A cross-border merchant like Amazon or Walmart, or a financial service provider like Brex may aggregate customer information into a CRM system (e.g., Oracle’s RightNow or Pipedrive) and/or accounting reporting system (say, Pocketsuite or Expensify)

像亚马逊或沃尔玛这样的跨境商家，或者像布雷克斯这样的金融服务提供商可能会将客户信息汇总到CRM系统(例如Oracle的RightNow或Pipedrive)和/或会计报告系统(例如Pocketsuite或Expensify)

让我们以Brex为例， (Let’s take Brex as an example,)

Per Brex’s privacy policy, “Brex owns and controls the transaction data and other personal information”… Brex share with card issuing partners”.

根据Brex的隐私权政策，“ Brex拥有并控制交易数据和其他个人信息 ” …Brex与发卡合作伙伴共享 。

Brex directly collects the data and receives consent from you, the startup founder, or enterprise customer. You might then integrate your Brex account with Expensify for expense management, invoicing, or bill processing software. Expensify would then be a third-party service provider that processes the data on behalf of Brex.

Brex直接收集数据并获得您，初创公司创始人或企业客户的同意。 然后，您可以将您的Brex帐户与Expensify集成在一起，以进行费用管理，发票或账单处理软件。 然后，Expensify将成为代表Brex 处理数据的第三方服务提供商。

服务提供商也可能选择不成为控制者。 (A service provider may also opt not to be a controller.)

For example, under a PayFac model, a multi-vertical SaaS vendor like i3 Verticals or single vertical focused SaaS online booking vendors — e.g., StyleSeat (Beauty Services) and Vagaro (Salon, Spa, or Fitness Appointments), Textura (Construction) — have all been approved by a merchant acquirer to be a PayFac (Payment Facilitator).

例如，在PayFac模式下，诸如i3 Verticals的多垂直SaaS供应商或专注于垂直的单个SaaS在线预订供应商-例如， StyleSeat (美容服务) 和Vagaro (Salon，Spa或Fitness任命)， Textura (建筑) —已全部由商户收单行批准为PayFac(付款服务商)。

Vagaro maintains a master merchant account. Vagaro’s SMB merchant client (e.g., a SPA) accepts payments from consumers through a sub-merchant contract. Vagaro would then use a third-party payment processor (e.g., Adyen, EBANX, or Vantiv/FIS) to process payments on behalf of its clients.

Vagaro维护一个主商人帐户。 Vagaro的SMB商家客户(例如SPA)通过次级商家合同接受来自消费者的付款。 然后Vagaro将使用第三方支付处理器(例如Adyen，EBANX或Vantiv / FIS)来代表其客户处理付款。

When customers of the hair salon make payment to the salon through Vagaro, their personal information is collected directly by the payment processor (say hypothetically, Adyen); Not by Vagaro. In this case, Vagaro has no control over and is not responsible for, Adyen’s use and disclosure of the customer’s Personal Information. Adyen, in this case, would be both the controller and the processor.

当发廊的顾客通过Vagaro向发廊付款时，他们的个人信息将直接由付款处理者收集(假设是Adyen)； 不是Vagaro 。 在这种情况下，Vagaro无法控制Adyen对客户个人信息的使用和披露。 在这种情况下，Adyen既是控制器又是处理器。

对控制器的影响 (Impact on Controllers)

Data controllers (like Brex) are the ones directly working with (and receiving consent from) end customers to use their data. Thus, controllers face more significant portion of the data privacy burden than the processors.

数据控制器(如Brex)是直接与最终客户合作(并获得最终用户同意)使用其数据的控制器。 因此，与处理器相比，控制器面临更多的数据隐私负担。

控制器现在必须： (Controllers must now:)

a) Categorizes the type of data being collected

a) 分类收集的数据类型

b) Records the individual to whom the data is being attributed

b) 记录数据所归于的个人

c) Specifies how long the data can be held there before being erased

c)指定数据在删除之前可以保留多长时间

对数据处理器的影响 (Impact on Data Processors)

While less impacted than the data controllers, data processors still have a responsibility to protect the security of the data given to it by the data controller; think again Expensify (processor) protecting data received from Brex (controller).

