Re: What's your GDPR state of the world?

[David Curry <david.curry () NEWSCHOOL EDU>]

Thanks to everyone who responded. As promised, I have assembled all the
responses. To avoid random email program formatting decisions, I've put
them together in a PDF, attached.

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.curry () newschool edu

[image: The New School]


On Thu, Sep 27, 2018 at 1:17 PM Hudson, Edward <ehudson () calstate edu> wrote:

> David, et al  our input inline
>
>    1. What tasks has your organization completed so far?- *We have in 3
>    “in country ”subsidiary  nonprofits so much of our efforts have been around
>    getting those entities, our international program contracts compliant, have
>    drafted our privacy statement for web presences. And generally, determine
>    the most likely legal basis for collection- for us it is ending up “Public
>    Task” as we are a statutorily created entity, followed by legitimate
>    interest, contract and lastly consent.*
>    2. What tasks are you currently working on? *DPIA prioritization and
>    checklists, continuing/ongoing contract and model clause issues with EU
>    entities*
>    3. What tasks have you decided to postpone (for whatever reason)? *No
>    conscious decision to postpone things, just prioritizing those activities
>    that directly impact fall term etc*.
>    4. Do you have an internal team/committee working on GDPR? If so, what
>    business units are represented? Or is it all being handled by just one
>    person/department (e.g., counsel's office, IT security)? And if that, who? *Yes.
>    See graphic below. We have a core group lead by myself (CISO) and our
>    Office of General Counsel (OGC) with a senior leader from International
>    Programs and CIO from one of our 23 campuses. This core groups draws on
>    representatives from other groups as needed. The “what” in the graphic is
>    our charter.*
>    5. Have you hired outside GDPR consulting services? If so, what did
>    you use them for? And what type of company was it (law firm, IT consulting
>    firm, other)? *We used assistance overseas for their expertise.
>    Candidly I have not found U.S. based providers adequately knowledgeable or
>    equipped in the Higher EDU space.*
>
>
>
> Happy to chat further with you, or anyone out of band
>
>
>
> Ed Hudson
>
> Systemwide CISO
>
> [image: signature_1043547252]
>
> 401 Golden Shore
>
> Long Beach, CA 90802
>
> Tel 562-951-8431
>
> ehudson () calstate edu
>
>
>
> I subscribe to e-mail classification: i=Information, a=Action, u=Urgent
>
>
>
>
>
>
>
>
>
> *From: *The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of David Curry <
> david.curry () NEWSCHOOL EDU>
> *Reply-To: *The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU>
> *Date: *Tuesday, September 25, 2018 at 6:27 AM
> *To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *[SECURITY] What's your GDPR state of the world?
>
>
>
>
>
> As a university with a relatively small general counsel's office, we have
> been using an outside legal firm to help us with GDPR compliance. As I was
> commiserating with counsel last week about the costs of these services, we
> started wondering, now that some of the "urgency dust" has settled, what
> other universities in our situation have been doing in this regard.
>
>
>
> And so, a short little survey about GDPR compliance efforts:
>
>    1. What tasks has your organization completed so far?
>    2. What tasks are you currently working on?
>    3. What tasks have you decided to postpone (for whatever reason)?
>    4. Do you have an internal team/committee working on GDPR? If so, what
>    business units are represented? Or is it all being handled by just one
>    person/department (e.g., counsel's office, IT security)? And if that, who?
>    5. Have you hired outside GDPR consulting services? If so, what did
>    you use them for? And what type of company was it (law firm, IT consulting
>    firm, other)?
>
> Please respond to me privately (or share to the list if you want). I'll
> assemble all the responses together anonymously and post them here in a
> week or so.
>
>
>
> [Forgive the cross-posting; earlier GDPR discussions were split between
> the SECURITY and PRIVACY lists.]
>
>
>
> Thanks,
>
> --Dave
>
>
>
>
> --
>
> *DAVID A. CURRY, CISSP*
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • david.curry () newschool edu
>
> [image: The New School]

Attachment: responses.pdf
Description: