Statement

Personal originality , Reprint should indicate the source https://www.cnblogs.com/milton/p/15885344.html

The history and current situation of personal information protection

The legislation of personal information protection can be traced back to Hesse, Germany 1970 year 《 Data protection law 》. thereafter , Switzerland （1973）、 The French （1978）、 The Norwegian （1978）、 Finland （1978）、 Iceland （1978）、 Austria （1978）、 Iceland （1981）、 The Irish （1988）、 Portugal （1991）、 Belgium （1992） And other countries have issued personal information protection laws .

1973 Released in the United States “ Fair information practice guidelines ” The report , Established five principles for processing personal information ：

1. Prohibit all confidential personal information file keeping systems ;
2. Ensure that individuals understand what archival information they are collecting , And how information is used ;
3. Ensure that individuals can prevent unauthorized use of their information for purposes other than their authorized use , Or provide its information to others , For purposes other than personal authorization ;
4. Ensure that individuals can correct or modify files about personally identifiable information ;
5. Ensure that the personal information in any organization's planned use information file must be reliable , And precautions must be taken to prevent abuse .

stay “ Fair information practice guidelines ” Based on the basic framework of personal information protection , The United States has also formulated 《 Consumer online privacy law 》《 Children's online privacy protection act 》《 Electronic Communications Privacy Act 》《 Financial Services Modernization Act 》（GLB）《 Health insurance circulation and liability law 》（HIPAA）《 Fair Credit Reporting Act 》.

Corporate responsibilities in the personal information protection law

China's 《 Personal information protection law 》 stay 2021 year 8 month 20 Passed by , Among them, for enterprises ( Institutions ) The regulatory requirements are ( excerpts )

• Article 28 Sensitive personal information is disclosed or illegally used , It is easy to cause the human dignity of natural persons to be infringed or personal 、 Personal information whose property safety is endangered , Including biometrics 、 Religious beliefs 、 Specific identity 、 Health care 、 Financial accounts 、 Information such as whereabouts and trajectories , And personal information of minors under the age of 14
• Article 45 An individual requests to transfer his personal information to his designated personal information processor , Meeting the conditions stipulated by the national network information department , The personal information processor should provide a means of transfer
• Article 47 Under any of the following circumstances , The personal information processor shall take the initiative to delete the personal information ; The personal information processor did not delete , Individuals have the right to request deletion , The third point Individual withdrawal of consent ;
• Article 54 The personal information processor shall regularly comply with the law for the processing of personal information 、 Conduct compliance audit in accordance with administrative regulations .
• Article 55 Under any of the following circumstances , The personal information processor shall conduct a personal information protection impact assessment in advance , And record the treatment
• Article 61 The department performing personal information protection duties shall perform the following personal information protection duties , The third point Organize to evaluate the protection of personal information such as applications , And publish the evaluation results

《 Personal information protection law 》 We have made a clearer definition of privacy data

• Specifies the personal information processor ( Enterprises and institutions ) Behavior requirements : compliance , Audit , The report , Evaluation .
• Specify the data processing requirements : classification , classification , to grant authorization , Transfer and destruction

The right to carry is borrowed from the European Union 《 General data protection regulations 》（GDPR） Establishment of data portability right , because " Transfer " and " The destruction " The existence of two requirements , Privacy data management is no longer an enterprise behavior , Third party supervision is needed .

Enterprise GRC management

GRC yes Governance, Risk, Compliance Abbreviation , In Chinese, it means " government , risk , compliance ", According to Chinese habits, it can be called risk compliance governance . Corporate responsibilities in the personal information protection law , Belong to GRC The functional scope of . At home , This piece is basically blank , Small businesses basically ignore , This part of the functions of large and medium-sized enterprises is mainly undertaken by the legal affairs and public relations departments , But it only stays at the level of manual processing , See the problem, deal with the problem , It's hard to deal with what you don't see in advance . stay 《 Personal information protection law 》 After implementation , Manual operation GRC Management becomes unrealistic .

From a market perspective GRC product

2016 year 11 month 7 Adopted by Japan 《 Network security law 》 Already since 2017 year 6 month 1 The effective date , A new term has emerged in the network security law, which is called network security level protection , Classify and supervise the security of enterprise information , In the security industry, it has promoted a security evaluation organization , The market composed of solution integrators and related security software and hardware manufacturers , 2021 Year begins , Enterprises that have done grade filing should be forced to conduct annual evaluation .

and 《 Personal information protection law 》 Release , It is almost certain that the supporting regulatory rules for the level protection of personal information will be issued , Under this new demand, new markets will emerge . if 《 Network security law 》 It is to supervise the unilateral data access of the enterprise , that 《 Personal information protection law 》 That is to strengthen the supervision of data grading and authorization , And the form is no longer the behavior of the enterprise , It's the behavior of both enterprises and individuals .