尽管其影响程度不如数据控制器，但数据处理器仍然有责任保护数据控制器提供给它的数据的安全性。 再想一想Expensify(处理器)保护从Brex(控制器)接收的数据 。

In general, processors include any vendor that houses a controller’s data, whether on its own or on a third-party’s data center. For those reasons, data processors will still be subject to a fine in the event of a data breach. In these cases, it is on the processor (e.g., Expensify) to inform the controller (e.g., Brex) “once” the processor (Expensify) becomes aware of the incident.

通常，处理器包括任何存储控制器数据的供应商，无论是其自身还是第三方的数据中心。 由于这些原因，如果发生数据泄露，数据处理器仍将受到罚款。 在这些情况下，一旦处理器(Expensify)知道该事件， 就在处理器(例如Expensify)上通知控制器(例如Brex) 。

修改或增强现有数据库基础架构 (Modify or Enhance Existing Database Infrastructure)

One of the basic requirements of some data privacy laws is that the controller will have to delete personal data, if it is requested by the data subject, barring any existing reason to hold that data. While finding a way to erase this data from a database is one issue, the larger issue may actually be determining where that data sits in a database.

某些数据隐私法的基本要求之一是，如果数据主体要求，控制者将必须删除个人数据，除非有任何现有理由保留该数据。 虽然找到一种从数据库中删除此数据的方法是一个问题， 但更大的问题实际上可能是确定该数据在数据库中的位置 。

Many businesses’ databases are outdated with no transparent view into the data they hold or who has access to that data — a huge issue, given the potential for hacking and security breaches.

许多企业的数据库已经过时，对其拥有的数据或谁有权访问这些数据 没有透明的视图 ，这是一个巨大的问题，考虑到潜在的黑客和安全漏洞。

That said, vendors such as BigID now enables businesses detect inventory personal data for every data subject

也就是说， BigID等供应商现在使企业能够检测每个数据主体的库存个人数据

控制器在这里几乎没有选择。 (Controllers have few options here.)

1)控制器必须 (1) Controllers either have to)

a) Completely upgrade or create a new database infrastructure if the database is too outdated to handle the updated regulation, or if the existing database is more or less sufficient and has only minor gaps to data compliance, they can…

a)如果数据库过时而无法处理更新的法规，或者如果现有数据库或多或少足够，并且在数据合规性方面仅有很小的差距，则可以完全升级或创建新的数据库基础结构，他们可以…

b) Purchase software modules (e.g., Data residency compliance InCountry’s SDK), to encrypt the data and provide control over who has access to this data.

b)购买软件模块(例如， 数据居留合规性InCountry的SDK )，以加密数据并控制谁可以访问此数据。

2)购买治理与合规模块 (2) Purchase a Governance & Compliance Module)

When it comes to data privacy laws, there are hundreds of articles listing different regulatory requirements. Likely the most important of them all, data privacy law’s requirement to categorize and document all personal data. It will require organizations to keep a record of the data it has, the individual to whom the data is attributed, and the length of time before being erased. As a business owner/operator, understanding whether you already meet some of these criteria or whether you need to make changes can be a daunting task without some sort of guidebook — and is costly if it results in non-compliance.

关于数据隐私法，有数百篇文章列出了不同的法规要求。 其中最重要的一点可能是数据隐私法对所有个人数据进行分类和记录的要求 。 它将要求组织保留其拥有的数据，数据归因于其的个人以及擦除之前的时间长度的记录。 作为企业所有者/运营商，如果没有某种指导手册，则了解您是否已经满足其中一些条件或是否需要进行更改可能是一项艰巨的任务，如果导致不遵守要求，则成本很高。

You might be the vendor providing solutions to this in the form of governance and compliance modules; this will help to bring companies into compliance in an interactive and step-by-step process. For example, ServiceNow’s Policy and Compliance Management and Audit Workbench dashboards provide customers with the ability to monitor their level of compliance to data privacy laws, which can be viewed globally or examined on an entity, system, or unit level. It also tracks data protection actions, remediation plans, and schedule audits.

您可能是以管理和合规性模块的形式提供解决方案的供应商； 这将有助于使公司通过交互式的逐步过程达到合规性。 例如， ServiceNow的“策略和合规性管理”以及“审核工作台”仪表板使客户能够监视其对数据隐私法律的合规性水平，这些数据可以在全球，实体，系统或单位级别进行查看或检查 。 它还跟踪数据保护措施，修复计划和计划审核。

3)迁移到第三方云托管提供商 (3) Migrate to a Third-Party Cloud Hosting Provider)

For businesses that can migrate to a third-party cloud hosting provider, data privacy compliance could be a lot less painful. Cloud service providers already provide tools to identify, locate, and control who has access to your data in the cloud. While the controller will still have to do the heavy lifting (e.g., instructing Google Compute Engine to delete Client X’s data on request), controllers are more easily able to do this when the framework is already in place.

对于可以迁移到第三方云托管提供商的企业而言，数据隐私合规性可以减轻很多麻烦。 云服务提供商已经提供了识别，定位和控制谁可以访问您的云中数据的工具。 尽管控制器仍然必须承担繁重的工作 (例如，指示Google Compute Engine根据请求删除Client X的数据)，但在框架已经就绪的情况下，控制器可以更轻松地做到这一点。

Working with you, as a third-party vendor, might also be more advantageous to potential customers, in that any data privacy is likely not a one-time thing but more a regulation that will shift over time. Any additional changes to compliance can be flowed through you, as a vendor, relieving your customers of having to bear the burden and the costs of handling these changes on their own.

作为第三方供应商，与您合作可能对潜在客户也更有利，因为任何数据隐私都可能不是一次性的事情，而是随着时间推移而变化的法规 。 作为供应商，可以对您进行合规性的任何其他更改，从而使您的客户不必自己承担处理这些更改的负担和费用。

证明您的软件符合数据隐私 (Certifying Your Software as Data Privacy-Compliant)

If you the vendor who is not looking to monetize the regulation directly, you probably reaffirming the safety of your offerings and your role as a data privacy compliant data processor. (check the ISO 17024 qualification by IBITGQ)

如果您不想直接从法规中获利，那您可能会重申产品的安全性以及作为数据隐私兼容数据处理器的角色。 (通过IBITGQ检查ISO 17024资格)

What this distills down to is whether your (payment or other) data processor has security procedures in place to protect your controller’s data, has approval from for cross-border data flows (moving data in and out of the European Union), and a system in place to detect and notify controllers of a security breach in a timely manner.

这归结为您(付款或其他)数据处理者是否已制定安全程序来保护您的控制器数据，是否获得跨境数据流的批准(将数据移入和移出欧盟)以及系统可以及时发现并通知控制器安全漏洞。

加强安全性 (Bolster Security)

Finally, some data privacy requirement to disclose breaches within a short timeframe (for example, 72 hours) could prompt enterprises to bolster security spending as a result. While data privacy laws typically have language related to security, they do not, for the most part, clarify a specific checklist of technical capabilities required to be in compliance.

最后，一些在短时间内(例如72小时)内披露违规行为的数据隐私要求可能会促使企业增加安全支出。 尽管数据隐私法通常使用与安全性相关的语言，但在大多数情况下，它们并未明确规定合规性所需的特定技术能力清单。

That said, the need to disclose breaches in less than 72 hours, for example, could prompt you to invest in more security operations headcount (in-sourced or out-sourced), as well as related tools like SIEM, threat analytics, etc — this could be difficult technically because the time from infection to detection is often several weeks.

也就是说，例如，需要在72小时内披露违规信息，可能会促使您投资于更多的安全操作人员(内部或外部) ，以及诸如SIEM，威胁分析等相关工具-从技术上讲这可能很困难，因为从感染到发现的时间通常是几周。

名誉损害 (Reputational Damage)

Perhaps the most impactful item in driving more investment in security vis-a-vis data privacy regulations is the potential reputational damage as a result of a breach — this in itself could drive security spending throughout the stack on prevention capabilities (from managed security services, and security and vulnerability management to identity and access management and endpoint) so an enterprise could reduce the probability of this event happening.

相对于数据隐私法规而言，推动对安全性进行更多投资的最有影响力的项目可能是由于违反而造成的潜在声誉损失-这本身可能会推动整个堆栈在预防功能方面的安全支出(来自托管安全服务，以及身份和访问管理以及端点的安全性和漏洞管理)，这样企业就可以降低发生此事件的可能性。