Read the book: (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide - Mike Chapple - Page 230

European Union General Data Protection Regulation


The European Union passed a new, comprehensive law covering the protection of personal information in 2016. The General Data Protection Regulation (GDPR) went into effect in 2018 and replaced the DPD on that date. The main purpose of this law is to provide a single, harmonized law that covers data throughout the European Union, bolstering the personal privacy protections originally provided by the DPD.

A major difference between the GDPR and the data protection directive is the widened scope of the regulation. The new law applies to all organizations that collect data from EU residents or process that information on behalf of someone who collects it. Importantly, the law even applies to organizations that are not based in the EU, if they collect information about EU residents. Depending on how this is interpreted by the courts, it may have the effect of becoming an international law because of its wide scope. The ability of the EU to enforce this law globally remains an open question.

The key provisions of the GDPR include the following:

 Lawfulness, fairness, and transparency says that you must have a legal basis for processing personal information, you must not process data in a manner that is misleading or detrimental to data subjects, and you must be open and honest about data processing activities.

 Purpose limitation says that you must clearly document and disclose the purposes for which you collect data and limit your activity to disclosed purposes.

 Data minimization says that you must ensure that the data you process is adequate for your stated purpose and limited to what you actually need for that purpose.

 Accuracy says that the data you collect, create, or maintain is correct and not misleading, that you maintain updated records, and that you correct or erase inaccurate data.

 Storage limitation says that you keep data only for as long as it is needed to fulfill a legitimate, disclosed purpose and that you comply with the “right to be forgotten,” which allows people to require companies to delete their information if it is no longer needed.

 Security says that you must have appropriate integrity and confidentiality controls in place to protect data.

 Accountability says that you must take responsibility for actions you take with protected data and that you must be able to demonstrate your compliance.

