...
- Mark has started a comparison between the CR v1 fields and the GDPR Articles and Recitals
- Looks like GDPR 'Joint Controller' and 'Recipients' don't appear in the CR v1
- John: Although GDPR allows for Joint Controllers, the Receipt is issued by one of those controllers (not by both simultaneous)
- IAPP is interested in linking over to CR and Generator - they would also like to see some simple use cases e.g. for multiple controllers
- Note: Article 15 (Right of access by the data subject) - CR provides for all the items in Article 15 in a 'receipt' structure
- A consent receipt reduces risk of non-compliance - it does not mean that an org is actually compliant
- Development of the CR was started before GDPR was published - so CIS WG has to go back and update the references to ICO Guidance and GDPR text
- Mark asks interested contributors to add their analysis to the sheet
- Consent for children is missing from the CR
- Any missing fields should be raised as issues in the github for CR
- Jens raised some interesting issues, in particular, the non-normative Considerations
- Take a look at Chapter V article 44 for international use case analysis
- Note: Any work that arises arises from the 'CR Legal' work has to be introduced to the CIS WG v1.1 work plan through the use of github issues. This formality will allow the WG to prioritize and schedule the work.
- John: It would be interesting to have someone do a similar analysis for how the FTC applies fines in the US...
...