Privacy Level Agreement

Meeting Minutes 5 December 2023.

    Posted Dec 15, 2023 10:23:00 AM
    Edited by Marina Bregkou Dec 15, 2023 11:55:12 AM

    Dear members,

    Please find the minutes from the last PLA WG call on the 5th of December:

    Minutes:

    • The working group discussed the action items concluded from the previous call in the '2023_11_03_CPRA - PLA_CoP_Mapping (WiP)' document, tab "CPRA - PLA_CoC Mapping" (with the green label); the other tabs are included in the file as a reference.
    • Working from column E onward: identify the corresponding requirement under the Code of Conduct:

      • For the red cells (in scope): complete columns D, E, F, G and H by doing the same mapping exercise as under the CCPA, but this time under the CPRA, i.e. whether the GDPR Code of Conduct controls (column C) meet the CPRA requirements (please therefore ignore all RED cells that have been marked in Column C as "Out of Scope").

    Previous action items:

    • Louis to work on rows 23, 24, 25, 42. - DONE

      • For row 42, Isabella suggested adding the control of cooperation between the controller and the processor in order to meet data subjects' requests.
    • Rajat to work on rows 115, 116, 147, 197, 198. - DONE

      • For row 116, Isabella suggested (and it was agreed) excluding the specific control from the scope of our analysis because it applies to the business.
    • Unassigned red cells for the mapping of the CPRA to the GDPR: 199 to 202, 214, 215, 228 to 234, 263, 266, 269, 287 to 299, 304 to 309. - Partially DONE (Rajat completed 199-202)

      New action items:

      • Rajat ( @Rajat Dubey) to work on rows 228 to 234 and to reassess rows 214-215 as he thinks appropriate;
      • Louis ( @Louis Pinault) to work on rows 263, 266, 269 and 291-299;
      • Yuvaraj ( @Yuvaraj Madheswaran) to work on rows 287-290;
      • Wei ( @wei cao) to work on rows 304-309;
      • Isabella ( @Isabella Oldani) to review row 26 and check whether there is a gap and a new control is needed, or whether the Code of Conduct provides any information on remediation for the business or cloud customer, based on the controls Louis provided for the previous action item; and to review row 200 and check why Article 29 was selected as relevant.

      How to contribute:

      In the Google document '2023_11_03_CPRA - PLA_CoP_Mapping (WiP)', tab "CPRA - PLA_CoC Mapping" (with the green label); the other tabs are included in the file as a reference.

        • For the red cells (in scope): complete columns D, E, F, G and H by doing the same mapping exercise as under the CCPA, but this time under the CPRA, i.e. whether the GDPR Code of Conduct controls (column C) meet the CPRA requirements (please therefore ignore all RED cells that have been marked in Column C as "Out of Scope").
      1. Column I: name of the "Reviewer";
      2. The Reviewer will then need to complete Column E by identifying the relevant Control (of the CSA CoC) that would allow CSPs to comply with the obligations stemming from the relevant CCPA provisions identified in Columns B and C. This can be done by first checking the tab "PLA Annex 10" of the Excel document. Possible outcomes:
            • If a corresponding Control can be found in tab "PLA Annex 10", this Control can be added in Column E (also adding "PLA – Annex 10" in brackets) and Column F can be completed with "No Gap";
            • If a corresponding Control cannot be found in tab "PLA Annex 10", the Reviewer should then check the "PLA Code of Practice (CoP) v4.1" tab of the Excel file:
              • If a corresponding Control is found in this tab, this Control can be added in Column E and Column F can be completed with "No Gap";
              • If a corresponding Control is found in this tab but the identified Control would not allow CSPs to fully comply with the obligations stemming from the relevant CCPA provisions identified in Columns B and C, this Control can be added in Column E and Column F can be completed with "Partial Gap";
              • If no corresponding Control can be found in this tab, Column F can be completed with "Full Gap".
      3. The Reviewer should then briefly summarize the results of their analysis in Column G;
      4. Lastly, in case Column F has been completed with "Full" or "Partial Gap", the Reviewer should identify the proposed compensating Control in Column H.

            Please note that the chairs have already completed row 22 of the "CPRA - PLA_CoC Mapping" tab as a reference for the group on how we would proceed.

        • Lastly, please note that the group can also use as a reference the work done in tab "CCPA - PLA_CoC Mapping (for pub)" of the Excel file, which was developed before the CPRA came into force (we now need to do the same exercise in relation to the amended text of the CCPA).

      Next working group call: 

      Day: Thursday 21st of December

      Time: 08:00 a.m. PST / 11:00 EST / 16:00 GMT / 17:00 CET.

      URL: https://cloudsecurityalliance.zoom.us/j/82987382695?pwd=amZ6cEljSCtXVU01OUVRbUUyTTNRdz09  (Meeting ID: 829 8738 2695, Passcode: 794440)

      Kind regards,
      Marina

      *******************************************************************************************************************************************************************

      Structure of the table included in the "CPRA - PLA_CoC Mapping" tab:


      This table is structured as follows:

      • Columns A to C include the results of our previous CPRA – GDPR mapping exercise (all previous comments have been removed and the results of our discussion are now consolidated in column C);
      • Column D ("Type of Provision") is meant to be completed with an indication of the type of provision included in Columns B and C (whether "Obligation" or "Definition & Procedures"). The relevant type of provision should already have been selected for all provisions that we have examined so far.
      • Column E ("PLA Code of Practice Controls Mapping") needs to be filled out by adding a reference (if any) to the relevant Control (of the CSA CoC) that covers the relevant CCPA provisions identified in columns B and C (which raise obligations for Cloud Service Providers – "CSPs" – or include definitions that are relevant for determining the scope of those obligations);
      • Column F ("Gap Identification") is meant to be used in order to specify whether the relevant CCPA provision is covered or not by the identified Control (of the CSA CoC) and, if so, to what extent ("No Gap" / "Partial Gap" / "Full Gap"). In particular:
        • "No Gap" should be selected when compliance with the Control identified in Column E would allow CSPs to fully comply with the obligations stemming from the relevant CCPA provisions (identified in Columns B and C);
        • "Partial Gap" should be selected when compliance with the Control identified in Column E would allow CSPs to partly comply with the obligations stemming from the relevant CCPA provisions (identified in Columns B and C), with the result that some compensating Controls would need to be added to the CoC;
        • "Full Gap" should be selected when there is no corresponding Control that can be leveraged in order to ensure that CSPs can comply with the obligations stemming from the relevant CCPA provisions (identified in Columns B and C), with the result that a new Control should be set up.
      • Column G ("Gap analysis") should be filled out with a summary of the analysis performed in Columns E and F;
      • Column H ("Compensating Control") should be completed with an indication of the "compensating control" that needs to be added to the CoC (in order to ensure that CSPs can fully comply with the obligations stemming from the relevant CCPA provisions) in the event that a "Partial" or "Full Gap" has been identified in Column F (in other words, what Control needs to be added to the CoC, or how an existing Control needs to be amended, in order to ensure that CSPs can fully comply with the relevant CCPA provision?);
      • Column I ("Reviewer's Name") should be completed with the name of the participant in the PLA WG who would like to contribute to this analysis;
      • Column J ("Co-Chair Team Review") is meant to be completed with comments from the Co-Chair Team on the analysis performed by the Reviewer.



      ------------------------------
      Marina Bregkou,
      Senior Research Analyst,
      CSA
      ------------------------------