Privacy Level Agreement

Meeting Minutes 7 November, 2023.

    Posted Nov 22, 2023 09:53:00 AM

    Dear members,

    Please find the minutes from the last PLA WG call on the 7th of November:

    Minutes:

    • The chairs explained the new document shared and provided instructions on how to work on it: '2023_11_03_CPRA - PLA_CoP_Mapping (WiP)' document:
    • New action items are to happen in the "CPRA - PLA_CoC Mapping" tab (with the green label), while the other tabs are included in the file as a reference.
    • Members were assigned action items for next time.
    • Working from column E and onward: Identify the corresponding requirement under the Code of Conduct:

      • For the red cells (in scope): Complete columns D, E, F, G and H by doing the same mapping exercise as under CCPA, but this time under CPRA, i.e. the GDPR Code of Conduct controls (column C) meet the CPRA requirements. (Please therefore ignore all RED cells that have been marked – in Column C – as "Out of Scope".)
        1. Those who would like to contribute to this work can insert their name in Column I (and therefore become a "Reviewer");
        2. The Reviewer will then need to complete Column E by identifying the relevant Control (of the CSA CoC) that would allow CSPs to comply with the obligations stemming from the relevant CCPA provisions identified in Columns B and C. This can be done by first checking the tab "PLA Annex 10" of the Excel document. Possible outcomes:
        • If a corresponding Control can be found in tab "PLA Annex 10", this Control can be added in Column E (by also adding "PLA – Annex 10" in brackets) and Column F can be completed with "No Gap";
        • If a corresponding Control cannot be found in tab "PLA Annex 10", the Reviewer should then check the "PLA Code of Practice (CoP) v4.1" tab of the Excel file:
          • If a corresponding Control is found in this tab, this Control can be added in Column E and Column F can be completed with "No Gap";
          • If a corresponding Control is found in this tab but the identified Control would not allow CSPs to fully comply with the obligations stemming from the relevant CCPA provisions identified in Columns B and C, this Control can be added in Column E and Column F can be completed with "Partial Gap";
          • If no corresponding Control can be found in this tab, Column F can be completed with "Full Gap".
        3. The Reviewer should then briefly summarize the results of their analysis in Column G;
        4. Lastly, in case Column F has been completed with "Full" or "Partial Gap", the Reviewer should identify the proposed compensating Control in Column H.


          Please note that the chairs have already completed row 22 of the "CPRA - PLA_CoC Mapping" tab as a reference for the group on how we would proceed.

      • Lastly, please also note that the group can also use as a reference the work that has been done in tab "CCPA - PLA_CoC Mapping (for pub)" of the Excel file which has been developed before the CPRA came into force (we now need to do the same exercise in relation to the amended text of the CCPA).

    New action items:

    • Louis ( @Louis Pinault) to work on rows 23, 24, 25, 42

    • Rajat ( @Rajat Dubey) to work on rows 115, 116, 147, 197, 198.

    • Unassigned red cells for the mapping of the CPRA to the GDPR: 199 to 202, 214, 215, 228 to 234, 263, 266, 269, 287 to 299, 304 to 309.


    Next working group call:

    Day: Tuesday, 5th of December

    Time: 08:00 a.m. PST / 11:00 EST / 16:00 GMT / 17:00 CET.

    URL: https://cloudsecurityalliance.zoom.us/j/82987382695?pwd=amZ6cEljSCtXVU01OUVRbUUyTTNRdz09  (Meeting ID: 829 8738 2695, Passcode: 794440)

    Kind regards,
    Marina

    ***********************************************************************************************************************************************************************

    Structure of the table included in the "CPRA - PLA_CoC Mapping" tab:


    This table is structured as follows:

    • Columns from A to C include the results of our previous CPRA – GDPR mapping exercise (all previous comments have been removed and the results of our discussion are now consolidated in column C);
    • Column D ("Type of Provision") is meant to be completed with an indication of the type of provision that is included in Columns B and C (whether "Obligation" or "Definition & Procedures"). The relevant type of provision should have been already selected for all provisions that we have examined so far.
    • Column E ("PLA Code of Practice Controls Mapping") needs to be filled out by adding a reference (if any) to the relevant Control (of the CSA CoC) that covers the relevant CCPA provisions identified in columns B and C (which raise obligations for Cloud Service Providers – "CSPs" or include definitions that are relevant for determining the scope of those obligations);
    • Column F ("Gap Identification") is meant to be used in order to specify whether the relevant CCPA provision is covered or not by the identified Control (of the CSA CoC) and, if so, to what extent ("No Gap" / "Partial Gap" / "Full Gap"). In particular:
      • "No Gap" should be selected when compliance with the Control identified in Column E would allow CSPs to fully comply with the obligations stemming from the relevant CCPA provisions (identified in Columns B and C);
      • "Partial Gap" should be selected when compliance with the Control identified in Column E would allow CSPs to partly comply with the obligations stemming from the relevant CCPA provisions (identified in Columns B and C), with the result that some compensating Controls would need to be added to the CoC;
      • "Full Gap" should be selected when there is no corresponding Control that can be leveraged in order to ensure that CSPs can comply with the obligations stemming from the relevant CCPA provisions (identified in Columns B and C), with the result that a new Control should be set up.
    • Column G ("Gap analysis") should be filled out with a summary of the analysis performed in Columns E and F;
    • Column H ("Compensating Control") should be completed with an indication of the "compensating control" that needs to be added to the CoC (in order to ensure that CSPs can fully comply with the obligations stemming from the relevant CCPA provisions) in the event that a "Partial" or "Full Gap" has been identified in Column F (in other words, what Control needs to be added to the CoC / how an existing Control needs to be amended in order to ensure that CSPs can fully comply with the relevant CCPA provision?);
    • Column I ("Reviewer's Name") should be completed with the name of the participant in the PLA WG who would like to contribute to this analysis;
    • Column J ("Co-Chair Team Review") is meant to be completed with comments from the Co-Chair Team on the analysis performed by the Reviewer.

    *****************************************************************************************************************************************************

    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------