Privacy Level Agreement

PLA WG call - February 16th [Meeting Minutes]

    Posted Feb 17, 2021 06:07:00 AM
    Dear members,
    please find below a summary of the discussions that took place during our recent meeting.

    Agenda Items (AIs):

    1. Progress status check on the CCPA-GDPR Gap Analysis Activity
    2. Overview of PLA CoC activities for submission of the code to DPAs
    3. AoB


    Participants (7):

    Paolo Balboni (Co-chair)
    Martim T. Barata
    Paul Benedek
    Lefteris Skoutaris (PM)
    Linda Strick
    Mariusz Trajfacki
    Mark Vinkovits


    Meeting Minutes (MMs): 

    1. Progress status check on the CCPA-GDPR Gap Analysis Activity
    • The team made a progress status check on the current assignments of the gap analysis exercise. We would like to thank Mark, Paul, Ramon and Mariusz for the completion of all recent assignments.
    • New assignments (AP1):
      • Angell has been assigned: 86-101
      • Rishabh assigned: 103-111
      • Paul assigned: 113-128, 129-148
      • Mariusz assigned: 150-162
      • Mark assigned: 164-192
    Figure 1: Snapshot of CCPA-GDPR gap analysis progress status tab

    2. Overview of PLA CoC activities for submission of the code to DPAs
    • Paolo provided the panel with an overview of recent feedback provided by CNIL, in the context of the submission and acceptance process of the PLA CoC. Two main points were discussed.
    First point:
    • A few remarks were made on the STAR-level 1 program of CSA and the use of self-assessments by organizations to test compliance to the code, instead of pursuing only STAR-level 2 that is based on 3rd party certification. The supervisory authority, CNIL, is questioning the reliability of the self-assessment, as it is based solely on an internal audit, and that testing SMEs' statements does not substantially prove compliance to the code.
    • The panel was asked about how they see the self-attestation approach. Paul and Linda highlighted the benefits of self-assessments in terms of low cost and less time that is required for SMEs, which do not have the resources to conduct a formal independent 3rd party audit.
    • PM asked how the approach of evidence-based self-assessment would be viewed by the DPA authority, to which Paolo replied that such evidence is still based on declarations (essentially quoting internal documentation) and not on proof of efficient security controls implementation at the corresponding systems/infrastructure.
    • Discussions are ongoing between CSA and CNIL.
    Second point:
    • 'ENISA security measures for digital service providers' were employed initially in the code to support the provision of controls that would need to be implemented for privacy and achieving compliance to the code. These were deemed not practically sufficient by the DPA.
    • CSA proposed CCM. CNIL suggested CCM is not personal data related as it does not support Risk management requirements for Privacy (GDPR Article 32), but currently for Security only, which is one of the challenges that the PLA team has to tackle and is working in that direction.

    3. AoB
    • Next call is scheduled for March 2nd, 6 pm EEST (5 pm CET / 8 am PST / 11 am EST).

    Action Points (APs)

    • AP1: Professionals are kindly invited to complete the assigned tasks by our next call session on the 2nd of March.

    Please let me know if anything essential is missed above from our meeting.
    Thank you again for your attendance and support.
    Best regards,

    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance