Inside (ISC)² with Charles Gaughf


Kaity
Community Manager

This is your chance to get Inside (ISC)² as managers from our organization will be swinging by the Community to answer your questions. Joining us today is Charles (Chuck) Gaughf, senior manager of security at (ISC)².

 

Chuck heads up our security group, and is currently knee-deep in the privacy sphere as he leads our GDPR preparations. He holds several of our certifications (CISSP, SSCP and CCSP), so he’s a member as well as an employee!

 

Reply to this post with your questions and Chuck aka @geekwise will be answering them from 1-1:30pm EST. 

 

And join us again next month (March 28) when Adrian Davis, CISSP – our Cybersecurity Advocate in EMEA – will be joining us!

29 Comments
EricBrown
Viewer II

Is there a certification and training for GDPR yet? -Thanks, Eric

Chad
Reader I

The tone and content of GDPR appear to be targeted at business to consumer relationships, specifically the consent to process data and right to be forgotten provisions. 

 

Has there been any clarification on how these relate to business to business software vendors?

Is the vendor (data processor) expected to get individual consent from each of the client's (data controller) users? 

Is the vendor (data processor) required to allow individual employees of the client (data controller) to be able to submit their request to be 'forgotten'? 

CMcBag62
Newcomer I

As a software vendor, how do I approach the SME customers who are looking for advice on how to get started?  What are the general guidelines for SMEs?

Francois1208
Newcomer I

Hi Charles,

 

Is first + last name considered personal data under GDPR? Most people say it is if it allows you to identify a specific individual, but I've also heard it has to be combined with something else to validate it is an EU resident. Any insight?

Thanks

Canopy_Privacy
Newcomer I

Regarding Erasure (Art. 18), what is the current thinking regarding anonymisation and pseudonymisation? Are there any standards emerging for GDPR?

Canopy_Privacy
Newcomer I

Sorry, Art. 17
robert-sisson
Viewer II

As IP addresses are considered personal information, how do we handle logging within our infrastructure? Particularly web server logs and other network logs that hold the source IP. We have a log retention policy of 1 year, and the logs are used for incident response and other security / performance reasons (all the reasons you have the logs). The logs are stored, and we will be encrypting them, but beyond encryption are there any other requirements? What about lack of consent or restriction of processing requests for "legitimate interests"? Most of the users have no binding contractual agreement that we can use for an alternate lawful basis.
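Encryption at rest protects the stored logs, but the source IP is still personal data once decrypted. A common engineering answer to both this question and the earlier one about anonymisation versus pseudonymisation is to pseudonymise the client address at ingestion with a keyed one-way function, so the raw IP is never retained but the same client still maps to the same token for incident-response correlation. The example below is added here to illustrate that approach; it is not code from the thread or from (ISC)². The log lines, addresses (documentation ranges) and the master secret are constructed for the example, and the period-based key rotation is an assumption about how linkability would be bounded in practice.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample access-log lines in "combined" format. Addresses come from
# documentation ranges and the paths are hypothetical; nothing here is real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.42 - - [10/Feb/2018:13:55:36 +0000] "GET /login HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [10/Feb/2018:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [10/Feb/2018:13:56:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.58"',
    '2001:0db8:0000::0001 - - [10/Feb/2018:13:56:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.58"',
]

# Leading client-address field of a combined-format line (up to the first space).
_LEADING_FIELD_RE = re.compile(r'^(\S+)(?=\s)')
# Request line plus status code, e.g. "POST /login HTTP/1.1" 401
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def period_key(master_key: bytes, period: str) -> bytes:
    """Derive a per-period key (e.g. '2018-02') from a master secret held in a vault.
    Tokens are only linkable within one period; destroying a period's derived key
    makes that period's tokens unlinkable going forward (assumed rotation scheme)."""
    return hmac.new(master_key, period.encode(), hashlib.sha256).digest()


def pseudonymize_ip(raw_ip: str, key: bytes) -> str:
    """Keyed, one-way token for an IP address. Canonicalising first means
    '2001:0db8::1' and '2001:db8::1' yield the same token."""
    canonical = ipaddress.ip_address(raw_ip).compressed
    digest = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return "ip:" + digest[:24]  # truncated for readability; 96 bits is still ample


def pseudonymize_line(line: str, key: bytes) -> str:
    """Replace the client address in one combined-format line.
    Non-address values such as '-' are left as they are."""
    def _sub(match):
        try:
            return pseudonymize_ip(match.group(1), key)
        except ValueError:
            return match.group(1)
    return _LEADING_FIELD_RE.sub(_sub, line, count=1)


def failed_logins_by_client(lines):
    """Incident-response style query over already pseudonymised lines:
    count HTTP 401 responses on /login per client token.
    Correlation works without ever recovering the raw IP."""
    counts = {}
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match or match.group("path") != "/login" or match.group("status") != "401":
            continue
        client = line.split(" ", 1)[0]
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    key = period_key(b"hypothetical-master-secret-from-a-vault", "2018-02")
    masked = [pseudonymize_line(line, key) for line in SAMPLE_LOG_LINES]
    for line in masked:
        print(line)
    print(failed_logins_by_client(masked))
```

The key, not the hash function, is what makes this pseudonymisation rather than a reversible label: an unkeyed hash of an IPv4 address can be inverted by enumerating the 2^32 possible inputs, whereas the HMAC cannot be inverted without the secret. Rotating the derived key per retention period means that a 1-year retention window does not turn into a 1-year profile of any one client.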

Sheffeld
Viewer II

What method is recommended for determining which data in your application is under the purview of GDPR? PII has been a known quantity for some time, but the GDPR could expand that into areas such as where a user's home address may be related to an item in Sales Orders. Please comment.
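One practical method for the scoping question above is a data inventory that starts from columns holding direct identifiers and then follows foreign keys outward, since any record that links back to an identified person (a Sales Order, its line items) is personal data even when the row itself holds nothing that looks like PII. The example below is added to illustrate that two-step method; it is not from the thread or from any (ISC)² material. The schema, sample rows, column-name tokens and value patterns are all constructed for the example and would need extending for a real application.

```python
import re

# Constructed toy schema: table -> column list and foreign keys (column -> parent table).
SCHEMA = {
    "customers": {
        "columns": ["customer_id", "first_name", "last_name", "email", "home_address"],
        "fks": {},
    },
    "sales_orders": {
        "columns": ["order_id", "customer_id", "ship_to", "total"],
        "fks": {"customer_id": "customers"},
    },
    "order_lines": {
        "columns": ["order_id", "product_id", "qty"],
        "fks": {"order_id": "sales_orders", "product_id": "products"},
    },
    "products": {"columns": ["product_id", "sku", "price"], "fks": {}},
}

# Constructed sample rows (hypothetical person and order).
SAMPLE_ROWS = {
    "customers": [{"customer_id": 1, "first_name": "Ada", "last_name": "Example",
                   "email": "ada@example.com", "home_address": "1 Sample St"}],
    "sales_orders": [{"order_id": 10, "customer_id": 1, "ship_to": "1 Sample St", "total": 42.0}],
    "order_lines": [{"order_id": 10, "product_id": 7, "qty": 2}],
    "products": [{"product_id": 7, "sku": "WIDGET-1", "price": 21.0}],
}

# Heuristics for direct identifiers. Column-name tokens are matched on the
# underscore-split name; value patterns catch identifiers hiding in generic columns.
NAME_TOKENS = {"name", "email", "address", "addr", "phone", "ip"}
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ipv4": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
}


def direct_identifier_columns(table, schema, rows):
    """Columns that look like direct identifiers by name or by sampled value."""
    flagged = []
    for col in schema[table]["columns"]:
        if set(col.lower().split("_")) & NAME_TOKENS:
            flagged.append(col)
            continue
        values = [str(r[col]) for r in rows.get(table, []) if r.get(col) is not None]
        if any(rx.match(v) for v in values for rx in VALUE_PATTERNS.values()):
            flagged.append(col)
    return flagged


def scope_report(schema, rows):
    """Step 1: tables with direct identifiers. Step 2: propagate scope along
    outgoing foreign keys until no table changes, so child records that point
    at an in-scope parent are themselves in scope."""
    report = {}
    for table in schema:
        direct = direct_identifier_columns(table, schema, rows)
        if direct:
            report[table] = {"reason": "direct identifiers", "columns": direct}
    changed = True
    while changed:
        changed = False
        for table, meta in schema.items():
            if table in report:
                continue
            for fk_col, parent in meta["fks"].items():
                if parent in report:
                    report[table] = {"reason": f"linked to {parent} via {fk_col}",
                                     "columns": [fk_col]}
                    changed = True
                    break
    return report


if __name__ == "__main__":
    for table, info in scope_report(SCHEMA, SAMPLE_ROWS).items():
        print(f"{table}: {info['reason']} ({', '.join(info['columns'])})")
```

Note that the heuristics never flag `ship_to` on their own (a street address has no reliable value pattern), yet `sales_orders` still lands in scope through its link to `customers`. That is the point of the second step: the question "is this column PII?" understates scope, and the linkage pass is what surfaces the Sales Orders case the question describes. A real inventory would feed the report into a review rather than treating it as the final answer.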

geekwise
ISC2 Former Staff

@EricBrown There is no formal training that I have seen. I have seen some training offerings from different vendors but none from any of the big training providers. Also, there is a huge market for this type of training and for certification of DPOs. I would imagine due to some of the vagueness and uncertainty around GDPR the big players are hesitant to put out anything official.

jtny
Viewer II

What artifacts do you believe are necessary to say an organization is GDPR compliant?

 

geekwise
ISC2 Former Staff

@Chad We have been at this for quite a while and my stance was to look at this from both directions. We (Legal & Security) reviewed all of our B2B or vendor to vendor relationships. The thought was to review all contracts and verify compliance where we were the controller or the processor. Even the platform here is a relationship where we share a subset of data with a service provider. We worked to verify we were sharing information in a compliant manner and that we had the capability to respond to any Subject Access Request in a timely manner.

JBatman
Viewer II

Is there any clarification on what a "Data Subject" is and applies to? I assume this extends to any EU citizen, regardless of their physical location/residency, but what about:

 

  • Non-EU citizen's data who are physically within the borders of the EU (visiting/vacation/etc)
  • The processing of remote non-EU citizen data by a processor located in the EU (ie a 3rd party EU-based business processing non-EU client data)

If any of the above are true, how does one correlate what subset of data would fall under GDPR compliance? Example: If I travel to the EU and rent a car while I am there, the data processed during that time would fall under GDPR. However, let's say I am back in the US and I update my information on file with the EU-based rental car company; does this processing of data not fall under GDPR since I am no longer physically within the borders of the EU?

 

Thanks,

 

Joe

geekwise
ISC2 Former Staff

@Francois1208 if we look at GDPR and what it aims to accomplish then privacy by default and by design includes all customers. Eventually, other countries will catch up and put forth the same requirements. My last point is it is based on residency and not location. So... in that regard how can you protect EU data differently than all other data. GEO-IP is not going to cut it I'm afraid. We as security practitioners should really look at our privacy programs holistically and not for a subset of users. 

geekwise
ISC2 Former Staff

@Francois1208 I have always understood PII to include any two data points that can be used to uniquely identify a person. If I'm sharing data or collecting data from a third party and it includes first name + last with no pseudo anonymization between us it is PII.

JBatman
Viewer II

@geekwise - So to say the data of a US citizen living abroad in the EU is not subject to GDPR at any point in the lifetime of the data?