Inside (ISC)² with Charles Gaughf

Community Manager

This is your chance to get Inside (ISC)² as managers from our organization will be swinging by the Community to answer your questions. Joining us today is Charles (Chuck) Gaughf, senior manager of security at (ISC)².

 

Chuck heads up our security group, and is currently knee-deep in the privacy sphere as he leads our GDPR preparations. He holds several of our certifications (CISSP, SSCP and CCSP), so he’s a member as well as an employee!

 

Reply to this post with your questions and Chuck aka @geekwise will be answering them from 1-1:30pm EST. 

 

And join us again next month (March 28) when Adrian Davis, CISSP – our Cybersecurity Advocate in EMEA – will be joining us!

29 Comments
Viewer II

Is there a certification and training for GDPR yet? -Thanks, Eric

Reader I

The tone and content of GDPR appear to be targeted at business to consumer relationships, specifically the consent to process data and right to be forgotten provisions. 

 

Has there been any clarification on how these relate to business-to-business software vendors? 

Is the vendor (data processor) expected to get individual consent from each of the client's (data controller) users? 

Is the vendor (data processor) required to allow individual employees of the client (data controller) to be able to submit their request to be 'forgotten'? 

Newcomer I

As a software vendor, how do I approach the SME customers who are looking for advice on how to get started?  What are the general guidelines for SMEs?

Newcomer I

Hi Charles,

 

Is first + last name considered personal data under GDPR? Most people say it is if it allows you to identify a specific individual, but I've also heard it has to be combined with something else to validate that it is an EU resident. Any insight?

Thanks

Newcomer I

Regarding Erasure (Art. 18), what is the current thinking regarding anonymisation and pseudonymisation? Are there any standards emerging for GDPR?

Newcomer I

Sorry, Art. 17

Viewer II

As IP addresses are considered personal information, how do we handle logging within our infrastructure, particularly web server logs and other network logs that hold the source IP? We have a log retention policy of 1 year, and the logs are used for incident response and other security/performance reasons (all the reasons you have the logs). The logs are stored, and we will be encrypting them, but beyond encryption are there any other requirements? What about lack of consent or restriction of processing requests for "legitimate interests"? Most of the users have no binding contractual agreement that we can use for an alternate lawful basis.

Viewer II

What method is recommended for determining which data in your application is under the purview of GDPR? PII has been a known quantity for some time, but the GDPR could expand that into areas such as where a user's home address may be related to an item in Sales Orders. Please comment.

Moderator

@EricBrown There is no formal training that I have seen. I have seen some training offerings from different vendors but none from any of the big training providers. Also, there is a huge market for this type of training and for certification of DPOs. I would imagine that, due to some of the vagueness and uncertainty around GDPR, the big players are hesitant to put out anything official. 

Viewer II

What artifacts do you believe are necessary to say an organization is GDPR compliant?

 

Moderator

@Chad We have been at this for quite a while, and my stance was to look at this from both directions. We (Legal & Security) reviewed all of our B2B or vendor-to-vendor relationships. The thought was to review all contracts and verify compliance where we were the controller or the processor. Even the platform here is a relationship where we share a subset of data with a service provider. We worked to verify we were sharing information in a compliant manner and that we had the capability to respond to any Subject Access Request in a timely manner. 

Viewer II

Is there any clarification on what a "Data Subject" is and applies to? I assume this extends to any EU citizen, regardless of their physical location/residency, but what about:

 

  • Data of non-EU citizens who are physically within the borders of the EU (visiting/vacation/etc.)
  • The processing of remote non-EU citizens' data by a processor located in the EU (i.e. a 3rd-party EU-based business processing non-EU client data)

If any of the above are true, how does one correlate what subset of data would fall under GDPR compliance? Example: if I travel to the EU and rent a car while I am there, the data processed during that time would fall under GDPR. However, let's say I am back in the US and I update my information on file with the EU-based rental car company; does this processing of data not fall under GDPR since I am no longer physically within the borders of the EU?

 

Thanks,

 

Joe

Moderator

@Francois1208 If we look at GDPR and what it aims to accomplish, then privacy by default and by design includes all customers. Eventually, other countries will catch up and put forth the same requirements. My last point is that it is based on residency and not location. So... in that regard, how can you protect EU data differently than all other data? GEO-IP is not going to cut it, I'm afraid. We as security practitioners should really look at our privacy programs holistically and not for a subset of users. 

Moderator

@Francois1208 I have always understood PII to include any two data points that can be used to uniquely identify a person. If I'm sharing data or collecting data from a third party and it includes first name + last name with no pseudo-anonymisation between us, it is PII.

Viewer II
@geekwise - So is that to say the data of a US citizen living abroad in the EU is not subject to GDPR at any point in the lifetime of the data?
Viewer II

Do you have a webinar going?

 

Community Champion

Hi Charles,

 

What are your thoughts on the IAPP's CIPP/E, CIPP/US and CIPM in relation to the GDPR and other regulation? In addition, will you be attending the Summit in Washington at the end of this month?

 

Nice Avatar BTW ^^

 

TVM

Viewer II

How does my firm register to perform an audit of GDPR?

 

Moderator

@robert-sisson This is a tough one. Most websites need IP information for transactional purposes. Many sites have their cookie consent pop-ups implemented and ready for GDPR. Similar to IP, can we prevent people from using or accessing our site if they do not consent to cookies? As far as logging is concerned, this is a transaction with a user of a service for the fulfilment of that service. As long as there are processes to be able to respond to a SAR and the data is adequately protected, there should be no cause for alarm. 
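The erasure question earlier in the thread (anonymisation versus pseudonymisation) and this exchange about source IPs in web and network logs come down to the same engineering problem: keeping a year of logs usable for incident response without storing the raw client address, and still being able to answer a Subject Access Request. The following is an added example written for this page; it is not code from (ISC)², the moderator or any poster. It assumes a combined-format access log with the client address as the first field, a secret key held outside the log store (PSEUDONYM_KEY is a placeholder), and HMAC-SHA256 truncated to 64 bits as the pseudonym. The log lines are constructed, using RFC 5737 / RFC 3849 documentation addresses.

```python
import hashlib
import hmac
import ipaddress
import re

# Assumed secret: in production this lives in a KMS or secret store, never in
# the log pipeline's config beside the logs it protects. Placeholder value.
PSEUDONYM_KEY = b"example-key-rotate-per-retention-window"

# Combined/common log format: the client address is the first whitespace-
# delimited field; everything after it is preserved verbatim.
LOG_LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Feb/2018:13:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2018:13:02:12 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.58.0"',
    '203.0.113.42 - - [10/Feb/2018:13:02:13 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '2001:0db8:0000::0001 - - [10/Feb/2018:13:02:14 +0000] "GET / HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    "malformed line with no address in it",
]


def pseudonymise_ip(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Map an IP address to a stable keyed pseudonym.

    A keyed HMAC is used rather than a plain hash: IPv4 has only 2^32 values,
    so anyone holding the logs could brute-force an unkeyed SHA-256 back to
    the address. The address is canonicalised first so that textual variants
    of one IPv6 address yield the same token. Raises ValueError for input
    that is not an IP address.
    """
    canonical = str(ipaddress.ip_address(ip))
    mac = hmac.new(key, canonical.encode("ascii"), hashlib.sha256).hexdigest()
    return "ip-" + mac[:16]  # 64-bit tag: enough to correlate, not reversible


def pseudonymise_line(line: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace the client address in one log line; pass anything else through.

    Lines that do not parse, or whose first field is not an address (including
    lines already pseudonymised), are returned unchanged so a second pass over
    the same file is harmless and no evidence is silently dropped.
    """
    m = LOG_LINE_RE.match(line)
    if not m:
        return line
    try:
        token = pseudonymise_ip(m["ip"], key)
    except ValueError:
        return line
    return f"{token} {m['rest']}"


def pseudonymise_log(lines, key: bytes = PSEUDONYM_KEY):
    """Pseudonymise a whole log (list of lines) before it enters retention."""
    return [pseudonymise_line(line, key) for line in lines]


def find_subject_lines(stored_lines, subject_ip: str, key: bytes = PSEUDONYM_KEY):
    """Answer a Subject Access Request for an address the subject supplies.

    Only a holder of the key can recompute the token, so the controller can
    locate a subject's entries while someone who merely obtains the stored
    logs cannot tie any line back to an address.
    """
    token = pseudonymise_ip(subject_ip, key)
    return [line for line in stored_lines if line.startswith(token + " ")]


if __name__ == "__main__":
    stored = pseudonymise_log(SAMPLE_LOG)
    for line in stored:
        print(line)
    hits = find_subject_lines(stored, "203.0.113.42")
    print("SAR hits for 203.0.113.42:", len(hits))
```

The key is what makes this pseudonymisation rather than a fig leaf: an unkeyed hash of an IPv4 address is reversible in seconds by enumerating all 2^32 values. Deriving a fresh key per retention window and destroying it when that window's logs age out leaves the expired entries unlinkable to any subject, which is closer to anonymisation than encryption of the log files alone. The rest of each line (referer, query string, user agent) can still carry identifiers and is passed through untouched here.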

Moderator

@Sheffeld You need certain data for processing a transaction. This may include a number of data elements, including their home address. However, the bigger question is: when a salesperson manually inputs a user into your CRM, does it flag them for future communications? Will these individuals be directly marketed to in the future? Did we adequately capture their consent for that purpose?