Article Abstract

Xiao Dongmei, Tan Lige. EU Data Protection Impact Assessment and Its Implications [J]. Journal of Library Science in China (中国图书馆学报), 2018, 44(5): 76-86
EU Data Protection Impact Assessment and Its Implications
Submitted: 2018-06-08
Keywords: Data protection impact assessment; Privacy impact assessment; European Union
Funding: This paper is one of the results of the National Social Science Fund of China key project "Research on the Legal Safeguard System for the Security of Digital Academic Information Resources in the Cloud Environment" (No. 14AZD076).
Author affiliations and e-mail
Xiao Dongmei, Professor, Law School, Xiangtan University, Xiangtan, Hunan 411105; 86650210@qq.com
Tan Lige, master's student (2016 intake), Law School, Xiangtan University, Xiangtan, Hunan 411105
Abstract (Chinese):
      The EU Data Protection Impact Assessment (DPIA) regime originated in Privacy Impact Assessment (PIA). The party responsible for carrying out a DPIA is the data controller, and its regulated object is data processing that carries a high risk. The procedure comprises five stages: examination, consultation, assessment, report and safeguard, and review. The EU DPIA regime serves to prevent and control data protection risks, and enterprises that conduct one can earn greater consumer trust. DPIA regimes come in two models: guiding norms combined with industry self-regulation, and mandatory obligation. The EU DPIA regime offers important lessons for the formulation and implementation of supporting regulations for China's personal information and important data security risk assessment system, especially as regards the scope of application, the nature of the assessment, process design and institutional arrangements. 3 figures. 1 table. 19 references.
Abstract (English):
This study of the European Union's Data Protection Impact Assessment (DPIA) examines how the EU addresses data security risks in the era of big data through a sophisticated assessment system. DPIA originated from Privacy Impact Assessment (PIA) and falls within it; the main differences between the two lie in scope, nature and time of origin. The implementing subject of a DPIA is the data controller. As decision maker and implementer, the data controller plays the central role throughout the DPIA process. Its main tasks are to identify whether a DPIA is needed, organize the DPIA team, consult the Data Protection Officer (DPO) in the circumstances the law stipulates, seek the views of data subjects or their representatives on the measures after carrying out a DPIA, and consult the supervisory authority in advance when the risk is high.
The regulated object of a DPIA is processing that is likely to result in a high risk to the rights and freedoms of natural persons. Because adopting a new technology is often risky, the GDPR treats it as the general statutory high-risk situation. In addition, the GDPR lists three specific high-risk situations: systematic evaluation of personal information based on automated processing, large-scale processing of sensitive data, and large-scale systematic monitoring of a publicly accessible area.
A DPIA involves five stages: examination, consultation, assessment, report and safeguard, and review. The examination is a preliminary analysis of the processing concerned to decide whether a DPIA is needed. Consultation is interspersed throughout the examination, assessment, report and safeguard stages. Building on the information gathered during the examination, the assessment determines the protection objectives, identifies potential attackers, their motives and the types of attack outcome by walking through the project or plan, and then settles the assessment criteria.
The risk level of the project or plan is determined against those criteria, and the results of the assessment must be audited by a neutral and objective body. After the assessment, the data controller must produce and publish a DPIA report in a prescribed format; for the different risk levels found, four response modes are available (control, acceptance, termination and transfer), which may be used separately or in combination. In the review stage, once the report is complete, the data controller verifies, where necessary, whether the processing has adopted the safeguards called for by the assessment results; the purpose of the review is continuous monitoring.
The EU DPIA strengthens the prevention and control of data risks by establishing data controllers' obligations and a sophisticated process. On one hand, these arrangements help the companies concerned save costs and gain consumers' trust and market reputation. On the other hand, they help data subjects achieve control over and protection of their own data. Judging from the evolution from the EU PIA to the DPIA and the development of its models, China has two legislative options for data protection impact assessment. The first is to actively promote industry self-regulation on the basis of national guidance. The second is to make data protection impact assessment a mandatory requirement. The EU DPIA can serve as a meaningful reference for the formulation and enforcement of Chinese laws and regulations on a security risk assessment system for personal information and important data, especially as to the scope of application, the nature of the assessment, and the design of the process and institutions for security risk assessment. 3 figs. 1 tab. 19 refs.