
by Alex Ewerlöf


GDPR terminology in plain English

My team builds the technologies for some of the highest traffic newsrooms in Sweden and Norway. Part of the revenue comes from selling ads. Ads sell best when personalised, and for personalisation you need data. The internet’s default business model is based on ads. GDPR has big implications for online businesses like newsrooms.


But here’s the interesting part — the General Data Protection Regulation (GDPR) puts restrictions on what data can be gathered, how it can be used, and for how long it can be stored.


This post is about demystifying the core GDPR terms so everyone can understand this interesting topic. If you are European or have European users, you need to understand GDPR.


TL;DR: this is a huge shift in how personal data is gathered, from “by default” to “opt-in”. Plus some other perks.

Here is a video that sums it up at a basic level:


Before we start, a quick disclaimer: I don’t represent my current/previous employers on my personal blog. The information provided here is purely based on my own research, and doesn’t necessarily reflect my company’s policies, strategy or implementation of GDPR.


A bit of background

GDPR came into effect on May 25. Despite making developers’ and marketers’ lives harder, it’s actually a very sweet deal for the end users. GDPR prevents companies from gathering information they don’t (strictly speaking) need.


Despite starting with the word ‘General’, GDPR is actually a European Union (EU) law that applies to:


  1. Companies that are based in the EU
  2. Companies that gather personal data from European citizens.

Maybe that ‘General’ is good, because a huge part of the internet is European!


The word ‘Regulation’ in GDPR means that it must be applied in its entirety across the EU.


In the long run, this leads to privacy by design. This is a principle that calls for the inclusion of data protection from the start of designing the systems, rather than as an afterthought.


Common terminology

Here’s a list of the most common GDPR terms:


  • A Data Subject is a person (such as you and me) whose personal data is processed by a data controller (such as a company or service we use).

  • A Data Controller is an organisation that collects data from EU residents. It determines the purposes, conditions and means of processing the personal data.

  • The entity that does the actual data processing is called a Data Processor — an example might be a cloud service provider.

  • Processing involves any operation performed on personal data, whether or not by automated means. This includes collection, use, recording, feeding it to machine learning algorithms (read how ML is affected by GDPR), and so on.

GDPR for the users

Your personal data is any information that can be used to directly or indirectly identify you. For example: your name, home address, photo, email address, bank details, posts on social networking websites, medical information, or a computer or mobile IP address.


This data is usually used for profiling, in which automated processes evaluate, analyse, or predict your behaviour. As an example, knowing your age means you’ll be exposed to ads that are targeted to your age group. This is also true about data that you’re not explicitly giving to a company, like your IP address, which will be used to guess your location.


Now that GDPR is in effect, companies have limitations on what personal data they can gather and how long they can store it. They should justify why they need it.


The data controller (company) cannot just go and gather user data. They have to first ask for your permission or consent.


The consent must be explicit, both for the data collected and for the purposes the data is used for. The consent is freely given (if you say ‘no’, the company should still serve you as well as possible without your data). Consent should not be regarded as freely given if the data subject has no genuine or free choice, or is unable to refuse or withdraw consent without detriment. The consent should be specific and explicit about what data is gathered and how it is processed. The user has the right to withdraw his or her consent at any time, but more importantly, it shall be as easy to withdraw consent as to give it.


Companies can no longer force you to tick a checkbox that says “I accept all terms and conditions and privacy policies”. That is why you were getting those emails from many websites informing you about their policies before the May 25th deadline.


The area of GDPR consent has a number of implications for businesses who record calls as a matter of practice. The typical “calls are recorded for training and security purposes” warnings will no longer be sufficient to gain assumed consent to record calls.


There must be a reasonable legal basis for gathering each specific piece of data. According to the GDPR’s site, such a basis exists when:


  • Processing is necessary for the fulfillment of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular if the data subject is a child.

The most important benefit of GDPR is that it gives controls to the users to:


  1. Erase their data whenever they like (also known as the Right to be Forgotten). Data erasure requests don’t stop at the data controller. If third party data processors are involved, they too have to stop processing the data and erase it. I’m guessing there’ll be a de facto standard API for that, but so far it’s more ad hoc and depends on how services talk to each other. I’m sure in the future there’ll be services where you give them your personal info and they’ll check thousands of online services to give you an aggregated report of which sites have your information. The companies should provide a way to query whether they hold data for a particular user (without requiring registration). Trivia: this is essentially in contradiction with how Blockchain works! Read more about the implications of GDPR for Blockchain here.

  2. Own their data! The data subjects (users) can download and see their data and how it is processed. Furthermore, the data controller has to inform the data subject about the details of the processing, such as the purposes of the processing, with whom the data is shared, and how it acquired the data. This is called the right of access or subject access right. Personal data cannot be transferred to countries outside the European Union unless they guarantee the same level of data protection.

  3. Move their data to competitors. This is good for competition, and eventually the users win. The data must be provided by the controller in a structured and commonly used standard electronic format. No more lock-in! This is known as data portability. It will probably open up a whole new business segment for converting data formats from one controller to another.

  4. Update/correct their data. The data subjects have the right to ask the data controllers to immediately correct (public or private) data that is invalid.

I personally find the data breach announcement amazing.


The data controller is under a legal obligation to notify the relevant supervisory authority of any data breach without undue delay, unless the breach is likely to result in a risk to the rights and freedoms of the individuals affected.


Individuals have to be notified if an adverse impact is determined. There is a maximum of 72 hours after becoming aware of the data breach to make the report. In addition, the data processor will have to notify the data controller without undue delay after becoming aware of a personal data breach.


Do you remember when Yahoo kept its breach secret for two years? Well, not anymore!


GDPR for the governments

Since GDPR is quite a big thing, governments are involved to protect their citizens and enforce the regulations. There are two terms to understand:


  • National Data Protection Authorities (DPA) are appointed by each EU country to implement and enforce data protection law, and to offer guidance. Supervisory Authority (SA) is another name for a DPA. As set out in Chapter 16, DPAs have significant enforcement powers, including the ability to issue substantial fines. They are also the place to go in case of a violation of data protection legislation (in the scope of the GDPR for EU citizens), and for advice, specific questions and/or assistance from the perspective of organisations.

  • A Data Protection Officer (DPO) is an employee of the data controller (company) who is formally tasked with ensuring that an organisation is aware of, and complies with, its data protection responsibilities. More about this in the next section.

Each EU member has a main establishment where key decisions about data processing are made.


GDPR for the companies

The upper fine limit for contravening GDPR is pretty expensive: up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year… whichever is higher!


Companies that gather data have a responsibility and the liability to implement and demonstrate that they comply with GDPR. This is called compliance.


The companies are supposed to keep a log of who accessed what information, for when the authorities ask for an audit. Records of processing activities must be maintained, which include the purposes of the processing, the categories of data involved and the envisaged time limits.


The records must be made available to the supervisory authority on request. The interesting part is that even if the actual processing happens by another company (a data processor on behalf of the data controller), it is still the company that gathers the data that bears the main responsibility.


This whole new range of requirements is complicated enough to create a new job title: data protection officer (DPO)! This is an enterprise security leadership role responsible for overseeing data protection strategy and implementation to ensure compliance.


They also:


  • Educate the company and employees on important compliance requirements
  • Are the point of contact between the company and supervisory authorities
  • Monitor and provide advice on data protection efforts across the company
  • Keep tabs on all data processing activities at the company, including the purpose of all processing activities, which must be made public on request
  • Answer inquiries from users regarding how their data is being used, the data erasure right, and what measures the company has put in place to protect their personal information
  • Identify and reduce the privacy risks of entities by analysing the personal data that is processed and the policies in place to protect the data, which is called a Data Privacy Impact Assessment. The GDPR mandates that a DPIA be conducted where data processing is likely to result in a high risk to the rights and freedoms of natural persons.

The DPO must have a support team and will also be responsible for continuing professional development to be independent of the organization that employs them, effectively as a “mini-regulator.”


If a business has multiple establishments in the EU, it will have a single supervisory authority as its lead authority, based on where the main data processing activities take place.


GDPR for the developers

Since GDPR enforces privacy by design, it affects software architecture and its implementation. For example, we can no longer keep logs of sensitive information (as mentioned before, IP addresses are considered personal information). This makes tracing bugs a bit harder.


Privacy settings must therefore be set at a high level by default. So we have to make sure checkboxes that expose personal data are not ticked by default.


If the Cloud is used for data storage, only the data owner, not the cloud service, should hold the decryption keys.


We cannot store data for longer than necessary. Database columns should have a data retention deadline which specifies when the data should be deleted.


Personally identifiable information should be pseudonymised in a way that it can no longer be linked (or ‘attributed’) to a single data subject without the use of additional data.


Read more about pseudonymisation techniques in my newer post.

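As an added example (not code from the original post), the three developer-facing points above combined in one place: IP addresses are pseudonymised with a keyed hash before a log line is stored, so the token cannot be linked back to a client without the key, and each personal-data column carries its own retention deadline after which it is erased. The key, the column names and the retention periods are constructed for illustration.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed demo key. In production it lives in a secrets store and is rotated;
# only whoever holds it can re-link a token to an IP, which is what makes the
# token a pseudonym rather than an identifier.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def pseudonymise_ip(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 token: the same IP always gives the same token, so events from
    one client can still be grouped while tracing a bug."""
    return "ip:" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

def scrub_log_line(line: str) -> str:
    """Replace every IPv4 address before the line reaches log storage."""
    return IPV4_RE.sub(lambda m: pseudonymise_ip(m.group(0)), line)

# Per-column retention deadlines (constructed values): how long after creation
# each personal-data column may still be held.
RETENTION = {"email": timedelta(days=30), "ip_token": timedelta(days=7)}

def make_row(row_id: int, email: str, ip: str, created_at: datetime) -> dict:
    """The raw IP never enters the table; created_at anchors the deadlines."""
    return {"id": row_id, "email": email, "ip_token": pseudonymise_ip(ip),
            "created_at": created_at}

def apply_retention(rows: list, now: datetime) -> int:
    """Null out every column whose deadline has passed; returns the number of
    values erased so the run can be noted in the record of processing."""
    erased = 0
    for row in rows:
        for column, keep_for in RETENTION.items():
            if row[column] is not None and row["created_at"] + keep_for <= now:
                row[column] = None
                erased += 1
    return erased

def run_demo() -> dict:
    """Constructed sample data: two rows, checked 31 days after the first."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    rows = [make_row(1, "a@example.com", "203.0.113.7", t0),
            make_row(2, "b@example.com", "198.51.100.2", t0 + timedelta(days=20))]
    erased = apply_retention(rows, t0 + timedelta(days=31))
    return {"erased": erased, "rows": rows}

if __name__ == "__main__":
    print(scrub_log_line("2018-05-25T10:00:00Z GET /article 203.0.113.7 200"))
    print(run_demo())
```

Running `apply_retention` a second time on the same rows erases nothing, so it can be scheduled repeatedly.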

Exceptions to GDPR

What good is a law if it is not meant to be broken? Don’t get too excited about your rights because the following cases are not covered by the regulation:


  • Lawful interception, national security, the army, the police, justice
  • Statistical and scientific analysis for research
  • Deceased persons are subject to national legislation
  • There is a dedicated law on employer-employee relationships. The GDPR was developed with a focus on social networks and cloud providers, but did not consider enough requirements for handling employee data.
  • Processing of personal data by a natural person in the course of a purely personal or household activity

Acknowledgement

Thanks to my colleague Ioana Norgen for proof-reading this post before publishing. Any possible errors are still mine.


The bottom line is: GDPR is an obvious right. Europe pioneered its establishment but this should be a global right. Talk about it with your friends, colleagues and law makers if you want to enjoy the same protection and choice as Europeans.

If you liked this, you may enjoy: programming is the best job ever and how do I keep up with technology.


Translated from: https://www.freecodecamp.org/news/gdpr-terminology-in-plain-english-6087535e6adf/
