标准2025通用数据保护条例(GDPR)将于5月25日在欧盟全面生效,这意味着数据隐私法规的重大变化。 对于企业来说,不遵守GDPR的高昂成本可高达全球年营业额的4%或2000万欧元。目前有三项标准涉及相关内容,它们是ISO / IEC 27001 、/ ISO / IEC 27018、和 BS
10012——通用数据保护法规包,遵守这三项自愿性协商一致标准指南有助于符合新法规的法律要求。
尽管GDPR将应用于欧盟内部的组织,但是如果它们向欧盟数据主体提供商品或服务或监控其行为,它也会影响欧盟以外的组织。该条例取代了数据保护的95/46 / EC指令,旨在协调整个欧洲的数据隐私法律,保护和授权所有欧盟公民的数据隐私,并重新制定整个地区
的组织机构处理数据隐私的方式。
ISO / IEC 27001,ISO / IEC 27018和BS 10012三项标准—可以帮助企业充分遵守GDPR。这些标准提供了采用欧洲GDPR所有必要的指南,因为标准中包括管理安全技术,个人可识别信息和数据保护。
ISO/IEC 27001:2013,信息技术——安全技术——信息安全管理体系——要求,明确了在组织范围内建立、实施、维护和持续改进信息安全管理体系的要求。它还包括根据组织的需要评估和处理信息安全风险的要求。
ISO/IEC 27018:2014,信息技术-安全技术-用于保护作为PII处理器的公共云中的个人可识别信息(PII)的规程,根据ISO/IEC 29100关于公共云计算环境的隐私原则,确立了共同接受的控制目标、控制和实施措施的指南,以保护个人可识别信息(PII)。
BS 10012:2017,数据保护,个人信息管理体系规范的制定是为了有效实施GDPR,该项标准的施行将为各组织实施恰当的“信息治理”战略提供支持。
The GDPR and Business Compliance: Access the General Data Protection Regulation Standards Package
The General Data Protection Regulation (GDPR), which goes into effect on May 25 across the European Union, means major changes in data privacy regulation. For businesses, the high cost of non-compliance with the GDPR is a fine of up to 4 percent of annual global turnover—or €20 Million. Three standards, available as the ISO/IEC 27001 / ISO/IEC 27018 / BS 10012 – General Data Protection Regulation Package, and adherence to their voluntary consensus guidelines can help to comply with the legislative requirements of the new regulation.
While the GDPR will apply to organizations located within the EU, it will also impact organizations located outside of the EU if they offer goods or services to, or monitor the behavior of EU data subjects. The regulationreplaces the Data Protection Directive 95/46/EC, and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reformulate the way organizations across the region approach data privacy.
The standards ISO/IEC 27001, ISO/IEC 27018, and BS 10012—can help organizations adequately adhere to the GDPR. The standards provide all of the necessary guidance required to employ the European GDPR, as they include security techniques for management, personally identifiable information, and data protection.
The standard ISO/IEC 27001:2013, Information Technology-Security Techniques-Information security management systems-Requirements, specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
ISO/IEC 27018:2014, Information technology-Security techniques-Code of practice for practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
BS 10012:2017, Data protection. Specification for a personal information management system, was written in recognition of the publication of the GDPR, and utilization of the standard will support organizations in their implementation of an appropriate “Information Governance” strategy