerstones of the new act is to make sure that privacy is at the heart of all projects that businesses carry out – what the ICO call ‘privacy by design and privacy by default’. This means that online businesses must take into account the effect that personal data processing can have on a customer’s privacy. Every process which involves personal data or affects the privacy of an individual should be designed with data protection compliance in mind.

The aim of this is to ensure that the highest levels of security are in place in any IT system or business procedure to automatically protect personal data. In other words, the customer should not need to do anything themselves to protect data held on your system; that protection should be built in by default. The intended outcome is that privacy becomes an integral part of the design and architecture of IT systems and business procedures, instead of being an afterthought.

Things to do

As an online business, there are a number of things you will need to do to make yourself ready for the implementation of GDPR. These include:

  • Audit what personal information you currently take, process and store.
  • Assess how you can ensure that customers are fully aware of how and why the information is being taken, processed and stored and that you have their consent to use it.
  • Find ways to make sure customers can remove consent if they wish and have information permanently deleted if desired.
  • Audit where information is stored and processed in your business and ensure that records of what is stored, where it is stored and how it is processed are kept. Where possible, centralise data storage to reduce risk.
  • Ensure that each place of storage has the highest levels of security in place: firewalls, intrusion monitoring, virus monitoring, strong passwords, access control, encryption, use of pseudonyms, etc.

Conclusion

GDPR will soon be law and will remain in force even when the UK leaves the EU. Any online business that takes email addresses, credit card details or any other form of personal information will be legally obliged to comply with it. It is important, therefore, to start taking measures now, so that by the time the law comes into force, you have everything ready.

If you run an online business and are looking for highly secure hosting for your website and systems, including SSL, PersonalSign authentication, email scanning, server monitoring, intrusion protection, remote backups, and more, check out our range at eUKhost.com.

Translated from: https://www.eukhost.com/blog/webhosting/how-the-new-general-data-protection-regulations-affect-online-business/
