Privacy risk is the likelihood that an individual will experience problems as a result of data processing, together with the impact should those problems occur.
What is the impact of privacy risk?
In the past few years, many new privacy laws and regulations have come into effect: the EU General Data Protection Regulation (GDPR) took effect on 25 May 2018; Japan promulgated an amendment to its Act on the Protection of Personal Information (APPI) on 5 June 2020; the amended California Consumer Privacy Act (CCPA) in the United States took effect on 1 July 2020; and Brazil's General Data Protection Law (LGPD) is the most recently introduced of these laws.
In China, the Standing Committee of the National People's Congress planned to draft and issue a Personal Information Protection Law and a Data Security Law starting in 2020.
This growing body of legislation is prompting more organizations to pay attention to managing privacy risk in order to earn consumer trust and build their reputation.
What Is the Best Way to Manage Privacy Risk?
Privacy Risk Management Steps
- Stage 1: Establish privacy governance
  - Stage 1-1: Define privacy governance goals
  - Stage 1-2: Establish an enterprise privacy risk management framework
  - Stage 1-3: Realize the benefits of privacy risk management
- Stage 2: Conduct privacy risk management activities
  - Stage 2-1: Define privacy risk assessment frameworks
  - Stage 2-2: Conduct privacy risk assessments
- Stage 3: Implement risk response
  - Stage 3-1: Establish response procedures for privacy risk
  - Stage 3-2: Respond to privacy risk
  - Stage 3-3: Evaluate privacy risk response
There are three stages to manage privacy risk:
- Stage 1: Establish privacy governance. Enterprises should first define their privacy governance goals and then establish their own privacy risk management framework. A mature framework helps weigh the benefits of data processing against its risks and determine which risk responses should be taken.
- Stage 2: Conduct privacy risk management activities. Enterprises should carry out activities related to privacy risk, such as data protection impact assessments (DPIAs), privacy impact assessments (PIAs) and vendor risk assessments, whenever they are necessary.
- Stage 3: Implement risk response. Enterprises should establish suitable response procedures and select the appropriate response for each identified risk. Ongoing evaluation keeps privacy risk management effective as conditions change.
What Is the Practical Guidance for Chinese Enterprises?
Since the enactment of the Cybersecurity Law of the People's Republic of China, a series of national standards and supporting recommended guidelines have been issued. There are four steps Chinese enterprises should follow:
- Step 1: Determine the scope of applicable privacy legislation. A chapter has been added to the Civil Code addressing general principles related to the right to privacy and the protection of personal information, and the long-awaited update to the national standard on personal information protection has been released: Information Security Technology - Personal Information Security Specification GB/T 35273-2020 (short for "the 2020 Specification"). There are also sector-specific regulations on personal data protection, e.g., the Personal Financial Information Protection Technical Specification (JR/T 0171-2020), the measures on protection of financial consumers' rights and interests (referred to below as the financial consumers' protection measures), and the Financial Mobile Application Software Security Management Specification (JR/T 0092-2019).
- Step 2: Conduct personal information security impact assessment.
Personal Information Security Impact Assessment in China
- Subject: Personal information controller in China
- Target:
- Content:
- Steps:
- Step 3: Implement risk response. The third-party access management requirements added in the 2020 Specification are an example of a risk transfer approach. Enterprises should also share risk with customers (e.g., additional processing may be carried out only after obtaining the explicit consent of the personal information subject).
- Step 4: Conduct ongoing risk evaluation. The financial consumers' protection measures require financial institutions to check the potential risk to personal financial information security at least once every six months. The 2020 Specification requires Chinese enterprises to audit the effectiveness of their personal information protection policies, relevant procedures and security measures; to prevent unauthorized reading, altering or deleting of audit records; and to safeguard audit records and ensure that their retention period meets the applicable regulatory requirements.
Privacy is not just a compliance issue anymore. It is about managing consumer trust and protecting personal data throughout the data lifecycle. Implementing privacy risk management is a key step in laying the foundation for effective privacy management.
Editor’s note: For further insights on this topic, read Andrea Tang’s recent Journal article, “Privacy Risk Management,” ISACA Journal, volume 4, 2020.