Educause Security Discussion mailing list archives

Re: What's your GDPR state of the world?


From: "Hudson, Edward" <ehudson () CALSTATE EDU>
Date: Thu, 27 Sep 2018 17:17:44 +0000

David, et al., our input inline:

What tasks has your organization completed so far?
We have 3 “in country” subsidiary nonprofits, so much of our efforts have been around getting those entities, our international program contracts compliant, have drafted our privacy statement for web presences. And generally, determine the most likely legal basis for collection - for us it is ending up “Public Task” as we are a statutorily created entity, followed by legitimate interest, contract and lastly consent.

What tasks are you currently working on?
DPIA prioritization and checklists, continuing/ongoing contract and model clause issues with EU entities.

What tasks have you decided to postpone (for whatever reason)?
No conscious decision to postpone things, just prioritizing those activities that directly impact fall term etc.

Do you have an internal team/committee working on GDPR? If so, what business units are represented? Or is it all being handled by just one person/department (e.g., counsel's office, IT security)? And if that, who?
Yes. See graphic below. We have a core group led by myself (CISO) and our Office of General Counsel (OGC) with a senior leader from International Programs and CIO from one of our 23 campuses. This core group draws on representatives from other groups as needed. The “what” in the graphic is our charter.

Have you hired outside GDPR consulting services? If so, what did you use them for? And what type of company was it (law firm, IT consulting firm, other)?
We used assistance overseas for their expertise. Candidly I have not found U.S. based providers adequately knowledgeable or equipped in the Higher EDU space.
 

Happy to chat further with you, or anyone out of band

Ed Hudson
Systemwide CISO
401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu

I subscribe to e-mail classification: i=Information, a=Action, u=Urgent

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of David Curry 
<david.curry () NEWSCHOOL EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, September 25, 2018 at 6:27 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] What's your GDPR state of the world?

 

 

As a university with a relatively small general counsel's office, we have been using an outside legal firm to help us 
with GDPR compliance. As I was commiserating with counsel last week about the costs of these services, we started 
wondering, now that some of the "urgency dust" has settled, what other universities in our situation have been doing in 
this regard.

 

And so, a short little survey about GDPR compliance efforts:

What tasks has your organization completed so far?
What tasks are you currently working on?
What tasks have you decided to postpone (for whatever reason)?
Do you have an internal team/committee working on GDPR? If so, what business units are represented? Or is it all being 
handled by just one person/department (e.g., counsel's office, IT security)? And if that, who?
Have you hired outside GDPR consulting services? If so, what did you use them for? And what type of company was it (law 
firm, IT consulting firm, other)?
Please respond to me privately (or share to the list if you want). I'll assemble all the responses together anonymously 
and post them here in a week or so. 

 

[Forgive the cross-posting; earlier GDPR discussions were split between the SECURITY and PRIVACY lists.]

 

Thanks,

--Dave

 


--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.curry () newschool edu

