The deadline for the EU's GDPR [1] is approaching. From 25 May 2018, any organization that fails to meet the new regulation faces fines of up to 4% of global annual revenue or EUR 20 million, whichever is greater, and the risk that its further data processing activities are suspended. So whether or not your organization is based in the EU, if you process the personal data of EU citizens in any way, you must comply with the regulation.
That said, GDPR should not be seen as just another compliance burden handed down in an obscure official document. For proactive organizations it is an opportunity to redefine their relationship with customers in the digital economy.
In this blog series we will look at the regulation in more detail and what it means for us:
- Part 1 introduces GDPR, covering its basic principles and the key measures it specifies.
- Part 2 explores what GDPR means for your data platform.
- Part 3 discusses how MongoDB's products and services support GDPR compliance.
- Part 4 discusses how MongoDB customers are implementing GDPR, with several case studies.
If you can't wait for all four parts and want everything now, you can download the full GDPR: Impact to Your Data Management Landscape white paper.
Basic principles of GDPR
Cybercrime is predicted to cost the global economy $6 trillion annually by 2021, up from $3 trillion in 2016. Described by some as "the greatest threat to every company in the world", it has made data security a growing public concern, not only in terms of how criminals use stolen data to commit fraud, but also in terms of how the organizations we deal with use our personal data. Many people are asking whether the data they hand over in exchange for goods, services and employment can be used to:
- Damage our reputation?
- Deny us health care or financial services we might need?
- Discriminate against us on the basis of political views, religion, community or race?
- Reduce our autonomy, freedom and individuality?
The European Union's General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, was designed to address these concerns. Protecting the individual, the "data subject" in GDPR terms, is no longer merely a legal obligation on the organizations that collect and process personal data; it is recognized as a fundamental right of every EU citizen. GDPR entered into force on 24 May 2016 and applies from 25 May 2018.
It defines a set of requirements and controls governing the collection, storage, processing and sharing of EU citizens' personal data. Even so, Gartner predicts that more than 50% of the companies affected by GDPR will not be fully compliant by the end of 2018, nine months after the rules take effect.
The previous framework, the Data Protection Directive 95/46/EC, had increasingly come to be seen as inadequate, for two reasons:
- As a directive, it was implemented differently in each member state, creating complexity, uncertainty and cost. These inconsistencies undermined both users' trust in the emerging digital economy and the EU's competitiveness in global markets.
- Technological change over the past two decades has allowed private companies and public authorities to collect and use personal data on an unprecedented scale. Social networks, cloud computing, e-commerce, web services, mobile devices and apps, the Internet of Things, machine learning and so on have all outgrown the existing rules.
The GDPR reforms were introduced to give EU citizens more control over their personal data. As part of this, the definition of personal data was broadened to cover any information that identifies a person, whether directly (a name, identification number, location data or online identifier) or indirectly, through one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Key measures of GDPR
In an EU survey, nine out of ten Europeans said they were concerned about mobile apps collecting their personal data without consent, and seven out of ten were worried about how companies might use the data they disclose. GDPR tries to address these concerns through a series of new measures:
- Individuals must give explicit consent to the collection of their data; consent "by default" (pre-ticked boxes, silence or inactivity) is no longer valid. Organizations seeking consent must also state clearly how the data will be used, how long it will be retained and whether it will be shared with third parties. Individuals may withdraw consent at any time without detriment. If the data is to be processed for purposes beyond those originally consented to, fresh consent must be obtained.
- The "right to be forgotten", also known as the right to erasure: when a data subject asks that their data no longer be retained, the organization must delete it unless it has legitimate grounds for keeping it (for example a legal obligation to retain records).
- Individuals must be given easier access to their personal data: the ability to see what data is held about them, how it is processed and who it is shared with, and to receive it in a machine-readable form so it can be moved between service providers (data portability).
- The right to know the logic behind automated decisions made on the basis of their personal data, and to contest them, for example a transaction declined because of a risk score produced by a machine-learning algorithm.
- When personal data is breached, the breach must be reported to the member state's supervisory authority (the independent public body responsible for monitoring the application of GDPR in that state) within 72 hours of the organization becoming aware of it, and affected individuals must be informed where the breach is likely to put them at high risk, so that remedial measures can be taken.
- Data protection by design and by default: data protection controls must be built into products and services from the earliest stage of development, and privacy-friendly default settings must be used in every application that collects personal data.
- Organizations found to be non-compliant face punitive fines of up to 4% of global annual revenue or EUR 20 million, whichever is greater.
The new rules aim to give every organization that processes EU citizens' data a single, clear and consistent set of privacy rules, not only within the EU but worldwide, as a condition of offering goods and services in the EU.
GDPR introduces specific terms for roles and responsibilities within an organization, including:
- Data Protection Officer (DPO): an individual designated by a data controller or processor to advise on GDPR obligations. The DPO reports to the highest level of management and acts as the organization's point of contact for the supervisory authority.
- Data controller: the organization that decides why and how personal data is processed, typically the one that collects it from data subjects (individuals).
- Data processor: an organization or individual that processes personal data on behalf of the controller, whether internal staff such as business analysts or developers, or external service providers such as credit-rating agencies or payroll processors. Put simply, any entity or individual that handles personal data on the controller's behalf is a processor.
Definition of a data breach under GDPR
It is important to understand what a data breach means in the context of the new regulation. GDPR's definition is broader than the unauthorized disclosure of, or access to, personal data: it also covers integrity and availability, so the approach to data protection must go beyond the narrow notion of access control. The GDPR text states:
*"personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed*
Part 1 summary
This concludes Part 1 of the GDPR blog series. Part 2 examines the specific GDPR requirements and maps them to a set of required database capabilities.
For a comprehensive description of the provisions, roles and responsibilities of GDPR, readers are advised to consult the text of Regulation (EU) 2016/679 as published in the Official Journal of the European Union, and to take legal advice on how the rules apply to their own organization. In addition, the capabilities described in this blog series are only effective if the database is deployed according to the guidance in the MongoDB security documentation. Readers should consider engaging MongoDB Global Consulting Services to assist with implementation.
This article is translated from: https://www.mongodb.com/blog/post/gdpr-impact-to-your-data-management-landscape-part-1?jmp=twt
- [1] GDPR: General Data Protection Regulation.