Do you have a webinar going?

Hi Charles,

What are your thoughts on the IAPPs CIPP/E/US and CIPM in relation to the GDPR and other regulation? In addition, will you be attending the Summit in Washington at the end of this month?

Nice Avatar BTW ^^

TVM

How does my firm register to perform an audit of GDPR?

@robert-sisson this is a tough one. Most websites need IP information for transactional purposes. Many sites have their cookie consent pop-ups implemented and ready for GDPR. Similar to IP can we prevent people from using or accessing our site if they do not consent to cookies. As far as logging is concerned this is a transaction with a user of a service for the fulfillment of that service. As long as there are processes to be able to respond to a SAR and that the data is adequately protected there should be no cause for alarm. 

@Sheffeld You need certain data for processing a transaction. This may include a number of data elements to include their home address. However the bigger question is when a salesperson manually inputs a user into your CRM, does it flag them for future communications. Will these individuals be directly marketed to in the future? Did we adequately capture their consent for that purpose?

I received some questions from a Community member who couldn't participate live. Could you answer these, Chuck? 

1) Given that we are in the throes of Digital Transformations and its disruptive demands to organisations, there are many different interpretations of what GDPR actually means. Can you be absolutely explicit and explain exactly what you understand GDPR actually is and why you have to undergo the privacy by security and security by design processes internally to ensure you are protecting the data subjects?

2) There are many vendors, who state their tools are "GDPR ready"? But what does this mean? How can the mere mortal human being actually prove this?

3) I come from a very large international organisation, myself, and I fully appreciate the processes, and controls inherent within each contract and a complete change in culture required within an organisation to deal with GDPR. Do you think the experience has changed (ISC)²'s perspective too?

@Ymusaji We have a webinar coming up in the next few weeks. I will say to everyone on the board that I'm tackling this from a security perspective, but it has taken the work of our entire organization to get us GDPR compliant. Legal and I have been attached at the hip since last August. This can't be purely a security problem, it is an organizational challenge that will take unprecedented amounts of cross-functional coordination. 

ouch, if people are only now getting started than they have a tough road ahead of them. The place I started was with DFDs. Organization need a comprehensive view of the PII data flows in and out of their systems and with their third parties. ALso where organizations will spend a lot of time, or at least for us, was with direct marketing and sales. 

@Canopy_Privacy Okay this just goes to show how complex systems can be. There is some organizations who may have to keep records for an indefinite amount of time. Example: A member sends us a SAR for the erasure of their data. If they are certified and we remove their data we have no way of managing their certification. On the flip side if someone loses their certification due to an ethics violation and they send us a removal request how are we going to keep the information about the ethicscomplaintt in a compliant manner so that they could not simply recertify. This is just one example and other organizations out there are going to have similar problems and will need to work through these cases individually.  

@jtny internally we built an audit for Compliance. There are the backend artifacts such as evidence of encryption, breach notification processes. Then the most important piece is what is exposed to your customers. This includes cookie notification, consent opt-ins, very clear and understandable privacy policies, and being transparent about what you do with the users' data. I have seen a number of sites who have developed a user journey for their customers that breaks down how their data is processed. This is huge in being absolutely transparent with users. Lastly, a formal process for excepting SARs and communicating how your org will handle these reqs. Keep in mind... you have to respond to a SAR no matter how it is submitted. This means staff training on understanding when they receive this type of req. 

Great Certifications. A number of people here, myself included, are working towards these certifications. GDPR is just the start. It isn't really a matter of compliance it is about giving back control to your customers regarding their data. 

As far as I am aware there is no certification process as with other standards. We went external and had a 3rd party audit of our processes, and then developed an internal control audit. I would imagine that very soon we may see a standardization around GDPR "Certification". For now, privacy shield is likely the closest thing. 

Thanks everyone! And thank you @geekwise for answering the questions! He's off to a GDPR meeting actually ... we keep him very busy ... so if he didn't get to your question that was already posted, he'll check back in later. 

That's all for today's Inside (ISC)²! Be sure to join us next month when Adrian Davis aka @adriandavis will be stopping by to talk about his new role as Director of Cybersecurity Advocacy in EMEA! 

@geekwise Can you share the links for a couple of those sites that are providing the user/data processing journey for customers? I would love to see examples and model something for my GDPR clients. Thanks!