EU GDPR and China's Cybersecurity Law: Enforcement

Learn about ESET's business solutions
What is the GDPR?

The GDPR is the EU's new regulation on data protection for businesses. It will be enforced from 25 May 2018, and businesses that have not complied by then will face substantial fines.

The regulation applies to any business established within the EU and to businesses outside the EU that offer goods or services within the EU. Businesses meeting these criteria must complete the relevant data protection measures before the deadline, including:

Establishing a cybersecurity plan | Encrypting personal data

Under the GDPR, any business that fails to meet the requirements by the deadline can be fined up to 4% of its annual global turnover or EUR 20 million, whichever is higher.

ESET, one of the world's four largest endpoint security vendors with 30 years of experience in network protection, offers a range of endpoint security technologies and encryption services, tailoring GDPR-compliant solutions for businesses of every size.


Online compliance check

Does your organization comply with the regulation?

Complying with the GDPR step by step

The impact of the GDPR is complex, so we have divided the compliance process into three categories of measures you should consider, each broken down into more detailed explanations of the individual areas. Simply click on the bars in the diagram below to view these areas.

In summary

Some of the principles set out in the GDPR are a continuation of those set out in the existing Data Protection Directive, namely: fairness, lawfulness and transparency; limitation of purpose; data minimization; data quality; security, integrity and confidentiality.

The GDPR establishes a new accountability principle by making data controllers responsible for demonstrating compliance with the principles. In addition, the GDPR adds new aspects to the existing data protection principles, as follows:

Lawfulness, fairness and transparency – Personal data must now be processed in a transparent manner in relation to the data subject.

Limitation of purpose – With some caveats, archiving of personal data which is in the public interest will not be considered incompatible with the original processing purposes.

Storage – Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Accountability – The data controller becomes responsible for, and must be able to demonstrate, compliance with the principles.

Organizational structure requirements

Under the GDPR, you must implement a wide range of measures in order to ensure that you reduce the risk of breaching the GDPR and to allow you to prove that you take data governance seriously. Among the necessary accountability measures are: Privacy Impact Assessments, audits, policy reviews, activity records and (potentially) appointing a data protection officer (DPO).

The GDPR introduces an obligation for certain organizations to appoint a Data Protection Officer (DPO). Such organizations must appoint either a staff member or an external consultant as their DPO.

If you are a marketer with a large consumer database, you will probably need to appoint a DPO; national data protection authorities are expected to provide guidance on who qualifies.

Your DPO will be responsible for monitoring compliance with the GDPR, advising you of your obligations, advising on when and how a privacy impact assessment should be carried out, and be the contact point for enquiries from national data protection authorities and individuals.

The concept of a one-stop shop allows an organization established in several EU countries to deal with only one national data protection authority, although the rules for determining which DPA takes this role, and how it handles complaints, are complex in some cases.

Processes, procedures and policies

The GDPR redefines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

This is a broader definition than before and does not take into consideration whether the breach creates harm to the individual. If you suffer a data security breach, you must inform your national data protection authority immediately, or no later than 72 hours after discovering the breach.

However, you are exempted from notifying individuals if you have implemented appropriate technical and organizational measures to protect the personal data, such as encryption.

An important part of complying with the GDPR is privacy by design, i.e. designing each new process or product with privacy requirements front and center. This approach, while previously best practice, is now an explicit requirement.

A data protection impact assessment, also known as a privacy impact assessment (PIA), is intended to identify and minimize non-compliance risks.

The GDPR makes PIAs a formal requirement; specifically, controllers must ensure that a PIA has been carried out on any “high risk” processing activity before that activity begins.

If you operate internationally, your rules and processes for transferring data to non-EU jurisdictions will be a significant consideration, as the penalties for non-compliance or transfer of data to jurisdictions not recognized (by the European Commission) as having adequate data protection regulation will become much more severe under the GDPR.

Awareness of data security

Now is the time to start explaining the need for GDPR compliance to your own employees. You may already need to start planning revised procedures to deal with the GDPR’s new transparency and individual rights provisions. This could have significant financial, IT and training implications.

Accountability - technical measures

The GDPR makes controllers responsible for demonstrating compliance with its data protection principles. You will therefore need clear policies in place to prove that you meet the required standards: regularly monitor, review and assess your data processing procedures, build in safeguards, and ensure that your staff are trained to understand their obligations. You must also be ready to demonstrate all of this at any time when your national data protection authority requires it.

Data breach – technical measures

You must prepare for data security breaches (defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) by putting clear policies and tested procedures in place, so that you can react to any data breach and notify it where required.

Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

Ensure data subject rights - technically

The GDPR strengthens the rights of data subjects, for example by adding the right to require information about data being processed about themselves, access to that data in certain circumstances, and correction of data which is wrong.

One of the main aims of the GDPR is to bolster the rights of individuals. As a result, the rules for dealing with subject access requests will change, and you will need to update your procedures to reflect this.

In general, you will not be allowed to charge for complying with a request; also, you will typically have only one month to comply (the current limit is 40 days).

The right to be forgotten (‘erasure’ in the terminology of the GDPR) allows individuals to require your data controllers to erase their personal data without undue delay in certain situations, for instance where there is a problem with the underlying legality of the processing, or where they withdraw consent.

Third parties with whom you share individuals’ data are also covered by these rules.

The GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement”; however, there is some ambiguity about how data subjects’ right not to be subject to decisions based on profiling will be enforced.

The GDPR introduces a new right to data portability. This goes beyond individuals’ existing right to require that you provide their data in a commonly used electronic form: it requires the controller to provide the information in a structured, commonly used and machine-readable form.

There are some limits to this rule, for instance it only applies to personal data processed by automated means.

As part of its aim to bolster the rights of individuals, the European Commission is also granting a right to restrict certain processing and a right to object to personal data being processed for direct marketing purposes, including profiling activities for direct marketing purposes.

Once an individual objects, their data must not be processed for direct marketing any further and the individual’s contact details should be added to an in-house suppression file.

Organizations must inform individuals about their right to object to the processing of their data in a way which is explicit and separate from other information which they must also provide to individuals.

Communicating privacy info (consents, fair processing notices)

You may need to review how you seek, obtain and record consent; a data subject’s consent to processing of their personal data must be as easy to withdraw as to give, and must also be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity.

The GDPR grants special protections when it comes to the handling of personal data pertaining to children, particularly in relation to commercial internet services like social networking.

Online, prior parental consent is required for the use of personal data of anyone under 13 years of age; Member States can set their own rules for those aged 13 to 15. If they choose not to, parental consent is required for children under 16 years of age.

As a result, you should start thinking about how to implement robust systems to verify individuals’ ages and to gather parents’ or guardians’ consent to process such data.

Consent must be verifiable, and when collecting children’s data your privacy notice must be written in language that children will understand.

The GDPR will probably increase the range of things you have to tell data subjects, for instance your legal basis for processing their data, your data retention periods and their right to complain to their national data protection authority if they think there is a problem with the way you are handling their data; note that the GDPR requires this information to be provided in concise, clear language.

Data security (integrity and confidentiality)

The GDPR sets out data security principles similar to those in the current directive, including: fairness, lawfulness and transparency; purpose limitation; data minimization; data quality; security, integrity and confidentiality.

You must ensure that personal data is processed in a manner that ensures its security, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage: “The organisation and any outsourced service provider shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk”.

The regulation suggests a number of security measures which can be used to achieve data protection, including: pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring personal data processing security.

The GDPR specifies encryption as one approach that can help to ensure compliance with some of its obligations. To quote from the regulation:

Article 32 – Security of processing

“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data […]”

Article 34 – Communication of a personal data breach to the data subject

“3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption […]”

Data documentation, legal basis and audit

You should document what personal data you hold, where it came from and with whom you share it.

If you have inaccurate personal data and have shared this with another organization, the GDPR requires that you tell the other organization about the inaccuracy so that it can correct its own records. To do this may require an information audit across your organization or within particular business areas. This will also help you to comply with the GDPR’s accountability principle.

Under the GDPR, you should examine how you process personal data and identify the legal basis on which you carry out and document these processes.

This is necessary because some individuals’ rights will be modified by the GDPR depending on your legal basis for processing their personal data. One example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. However, consent is just one of a number of different ways of legitimizing processing activity and may not be the best (as it can be withdrawn).

The information presented on this webpage does not constitute a legal opinion, and users should not rely on its accuracy when making financial or business decisions. ESET will not be liable for outcomes resulting from such actions. Always seek independent legal advice.

Join our GDPR webinar

Talk to our experts about how the new General Data Protection Regulation will affect your business. ESET is hosting webinars to explain the issues around the GDPR. These webinars are free to attend: just sign up below and we’ll invite you to the next event.

What is China's Cybersecurity Law?

On 1 June 2017 the Chinese government brought the Cybersecurity Law into force. It requires anyone operating in China, including those providing services over the internet, to fulfil network security obligations so as to prevent data leakage and unauthorized destruction, tampering or theft of data.

The law's requirements include:

Storage and security controls for personal information
Encryption of data in transit
Procurement of network security products
Destruction of media containing personal information, including electronic media
Regular data backups
Security testing and assessment at least once a year



Learn about ESET's business solutions

EU GDPR quick guide

Ready to comply with the new data rules? The EU's new GDPR explained.

Download now

Is the GDPR good news or bad news?

Want to learn more about the most important changes introduced by the GDPR and what they mean in practice? The pros and cons of the reform for businesses.

Download now

Learn about ESET's solutions
