Privacy Level Agreement

PLA WG call - October 27th [Meeting Minutes]

    Posted Oct 28, 2020 05:16:00 AM
    Edited by Lefteris Skoutaris Oct 28, 2020 05:49:15 AM
    Dear members,

    Please find below the minutes of yesterday's PLA WG's call.

    Agenda Items (AIs):

    1. Progress status check on CCPA-GDPR mapping validation exercise and reviewers' findings.
    2. Latest updates with regards to the PLA CoC submission to CNIL
    3. AoB

    Participants (6):

    Paul Benedek
    Martim T. Barata
    Ramon Codina
    Giulio Faini
    Lefteris Skoutaris (PM)
    Linda Strick

    Meeting Minutes (MMs):

    1. Progress status check on CCPA-GDPR mapping validation exercise and reviewers' findings.
    • From the previous call, Mariusz has asked if the EDPB guidelines (noted by Ramon on the mapping) have an impact on the GDPR articles currently mapped and thereafter on the mapping itself,
    • Martim replied that the EDPB guidelines have been taken into consideration when developing the PLA CoP set of controls, but do not directly change the GDPR articles. In this context, the EDPB guidelines are integrated into the PLA CoP and will be considered as such during the gap analysis exercise,
    • Group members Paul and Ramon have successfully completed their previous assignments (many thanks!),
    • New assignments to the group (AP1):
      • Angell Duran: rows 132 – 138
      • Mariusz Trajfacki: rows 284 – 307
      • Ramon Codina: rows 309 – 323
      • Paul Lanois: rows 324 – 333
      • Paul Benedek: rows 335 – 352
    • Link to CCPA-GDPR mapping tool.

    2. Latest updates with regards to the PLA CoC submission to CNIL.
    • The CoC (v4.0) has been formally submitted to the CNIL on 30 September – we now await their feedback,
    • Both the PLA CoC and CoP v4.0 are uploaded and made available to the WG in Circle.

    Main changes reflected into the PLA CoC & CoP v4.0:

    • De-scoping – the CoC now only addresses CSPs while acting as processors; controller-related controls have been removed or adapted,
    • The minimum security baseline has shifted from the ENISA Technical Guidelines for the implementation of minimum security measures for Digital Service Providers to the CSA CCMv3.0.1 – to address the CoC's security requirements,
    • CSPs need to support their CoC adherence submission with a link to a relevant entry on the CSA STAR Registry, showing at least a Level 1 STAR Self-Assessment in place,
    • The controls on data transfer have been revised in accordance with the Schrems II decision – in particular, Privacy Shield is no longer accepted as a lawful transfer mechanism, and requirements around the assessment of the validity of Standard Contractual Clauses to regulate specific transfers have been included.

    3. AoB
    • Next call is scheduled for November 10th, 6 pm EEST (5 pm CET / 8 am PST / 11 am EST).

    Action Points (APs)

    AP1: Group members are kindly asked to complete their assignments by our next meeting on November 10th.


    Please let me know if I have missed including something essential from our meeting.

    Looking forward to your contributions by our next meeting.

    Best regards,

    Lefteris


    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------