Enterprises in Europe and the United States have already carried out services in this field , 2016 Established in OneTrust It is the leading enterprise in this field Gartner Review, Headquartered in Atlanta and London , More employees than 1500 people .

GRC Product function

Because there is no corresponding mature product in China , To borrow OneTrust See the function list of the product series

• Privacy management : assessment , consulting , train , Implement a Privacy Impact Assessment 、 Data protection impact assessment 、 Design privacy and other internal privacy and security assessments , Maintain data flow , Cross border transmission and complete processing records ,
• Data discovery and classification : Yes IT Analyze and classify the data in the system , Maintain data mapping and compliance
• Supplier risk management : Manage the whole life cycle of suppliers , Evaluate vendor privacy and security practices , Link the supplier to your processing records , And work with suppliers to assess the impact of cross-border data transmission
• Emergency response : Formulate incident response plan and plan , Provide complete guidance on automatic violation notification of violation notification laws , Quickly remedy potential risk factors
• rights of privacy (DSAR) compliance ( consulting ): Use for GDPR、CCPA、LGPD And other privacy regulations with privacy rights , Manage complete privacy rights from receipt to fulfillment (DSAR) Request workflow
• Target data governance : Use machine automation to complete the manual tasks required for privacy requests , Including the discovery of 、 Delete and update others IT Personal data in the system
• DSAR edit : Use AI driven classification to scan and edit files and emails , As a right of privacy (DSAR) Part of the fulfillment process
• CCPA Toll free number : By leveraging managed service options for shared or dedicated lines , Or with your existing IVR Provider integration , Satisfy CCPA Requirements for free number retrieval options for consumer rights
• Cookie testing : Scan the website to identify cookie Collection mechanism , Generate specific cookie Authorization tips
• Mobile application detection : Scan mobile applications , Generate application analysis 、 Advertising and other types of mobile tracking licenses
• Policy and notification management : Focus on creating 、 Edit and distribute privacy policies 、 Notification and disclosure
• Information technology security risk management : distinguish 、 To measure 、 The report 、 Respond to and monitor business data risks
• Audit and control management : Simplify the audit work through a guided workflow , To meet the reporting requirements
• Supplier risk management : Centrally manage supplier lifecycle and cross team work through automation
• Strategic management : Map business practices to standards that comply with internal rules and external regulations

You can see from above , Product forms can be divided into three categories : Evaluation and consultation , Compliance program , system service , The target is not only the customer itself , It also includes the upstream and downstream industries of customers .

From the perspective of enterprises GRC The implementation of

GRC The implementation of will be a challenge to the existing data form , Because of the classification of data , The cost of authorization and governance will far exceed the cost of the enterprise business itself , Before the introduction of regulatory rules , It is not possible to carefully evaluate the difficulty of realizing these functions , But predictably , This will bring about changes in the way enterprises store data .

GRC There may be three forms of implementation

Form one : Enterprise entity maintenance

As a separate entity , Enterprises maintain data security by themselves , classification , classification , Authorization and destruction , The process may be self research and procurement of third-party services . This form will bear all the costs , Also get the maximum degree of freedom .

Form two : Third-party platform

Cut private data from non private data , All private data is processed by third-party platforms , The enterprise only retains the non privacy part , This form GRC The cost of is borne by the third-party platform , Enterprises only need to pay for services , Or take the data value as the exchange without paying . The advantage of this form is to reduce costs , The disadvantage is that the business has to bear the risk of third-party platforms .

Form three : National platform

Same as form two , However, private data is maintained and operated by national institutions , Enterprises need authentication access , Similar to the current state credit center , This pattern is due to the inefficiency of government agencies , Unable to cope with a large number of enterprises , It will change to national concentration , The way of channel authentication , The channel of market operation , Provide services for enterprises under certain licenses .

Last

For the emerging regulatory needs , and 《 Network security law 》 equally , We need to observe specific cases for twoorthree years , Waiting for a clear explanation and detailed rules of administrative law enforcement . For enterprises in the security industry , You can know the regulatory requirements in advance , Layout products and services , Evaluate the impact on the future Internet industry .