Privacy Level Agreement

Meeting Minutes July 18th, 2023.

    Posted Jul 25, 2023 08:41:00 AM

    Dear members,

    Please find below the minutes from our last call on the 18th of July:

    Minutes:

    The working group went through the '2023_04_13_CPRA - PLA_CoP_Mapping (WiP)' document. The chairs had reviewed the mapping done in column C (for some rows) and provided their feedback, which was then discussed with the group and finalized.

    • Rows reviewed and updated by the WG on the previous call: 113, 115, 116, 147, 197, 229.
    • Row 219 was voted as out-of-scope.
    • Rows 224 and 226 will be updated on the next call after assessment by the chairs.

    Previous action items:

    • Isabella to update row 24, column K with article 32 also, as agreed on the call. - DONE (it was decided that article 32 is captured under Article 28(3)(f))
    • Isabella to update column K, row 42 saying that article 28 fully covers the relevant provision. - DONE
    • Isabella to update the status of column K, row 12 to 'agreed'. - PENDING
    • For row 23 to include a footnote mentioning that 'In article 28, broadly, there is no specific obligation for the processor to comply with the applicable obligations under the GDPR but exclusively the obligation to comply with the instructions of the controller.' - DONE
    • Isabella to include in Row 25 a footnote about the variation existing in the CCPA provision mentioning the obligation by the 3rd party or service provider (CSP) or contractor to notify the business if they are unable to follow the obligations needed. - DONE
    • To discuss row 3, where the red cell provision is marked as out-of-scope but 2 members partially disagree. - PENDING
    • To discuss rows 4, 9, 12, column C, by Emilio Mazzon. - PENDING
    • To discuss row 116 mapped by Mark. - DONE
    • Working group to continue the mapping for all the un-mapped red cells (column B - CPRA provisions) to GDPR articles (column C). Review the red cells that have no other volunteer working on them (please check column J) and identify the corresponding provision of CCPA with GDPR in column C. That represents the obligations raised for the cloud provider towards their clients. Let's each volunteer choose 10 red cells/controls to map. Please look at the examples in rows 25 and 26. - In progress

    New action items:

    • Isabella (@Isabella Oldani) to update on the assessment made by the chairs to rows 224 and 226.
    • Need volunteers to map the remaining red cells of CPRA provision to GDPR. The unmapped rows are: 261, 264, 267, 285-294. (Map column B (CPRA) to column C (GDPR))

    Document logic (color codes):

    The document shows the CCPA provisions after the CPRA changes were applied to them:

    In red cells are the new provisions introduced by the CPRA that didn't exist earlier. Here there is the need to do a new complete mapping to the GDPR as the specific provision appears for the first time.

    Green cells show that the specific provision is as before, and nothing has been added.

    Yellow cells indicate that the provision has been updated from its previous state, thus this GDPR mapping needs to be revised.

    • Column B contains the CCPA/CPRA provisions.
    • Column C contains the GDPR articles (some are already mapped to those CCPA/CPRA provisions from our previous work).
    • Column D describes the type of provision. It only contains 2 kinds to choose from: Obligation, or Definition and Procedures.
    • Column E lists the identified CSA Code of Conduct (CoC) controls that the cloud providers can check to show compliance with GDPR to their customers.
    • Column J: the name of the volunteer who wants to work, and is working, on the specific red cell provision (mapping CCPA with GDPR for the red cells that are in scope).
    • How to work on the document:
      • E.g. Row 203: For 'Adv+Marketing', find the corresponding provision under GDPR and fill it in column C (as another example, use one of the green cells that already have the GDPR provision filled in). If there is no correspondence with GDPR, mark it as N/A.
        • In column D include the 'Type of the provision', e.g. Definition and Procedures.
        • In order to avoid double work in the same row, each reviewer is requested to include their name next to the row they are working on, in column J.

    Next working group call:

    Date: Tuesday, August 1st

    Time: 08:00 a.m. PST / 11:00 EST / 16:00 GMT / 17:00 CET.

    URL: https://cloudsecurityalliance.zoom.us/j/82987382695?pwd=amZ6cEljSCtXVU01OUVRbUUyTTNRdz09  (Meeting ID: 829 8738 2695, Passcode: 794440)

    Kind regards,
    Marina

    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------