Educause Security Discussion mailing list archives
Re: What's your GDPR state of the world?
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Mon, 8 Oct 2018 10:28:44 -0400
Thanks to everyone who responded. As promised, I have assembled all the responses. To avoid random email program formatting decisions, I've put them together in a PDF, attached.

--Dave

--
DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.curry () newschool edu

On Thu, Sep 27, 2018 at 1:17 PM Hudson, Edward <ehudson () calstate edu> wrote:
David, et al., our input inline.

1. What tasks has your organization completed so far?
*We have 3 “in country” subsidiary nonprofits, so much of our efforts have been around getting those entities, our international program contracts compliant, have drafted our privacy statement for web presences. And generally, determine the most likely legal basis for collection - for us it is ending up “Public Task” as we are a statutorily created entity, followed by legitimate interest, contract and lastly consent.*

2. What tasks are you currently working on?
*DPIA prioritization and checklists, continuing/ongoing contract and model clause issues with EU entities.*

3. What tasks have you decided to postpone (for whatever reason)?
*No conscious decision to postpone things, just prioritizing those activities that directly impact fall term, etc.*

4. Do you have an internal team/committee working on GDPR? If so, what business units are represented? Or is it all being handled by just one person/department (e.g., counsel's office, IT security)? And if that, who?
*Yes. See graphic below. We have a core group led by myself (CISO) and our Office of General Counsel (OGC) with a senior leader from International Programs and CIO from one of our 23 campuses. This core group draws on representatives from other groups as needed. The “what” in the graphic is our charter.*

5. Have you hired outside GDPR consulting services? If so, what did you use them for? And what type of company was it (law firm, IT consulting firm, other)?
*We used assistance overseas for their expertise. Candidly, I have not found U.S.-based providers adequately knowledgeable or equipped in the Higher EDU space.*

Happy to chat further with you, or anyone, out of band.

Ed Hudson
Systemwide CISO
401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu
I subscribe to e-mail classification: i=Information, a=Action, u=Urgent

*From:* The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of David Curry <david.curry () NEWSCHOOL EDU>
*Reply-To:* The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
*Date:* Tuesday, September 25, 2018 at 6:27 AM
*To:* "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject:* [SECURITY] What's your GDPR state of the world?

As a university with a relatively small general counsel's office, we have been using an outside legal firm to help us with GDPR compliance. As I was commiserating with counsel last week about the costs of these services, we started wondering, now that some of the "urgency dust" has settled, what other universities in our situation have been doing in this regard.

And so, a short little survey about GDPR compliance efforts:

1. What tasks has your organization completed so far?
2. What tasks are you currently working on?
3. What tasks have you decided to postpone (for whatever reason)?
4. Do you have an internal team/committee working on GDPR? If so, what business units are represented? Or is it all being handled by just one person/department (e.g., counsel's office, IT security)? And if that, who?
5. Have you hired outside GDPR consulting services? If so, what did you use them for? And what type of company was it (law firm, IT consulting firm, other)?

Please respond to me privately (or share to the list if you want). I'll assemble all the responses together anonymously and post them here in a week or so.

[Forgive the cross-posting; earlier GDPR discussions were split between the SECURITY and PRIVACY lists.]

Thanks,
--Dave

--
*DAVID A. CURRY, CISSP*
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY
71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.curry () newschool edu
Attachment:
responses.pdf