Dear members,
please find below a summary of the discussions that took place during our recent meeting.
Agenda Items (AIs):
1. Specify gap descriptions for CCPA-GDPR mapping & gap analysis exercise
2. Discuss CCPA-GDPR gap analysis views (by co-chair team and experts)
3. Latest update on the submission of the Code to DPAs
4. AoB
Participants (6):
Martim T. Barata
Paul Benedek
Bahar Mirzai
Paul Lanois
Lefteris Skoutaris (PM)
Mark Vinkovits
Meeting Minutes (MMs)
1. Specify gap descriptions for CCPA-GDPR mapping & gap analysis exercise
- The group discussed the next steps to the gap analysis exercise,
- Those steps involved:
- Step 1: Identifying and describing the CCPA missing requirements 'deltas' to the GDPR and documenting those under column 'F' 'Compensating Control' in the mapping tool.
- Step 2: Map the identified CCPA deltas to the corresponding controls of the Code of Practice (CoP).
- Step 3: Amend the corresponding controls of the CoP to include the missing CCPA deltas.
- It was agreed that step 3 is out of scope of the current mapping activity, and it was recommended that the group of professionals proceed with Steps 1 and 2,
- Therefore, the objective until the next call is that professionals identify and describe the missing CCPA requirements (under 'F') for the partial and full gap cases of the mapped CCPA-GDPR pairs they have been working on during the previous phase (AP1).
2. Discuss CCPA-GDPR gap analysis views (by co-chair team and experts)
- The co-chair team has addressed all comments presented by the reviewers in the Reviewer's Final Reply column 'J' of the Gap Analysis table, where those comments disagreed with our review,
- Further clarifications and comments were included in response to certain comments, in spite of a lack of disagreement with our review, where that was deemed helpful for the better understanding of the co-chair's team assessment,
- The answers have been included in column 'K' and are colour-coded in red where we disagree with the Reviewer's input (and thus would maintain our previous assessment), and in green where we agree with the reviewer's input,
- Reviewers are kindly invited to take into account the final resolutions of the co-chair team when working on the missing CCPA requirements description for AP1 (AP2).
3. Latest update on the submission of the Code to DPAs
- CSA discussed with CNIL the feedback received (from the CNIL and two other co-reviewer Supervisory Authorities) on the CSA Code of Conduct for GDPR Compliance,
- In the course of that meeting, the CNIL:
- Made some further minor suggestions for amendment to the CoC, which we promptly incorporated into the CoC and sent back to the CNIL for revision;
- Provided some insight into the accreditation process for the CoC's Monitoring Body;
- Confirmed that the content of the CoC – and, in particular, CSA's approach to data security within the CoC – was acceptable from the CNIL's perspective;
- Explained that, once the co-review process for the CoC is finalized (the estimate for this was mid-May, though we are yet to hear back from the CNIL and co-reviewers to date), and assuming all of the responses given to the feedback received are satisfactory, the CoC will enter the "cooperation phase";
- Explained that the "cooperation phase" involves providing all EEA Supervisory Authorities with the opportunity to read through the CoC and, if so willing, provide their feedback to the CNIL – if any such feedback is received which has not already been addressed previously by the CSA, we will receive further comments to address;
- Explained that, after the "cooperation phase", the CoC will be shared with the European Data Protection Board, for its opinion. With a favourable opinion, the CNIL will be able to approve the CoC.
- Provided an estimated timeline for approval: the first trimester of 2022 (though this assumes that no relevant feedback is received on the CoC between now and approval).
4. AoB
- Next call is scheduled on June 8th, 6 pm EEST (5 pm CET / 8 am PST / 11 pm EST).
Action Points (APs)
AP1: Group is kindly invited to identify and describe under column F of the mapping tool the CCPA missing requirements.
AP2: Reviewers are kindly invited to take into account the final resolutions of the co-chair team when working on the missing CCPA requirements description for AP1.
Please let me know if something essential is missed above.
Thank you again for your attendance and support.
Best regards,
Lefteris
------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance