submit talk/20180425 How will the GDPR impact open source communities.md

songshunqiang 2018-05-31 14:35:23 +08:00
parent ee94148ca5
commit e05b2db0d7
2 changed files with 104 additions and 113 deletions

View File

@ -1,113 +0,0 @@
pinewall translating
# How will the GDPR impact open source communities?
![How will the GDPR impact open source communities?](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/OSDC_EU_flag.png?itok=4n9j74tL "How will the GDPR impact open source communities?")
Image by : 
opensource.com
On May 25, 2018 the [General Data Protection Regulation][1] will go into effect. This new regulation by the European Union will impact how organizations need to protect personal data on a global scale. This could include open source projects, including communities.
### GDPR details
The General Data Protection Regulation (GDPR) was approved by the EU Parliament on April 14, 2016, and will be enforced beginning May 25, 2018. The GDPR replaces the Data Protection Directive 95/46/EC that was designed "to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy."
The aim of the GDPR is to protect the personal data of individuals in the EU in an increasingly data-driven world.
### To whom does it apply
One of the biggest changes that comes with the GDPR is an increased territorial scope. The GDPR applies to all organizations processing the personal data of data subjects residing in the European Union, irrelevant to its location.
While most of the online articles covering the GDPR mention companies selling goods or services, we can also look at this territorial scope with open source projects in mind. There are a few variations, such as a software company (profit) running a community, and a non-profit organization, i.e. an open source software project and its community. Once these communities are run on a global scale, it is most likely that EU-based persons are taking part in this community.
When such a global community has an online presence, using platforms such as a website, forum, issue tracker etcetera, it is very likely that they are processing personal data of these EU persons, such as their names, e-mail addresses and possibly even more. These activities will trigger a need to comply with the GDPR.
### GDPR changes and its impact
The GDPR brings [many changes][2], strengthening data protection and privacy of EU persons, compared to the previous Directive. Some of these changes have a direct impact on a community as described earlier. Let's look at some of these changes.
#### Consent
Let's assume that the community in question uses a forum for its members, and also has one or more forms on their website for registration purposes. With the GDPR you will no longer be able to use one lengthy and illegible privacy policy and terms of conditions. For each of those specific purposes, registering on the forum, and on one of those forms, you will need to obtain explicit consent. This consent must be “freely given, specific, informed, and unambiguous.”
In case of such a form, you could have a checkbox, which should not be pre-checked, with clear text indicating for which purposes the personal data is used, preferably linking to an addendum of your existing privacy policy and terms of use.
#### Right to access
EU persons get expanded rights by the GDPR. One of them is the right to ask an organization if, where and which personal data is processed. Upon request, they should also be provided with a copy of this data, free of charge, and in an electronic format if this data subject (e.g. EU citizen) asks for it.
#### Right to be forgotten
Another right EU citizens get through the GDPR is the "right to be forgotten," also known as data erasure. This means that subject to certain limitation, the organization will have to erase his/her data, and possibly even stop any further processing, including by the organizations third parties.
The above three changes imply that your platform(s) software will need to comply with certain aspects of the GDPR as well. It will need to have specific features such as obtaining and storing consent, extracting data and providing a copy in electronic format to a data subject, and finally the means to erase specific data about a data subject.
#### Breach notification
Under the GDPR, a data breach occurs whenever personal data is taken or stolen without the authorization of the data subject. Once discovered, you should notify your affected community members within 72 hours unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This breach notification is mandatory under the GDPR.
#### Register
As an organization, you will become responsible for keeping a register which will include detailed descriptions of all procedures, purposes etc for which you process personal data. This register will act as proof of the organization's compliance with the GDPRs requirement to maintain a record of personal data processing activities, and will be used for audit purposes.
#### Fines
Organizations that do not comply with the GDPR risk fines up to 4% of annual global turnover or €20 million (whichever is greater). According to the GDPR, "this is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts."
### Final words
My article should not be used as legal advice or a definite guide to GDPR compliance. I have covered some of the parts of the regulation that could be of impact to an open source community, raising awareness about the GDPR and its impact. Obviously, the regulation contains much more which you will need to know about and possibly comply with.
As you can probably conclude yourself, you will have to take steps when you are running a global community, to comply with the GDPR. If you already apply robust security standards in your community, such as ISO 27001, NIST or PCI DSS, you should have a head start.
You can find more information about the GDPR at the following sites/resources:
* [GDPR Portal][3] (by the EU)
* [Official Regulation (EU) 2016/679][4] (GDPR, including translations)
* [What is GDPR? 8 things leaders should know][5] (The Enterprisers Project)
* [How to avoid a GDPR compliance audit: Best practices][6] (The Enterprisers Project)
### About the author
[![](https://opensource.com/sites/default/files/styles/profile_pictures/public/robinm-low-3-square.jpg?itok=8qH6iUZh)][7]
Robin Muilwijk \- Robin Muilwijk is Advisor Internet and e-Government. He also serves as a community moderator for Opensource.com, an online publication by Red Hat, and as ambassador for The Open Organization. Robin is also Chair of the eZ Community Board, and Community Manager at [eZ Systems][8]. Robin writes and is active on social media to promote and advocate for open source in our businesses and lives.Follow him on Twitter... [more about Robin Muilwijk][9]
[More about me][10]
* [Learn how you can contribute][11]
---
via: [https://opensource.com/article/18/4/gdpr-impact][12]
作者: [Robin Muilwijk][13] 选题者: [@lujun9972][14] 译者: [译者ID][15] 校对: [校对者ID][16]
本文由 [LCTT][17] 原创编译,[Linux中国][18] 荣誉推出
[1]: https://www.eugdpr.org/eugdpr.org.html
[2]: https://www.eugdpr.org/key-changes.html
[3]: https://www.eugdpr.org/eugdpr.org.html
[4]: http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1520531479111&uri=CELEX:32016R0679
[5]: https://enterprisersproject.com/article/2018/4/what-gdpr-8-things-leaders-should-know
[6]: https://enterprisersproject.com/article/2017/9/avoiding-gdpr-compliance-audit-best-practices
[7]: https://opensource.com/users/robinmuilwijk
[8]: http://ez.no
[9]: https://opensource.com/users/robinmuilwijk
[10]: https://opensource.com/users/robinmuilwijk
[11]: https://opensource.com/participate
[12]: https://opensource.com/article/18/4/gdpr-impact
[13]: https://opensource.com/users/robinmuilwijk
[14]: https://github.com/lujun9972
[15]: https://github.com/译者ID
[16]: https://github.com/校对者ID
[17]: https://github.com/LCTT/TranslateProject
[18]: https://linux.cn/
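Review bot: the rendered file header above this hunk shows no path, so the only evidence that the file removed here is the `20180425 How will the GDPR impact open source communities.md` named in the commit message is the matching article title on its second line; please confirm the path in the PR description. Apart from that, the one line deleted here that has no counterpart in the added translation is the claim marker `pinewall translating` on the first line, and dropping it on submission is consistent with the commit message "submit …" and with `译者: [pinewall][15]` in the new file, so nothing else in this hunk needs to change.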

View File

@ -0,0 +1,104 @@
# GDPR 将如何影响开源社区?
![How will the GDPR impact open source communities?](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/OSDC_EU_flag.png?itok=4n9j74tL "GDPR 法案将如何影响开源社区?")
图片来源opensource.com
2018 年 5 月 25 日,[<ruby>通用数据保护条例<rt>General Data Protection Regulation, GDPR</rt></ruby>][1] 开始生效。欧盟出台的该条例将在全球范围内对企业如何保护个人数据产生重大影响。影响也会波及到开源项目以及开源社区。
### GDPR 概述
GDPR 于 2016 年 4 月 14 日在欧盟议会通过,从 2018 年 5 月 25 日起开始生效。GDPR 用于替代 95/46/EC 号<ruby>数据保护指令<rt>Data Protection Directive</rt></ruby>,该指令被设计用于“协调欧洲各国数据隐私法,保护和授权全体欧盟公民的数据隐私,改变欧洲范围内企业处理数据隐私的方式”。
GDPR 目标是在当前日益数据驱动的世界中保护欧盟公民的个人数据。
### 它对谁生效
GDPR 带来的最大改变之一是影响范围的扩大。不管企业本身是否位于欧盟只要涉及欧盟公民个人数据的处理GDPR 就会对其生效。
大部分提及 GDPR 的网上文章关注销售商品或服务的公司,但关注影响范围时,我们也不要忘记开源项目。有几种不同的类型,包括运营开源社区的(营利性)软件公司和非营利性组织(例如,开源软件项目及其社区)。对于面向全球的社区,几乎总是会有欧盟居民加入其中。
如果一个面向全球的社区有对应的在线平台,包括网站、论坛和问题跟踪系统等,那么很可能会涉及欧盟居民的个人数据处理,包括姓名、邮箱地址甚至更多。这些处理行为都需要遵循 GDPR。
### GDPR 带来的改变及其影响
相比被替代的指令GDPR 带来了[很多改变][2],强化了对欧盟居民数据和隐私的保护。正如前文所说,一些改变给社区带来了直接的影响。我们来看看若干改变。
#### 授权
我们假设社区为成员提供论坛,网站中包含若干个用于注册的表单。要遵循 GDPR你不能再使用冗长、无法辨识的隐私策略和条件条款。无论是每种特殊用途在论坛注册或使用网站表单注册你都需要获取明确的授权。授权必须是无条件的、具体的、通知性的以及无歧义的。
以表单为例,你需要提供一个复选框,处于未选中状态并给出个人数据用途的明确说明,一般是当前使用的隐私策略和条件条款附录的超链接。
#### 访问权
GDPR 赋予欧盟公民更多的权利。其中一项权利是向企业查询个人数据包括哪些,保存在哪里;如果<ruby>数据相关人<rt>data subject</rt></ruby>(例如欧盟公民)提出获取相应数据副本的需求,企业还应免费提供数字形式的数据。
#### 遗忘权
欧盟居民还从 GDPR 获得了“遗忘权”,即数据擦除。该权利是指,在一定限制条件下,企业必须删除个人数据,甚至可能停止其自身或第三方机构后续处理申请人的数据。
上述三种改变要求你的平台软件也要遵循 GDPR 的某些方面。需要提供特定的功能,例如获取并保存授权,提取数据并向数据相关人提供数字形式的副本,以及删除数据相关人对应的数据等。
#### 泄露通知
在 GDPR 看来,不经数据相关人授权情况下使用或偷取个人数据都被视为<ruby>数据泄露<rt>data breach</rt></ruby>。一旦发现,你应该在 72 小时内通知社区成员,除非这些个人数据不太可能给<ruby>自然人<rt>natural persons</rt></ruby>的权利与自由带来风险。GDPR 强制要求执行泄露通知。
#### 披露记录
企业负责提供一份记录,用于详细披露个人数据处理的过程和目的等。该记录用于证明企业遵从 GDPR 要求,维护了一份个人数据处理行为的记录;同时该记录也用于审计。
#### 罚款
不遵循 GDPR 的企业最高可面临全球年收入总额 4% 或 2000 万欧元 (取两者较大值)的罚款。根据 GDPR“最高处罚针对严重的侵权行为包括未经用户充分授权的情况下处理数据以及违反设计理念中核心隐私部分”。
### 补充说明
本文不应用于法律建议或 GDPR 合规的指导书。我提到了可能对开源社区有影响的条约部分,希望引起大家对 GDPR 及其影响的关注。当然,条约包含了更多你需要了解和可能需要遵循的条款。
你自己也可能认识到,当运营一个面向全球的社区时,需要行动起来使其遵循 GDPR。如果在社区中你已经遵循包括 ISO 27001NIST 和 PCI DSS 在内的健壮安全标准,你已经先人一步。
可以从如下网站/资源中获取更多关于 GDPR 的信息:
* [GDPR 官网][3] (欧盟提供)
* [官方条约 (欧盟) 2016/679][4] GDPR包含翻译
* [GDPR 是什么? 领导人需要知道的 8 件事][5] (企业人项目)
* [如何规避 GDPR 合规审计:最佳实践][6] (企业人项目)
### 关于作者
[![](https://opensource.com/sites/default/files/styles/profile_pictures/public/robinm-low-3-square.jpg?itok=8qH6iUZh)][7]
Robin Muilwijk \- Robin Muilwijk 是一名互联网和电子政务顾问,在 Red Hat 旗下在线发布平台 Opensource.com 担任社区版主,在 Open Organization 担任大使。此外Robin 还是 eZ 社区董事会成员,[eZ 系统][8] 社区的管理员。Robin 活跃在社交媒体中,促进和支持商业和生活领域的开源项目。可以在 Twitter 上关注 [Robin Muilwijk][9] 以获取更多关于他的信息。
[更多关于我的信息][10]
* [学习如何做出贡献][11]
---
via: [https://opensource.com/article/18/4/gdpr-impact][12]
作者: [Robin Muilwijk][13] 选题者: [@lujun9972][14] 译者: [pinewall][15] 校对: [校对者ID][16]
本文由 [LCTT][17] 原创编译,[Linux中国][18] 荣誉推出
[1]: https://www.eugdpr.org/eugdpr.org.html
[2]: https://www.eugdpr.org/key-changes.html
[3]: https://www.eugdpr.org/eugdpr.org.html
[4]: http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1520531479111&uri=CELEX:32016R0679
[5]: https://enterprisersproject.com/article/2018/4/what-gdpr-8-things-leaders-should-know
[6]: https://enterprisersproject.com/article/2017/9/avoiding-gdpr-compliance-audit-best-practices
[7]: https://opensource.com/users/robinmuilwijk
[8]: http://ez.no
[9]: https://opensource.com/users/robinmuilwijk
[10]: https://opensource.com/users/robinmuilwijk
[11]: https://opensource.com/participate
[12]: https://opensource.com/article/18/4/gdpr-impact
[13]: https://opensource.com/users/robinmuilwijk
[14]: https://github.com/lujun9972
[15]: https://github.com/pinewall
[16]: https://github.com/校对者ID
[17]: https://github.com/LCTT/TranslateProject
[18]: https://linux.cn/
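Review bot: the translation narrows the regulation's scope and uses a non-standard term for "consent"; both should be fixed before proofreading. In the 它对谁生效 section, "data subjects residing in the European Union" is rendered as 欧盟公民, but the original ties applicability to residence, not citizenship (居住在欧盟的数据主体 or 欧盟居民), and the same 公民/居民 mix recurs in the 概述, 访问权 and 遗忘权 paragraphs. The 授权 section uses 授权 for "consent"; the established term is 同意 (and "freely given, specific, informed, and unambiguous" is usually 自由作出的、具体的、知情的且无歧义的, so 无条件的 and 通知性的 read wrong). In the 罚款 paragraph, "Privacy by Design" has become 设计理念中核心隐私部分; 隐私设计 (or 通过设计保护隐私) is the usual rendering. 条约 (treaty) in the 补充说明 paragraph and in the resource list conflicts with 条例 in the opening paragraph; the GDPR is a 条例. The 泄露通知 paragraph drops "affected" from "notify your affected community members" (受影响的社区成员). Punctuation was also lost in several places, for example `不管企业本身是否位于欧盟只要涉及欧盟公民个人数据的处理GDPR 就会对其生效`, `ISO 27001NIST 和 PCI DSS`, and `[官方条约 (欧盟) 2016/679][4] GDPR包含翻译`, which needs its parenthesis restored; 图片来源opensource.com likewise needs a colon.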