...
We are collecting a list of topics for consent legal.
- GDPR Provides an excellent use case for the Consent Receipt v.1
- We are working on mapping the consent receipt to the GDPR as an exercise
- Mark L - contribute a starting point for mapping the CR to the GDPR (from Open Consent)
- Jens C - has provided a review of the CR from a GDPR point of view
- Ensure Article 15 is addressed in CR v1 and how CR can be used for data portability & order of operations to ensure subject rights are met
- International use of the GDPR - guidance on how it might be interpreted in different places
- Design how to provide guidance on how to apply the CR to different situations; and 'technical overlay' or 'profile' or 'extensions'
- Instructions for implementers
- Perhaps this is General Model/Viewpoint and Specific Viewpoints
- We aim to use these two activities to raise specific issues, identify gaps etc
- Identified that Joint DC are missing (have been added to mapping in highlighted yellow)
- Identified that in the Specification, recipients is missing (needs to be with 3rd party)
- Review mapping
...
- Mark has started a comparison between the CR v1 fields and the GDPR Articles and Recitals
- Looks like GDPR 'Joint Controller' and 'Recipients' don't appear in the CR v1
- John: Although GDPR allows for Joint Controllers, the Receipt is issued by one of those controllers (not by both simultaneously)
- IAPP is interested in linking over to CR and Generator - they would also like to see some simple use cases e.g. for multiple controllers
- Note: Article 15 (Right of access by the data subject) - CR provides for all the items in Article 15 in a 'receipt' structure
- A consent receipt reduces risk of non-compliance - it does not mean that an org is actually compliant
- Development of the CR was started before GDPR was published - so CIS WG has to go back and update the references to ICO Guidance and GDPR text
- Mark asks interested contributors to add their analysis to the sheet
- Consent for children is missing from the CR
- Any missing fields should be raised as issues in the GitHub for CR
- Jens raised some interesting issues, in particular, the non-normative Considerations
- Take a look at Chapter V, Article 44 for international use case analysis
- Note: Any work that arises
- John: It would be interesting to have someone do a similar analysis for how the FTC applies fines in the US...