
Date

May 26, 2017

Attendees

  • Mark Lizar
  • Andrew Hughes
  • John Wunderlich
  • David Turner
  • Colin Wallis
  • Chris Cooper
  • Henrik Biering
  • Robert Lapes
  • Sal D'Agostino

Goals

Hi Everyone,

The GDPR does call out the requirement for open, commonly used standards (of which the CR is the only one in this space), and our ability to all contribute to this as open source will provide us with an opportunity to put v1.1 forward to regulators to review.
We have a lot of ambiguity to clear up in v1, and this call is intended to sort that out.
Here is a link to the notes for this session, with a bit of an agenda.
I am working on this now to put in all the links for this session. (So this is a working session.)
Here is a link to the ICO consent guidance.
Here is the link to the GDPR text (PDF).
The first draft of the mapping of the CR to the GDPR is being developed separately and will be contributed to the CIS WG when it is more mature.
Agenda Plan
  • We are collecting a list of topics for consent legal.

    1. The GDPR provides an excellent use case for the Consent Receipt v1.
      1. We are working on mapping the Consent Receipt to the GDPR as an exercise.
    2. Mark L: contribute a starting point for mapping the CR to the GDPR (from Open Consent).
    3. Jens C: has provided a review of the CR from a GDPR point of view.
    4. Ensure Article 15 is addressed in CR v1, and work out how the CR can be used for data portability and the order of operations needed to ensure data subject rights are met.
    5. International use of the GDPR: guidance on how it might be interpreted in different places.
    6. Discuss/design how to provide guidance on applying the CR to different situations, and whether that takes the form of a 'technical overlay', 'profile' or 'extensions'.
      1. Instructions for implementers.
      2. Perhaps this is a General Model/Viewpoint plus Specific Viewpoints.

  • We aim to use these two activities to raise specific issues, identify gaps, etc.
    1. Identified that Joint Data Controllers are missing (added to the mapping, highlighted in yellow).
    2. Identified that 'Recipients' is missing from the Specification (needs to sit alongside 3rd party).
  • Review the mapping.

Discussion Items

  • Mark has started a comparison between the CR v1 fields and the GDPR Articles and Recitals.
  • It looks like the GDPR terms 'Joint Controller' and 'Recipients' don't appear in CR v1.
    • John: Although the GDPR allows for Joint Controllers, the Receipt is issued by one of those controllers (not by both simultaneously).
  • IAPP is interested in linking over to the CR and the Generator; they would also like to see some simple use cases, e.g. for multiple controllers.
  • Note: Article 15 (Right of access by the data subject): the CR provides for all the items in Article 15 in a 'receipt' structure.
  • A consent receipt reduces the risk of non-compliance; it does not mean that an organisation is actually compliant.
  • Development of the CR was started before the GDPR was published, so the CIS WG has to go back and update the references to the ICO Guidance and the GDPR text.
  • Mark asks interested contributors to add their analysis to the sheet.
  • Consent for children is missing from the CR.
    • Any missing fields should be raised as issues in the GitHub repository for the CR.
  • Jens raised some interesting issues, in particular on the non-normative Considerations.
  • Take a look at Chapter V (transfers of personal data to third countries or international organisations), Article 44, for the international use case analysis.
  • Note: Any work that arises 
  • John: It would be interesting to have someone do a similar analysis of how the FTC applies fines in the US...

Action Items
