What does the soon-to-take-effect EU privacy regulation (GDPR) mean for consumers?

Over the past two months I've been bombarded with privacy-policy update notices from every service I use. Is the new regulation's impact limited to this…

Updating existing privacy policies is only one part of GDPR, and arguably the simplest part, the easiest to start on, and the one whose results outsiders can see most readily. After all, hiring a few security and privacy experts to review the agreements under which the company currently collects users' personal information is far faster and far cheaper than standardizing, from scratch, the company-wide processes for collecting, managing, protecting and archiving data.

For example, Chapter 5 of the GDPR sets out the main responsibilities of the data owner, which in practice usually means the enterprise (the English text is at the end of this answer). Looked at simply, the quickest step is to put a lawful privacy policy in place first; at least on the surface that shows regulators and users that the company has started to take compliance seriously. Next, the company at a minimum has to work out its own data flows: exactly which user information it collects, where it is collected from, which department collects it, why it is collected, where it is stored once collected, who has permission to view it, whether it is shared with other companies, and so on. Getting that data flow straight basically requires every department in the company to get moving.

Take the HR department: the résumés you collect from applicants contain personal information, and even sensitive personal information. Handling of this kind of data must comply with the GDPR. For instance, paper résumés cannot be left lying around anywhere; when they are passed to people in other departments for screening, that must be properly logged; résumés must be promptly collected back and archived, stored securely, and expired ones must be destroyed on a regular schedule.

For users, if companies really do what the GDPR requires, then at the very least you will no longer have to worry about getting inexplicable calls from real-estate agents.

Heh. The ideal is plump, the reality is bony. At least from where I sit in China, BAT might not manage to become compliant until who knows when, let alone companies of any other size.

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.