Privacy Level Agreement

PLA WG call - May 25th [Meeting Minutes]


    Posted May 28, 2021 10:32:00 AM

    Dear members,

    Please find below a summary of the discussions that took place during our recent meeting.

    Agenda Items (AIs):

    1. Specify gap descriptions for CCPA-GDPR mapping & gap analysis exercise
    2. Discuss CCPA-GDPR gap analysis views (by co-chair team and experts)
    3. Latest update on the submission of the Code to DPAs
    4. AoB


    Participants (6):

    Martim T. Barata
    Paul Benedek
    Bahar Mirzai
    Paul Lanois
    Lefteris Skoutaris (PM)
    Mark Vinkovits


    Meeting Minutes (MMs)

    1. Specify gap descriptions for CCPA-GDPR mapping & gap analysis exercise
    • The group discussed the next steps of the gap analysis exercise.
    • Those steps involve:
      • Step 1: Identifying and describing the CCPA missing requirements 'deltas' to the GDPR and documenting those under column 'F' 'Compensating Control' in the mapping tool.
      • Step 2: Map the identified CCPA deltas to the corresponding controls of the Code of Practice (CoP).
      • Step 3: Amend the corresponding controls of the CoP to include the missing CCPA deltas.
    • It was agreed that Step 3 is out of scope of the current mapping activity, and it was recommended that the group of professionals proceed with Steps 1 and 2.
    • Therefore, the objective until the next call is that professionals identify and describe the missing CCPA requirements (under 'F') for the partial and full gap cases of the mapped CCPA-GDPR pairs they have been working on during the previous phase (AP1).

    2. Discuss CCPA-GDPR gap analysis views (by co-chair team and experts)
    • The co-chair team has addressed all comments presented by the reviewers in the Reviewer's Final Reply column 'J' of the Gap Analysis table, where those comments disagreed with our review,
    • Further clarifications and comments were included in response to certain comments, in spite of a lack of disagreement with our review, where that was deemed helpful for the better understanding of the co-chair's team assessment,
    • The answers have been included in column 'K' and are colour-coded in red where we disagree with the Reviewer's input (and thus would maintain our previous assessment), and in green where we agree with the reviewer's input,
    • Reviewers are kindly invited to take into account the final resolutions of the co-chair team when working on the missing CCPA requirements description for AP1 (AP2).

    3. Latest update on the submission of the Code to DPAs
    • CSA discussed with CNIL the feedback received (from the CNIL and two other co-reviewer Supervisory Authorities) on the CSA Code of Conduct for GDPR Compliance,
    • In the course of that meeting, the CNIL:
      • Made some further minor suggestions for amendment to the CoC, which we promptly incorporated into the CoC and sent back to the CNIL for revision;
      • Provided some insight into the accreditation process for the CoC's Monitoring Body;
      • Confirmed that the content of the CoC – and, in particular, CSA's approach to data security within the CoC – was acceptable from the CNIL's perspective;
      • Explained that, once the co-review process for the CoC is finalized (the estimate for this was mid-May, though we are yet to hear back from the CNIL and co-reviewers to date), and assuming all of the responses given to the feedback received are satisfactory, the CoC will enter the "cooperation phase";
      • Explained that the "cooperation phase" involves providing all EEA Supervisory Authorities with the opportunity to read through the CoC and, if so willing, provide their feedback to the CNIL – if any such feedback is received which has not already been addressed previously by the CSA, we will receive further comments to address;
      • Explained that, after the "cooperation phase", the CoC will be shared with the European Data Protection Board, for its opinion. With a favourable opinion, the CNIL will be able to approve the CoC.
      • Provided an estimated timeline for approval: the first trimester of 2022 (though this assumes that no relevant feedback is received on the CoC between now and approval).

    4. AoB
    • Next call is scheduled on June 8th, 6 pm EEST (5 pm CET / 8 am PST / 11 pm EST).


    Action Points (APs)

    AP1: Group is kindly invited to identify and describe under column F of the mapping tool the CCPA missing requirements.
    AP2: Reviewers are kindly invited to take into account the final resolutions of the co-chair team when working on the missing CCPA requirements description for AP1.


    Please let me know if anything essential is missing above.
    Thank you again for your attendance and support.
    Best regards,
    Lefteris

    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------