[KI-LC] GDPR and Kantara approach question

Andrew Hughes andrewhughes3000 at gmail.com
Wed Mar 1 09:22:21 CST 2017


Hmmm.... I sense a need for a Kantara Global Innovation Centre Portal :-)

You are spot-on Mary - packaging collectively-created works into a
consumable package is essential if we want to reach a wider audience.

As to what mix of Kantara staff and WG volunteers is needed to do this - we
can figure it out.

I'm really sensitive to avoiding adding yet another thing to WG
contributors' workload - which is a reason I'm thinking of this as a
separate activity instead of in-WG.

*Andrew Hughes *CISM CISSP
Independent Consultant
*In Turn Information Management Consulting*

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8
AndrewHughes3000 at gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
*Identity Management | IT Governance | Information Security *

On Wed, Mar 1, 2017 at 7:17 AM, mary hodder <hodder at gmail.com> wrote:

> Interesting discussion.
>
> Another way to look at this is that Kantara makes things in WGs but once
> those things are made, they need a "productizing" phase group, in this case
> for the GDPR.
>
> A toolkit is part of it.. it's also about explaining how, what for, why,
> whom and when to use things, and to test them through the user's
> perspective of implementation and then both adjust them (based upon
> learnings from the productization process) and market them in the right
> places and with early adopters.
>
> It makes a lot of sense to me that we would have a group that takes all
> the WGs stuff .. and frames it, tests it, makes it accessible and focuses
> on solving a user's problem (I know the work groups do this now for a
> certain percentage of this, but it's the final piece of showing the end
> user of our work), putting things together from different WGs to solve a
> problem the end user has.
>
> So the first problem set we could address is how to deal with the GDPR
> with our tools, and communicate the solutions to end users (folks who need
> to implement solutions for GDPR).
>
> Later the group could add more "product areas" as Allan mentioned: privacy
> issues generally, US FIPPS and Privacy Shield issues (if that continues to
> exist in light of Trump's recent executive order that negated it), etc. We
> could choose the end user cases to solve and then communicate and factor
> the "products" to address those needs.
>
> mary
>
>
> On Wed, Mar 1, 2017 at 6:42 AM, Andrew Hughes <andrewhughes3000 at gmail.com>
> wrote:
>
>> This is why I'm testing this team on what, if anything, Kantara needs to
>> do to help our members and the community address GDPR.
>>
>> We know there's a new industry forming up around it - and if we wait
>> until implementation time it will be too late & our work products will go
>> unnoticed. So my feeling is that now is the time to get organized about
>> what Kantara can offer.
>>
>> andrew.
>>
>> On Wed, Mar 1, 2017 at 6:36 AM, John Wunderlich <john at wunderlich.ca>
>> wrote:
>>
>>> Thanks Allan, for voicing what was in the back of my mind as well. The
>>> GDPR - since it's not implemented yet - serves as kind of a Rorschach test.
>>> You take away from it what you bring to it. It's a big piece of legislation
>>> with many potential impacts. But it seems to me that as people start to
>>> grapple with the GDPR in terms of real world prospects  &  problems (to
>>> your point about specific work products) or prospect new work group ideas
>>> will emerge or existing work groups will need to factor this into their
>>> roadmaps. Otherwise we might hare madly off in all directions.
>>>
>>> For example, one question I have is whether an identity federation
>>> qualifies as 'profiling' under the GDPR. If so are all the participants in
>>> a federation controllers per GDPR with obligations to individuals? Might be
>>> something for OTTO to look at...or not.
>>>
>>> JW
>>>
>>>
>>>
>>> John Wunderlich, BA, MBA
>>>
>>> IAPP Fellow of Information Privacy
>>> CISA, CIPM, CIPP/C, PbD Ambassador
>>> @PrivacyCDN <https://twitter.com/PrivacyCDN> & Privacist
>>>
>>> On 1 March 2017 at 04:04, Allan Foster <allan.foster at forgerock.com>
>>> wrote:
>>>
>>>> So in theory, I am kinda agnostic about the WG. However, this brings
>>>> up an interesting chicken and egg issue.
>>>>
>>>> Surely we should be looking at specific work products that we should
>>>> work on,  and then try and find them a home?  I have a gut feeling that
>>>> much of GDPR is going to find homes in several of our workgroups.  For
>>>> example  privacy,  and consent receipts already are being addressed....
>>>> Federation Interop might actually have some valid input as well...
>>>>
>>>>
>>>> I suggest we work on what work items we want to do,  and THEN find them
>>>> a home?
>>>>
>>>> Allan
>>>>
>>>>
>>>> On 2/28/17 4:30 PM, Colin Wallis wrote:
>>>>
>>>> Good discussion.
>>>>
>>>> I like the cadence (Jeeez I'm starting to hate that term) of toolkits
>>>> because UMA has used that approach successfully, and leveraging successful
>>>> things typically results in more success.
>>>>
>>>> I would have thought a time-bound DG is appropriate, else you risk
>>>> breaking your own rules Mr Hughes..:-).
>>>>
>>>> Cheers
>>>>
>>>> On Tue, Feb 28, 2017 at 11:53 PM, Andrew Hughes <
>>>> andrewhughes3000 at gmail.com> wrote:
>>>>
>>>>> OK - that would be interesting
>>>>>
>>>>> I'm also wondering if any of our members are doing work related to
>>>>> GDPR and could use some Kantara tools to help - sample text, some of the
>>>>> lists and categories coming soon from consent receipt, hmmmm...
>>>>>
>>>>> On Tue, Feb 28, 2017 at 3:49 PM Salvatore D'Agostino <
>>>>> sal at idmachines.com> wrote:
>>>>>
>>>>>> So how about a contribution from each of the DGs, WGs on a single
>>>>>> aspect of their effort for sharing in a toolkit.  I we need to have the
>>>>>> groups contribute and be directly involved or you cross wires.  Challenge
>>>>>> is bandwidth per usual.
>>>>>>
>>>>>>
>>>>>>
>>>>>> So for IRM it might be a GDPR use case as a way to exercise a
>>>>>> relationship manager effort in the next phase of work.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* lc-bounces at kantarainitiative.org [mailto:
>>>>>> lc-bounces at kantarainitiative.org] *On Behalf Of *Andrew Hughes
>>>>>> *Sent:* Tuesday, February 28, 2017 6:15 PM
>>>>>> *To:* Mark OCG <m.lizar at openconsentgroup.com>
>>>>>> *Cc:* Julian Ranger <julian at digi.me>; Robin Wilton <wilton at isoc.org>;
>>>>>> Kantara Leadership Council <lc at kantarainitiative.org>
>>>>>> *Subject:* Re: [KI-LC] GDPR and Kantara approach question
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi mark - yes it is vague - I'm looking for opinions.
>>>>>>
>>>>>> The only thing behind this is that I was wondering if there
>>>>>> could/should be a "Kantara GDPR Toolkit"
>>>>>>
>>>>>> Because I keep hearing that there is great demand for assistance and
>>>>>> I'm wondering if Kantara can do something useful for the community.
>>>>>>
>>>>>> Andrew.
>>>>>>
>>>>>> On Tue, Feb 28, 2017 at 2:56 PM Mark OCG <
>>>>>> m.lizar at openconsentgroup.com> wrote:
>>>>>>
>>>>>> Hi Andrew,
>>>>>>
>>>>>>
>>>>>>
>>>>>> This is all a bit vague. Not clear from what perspective Kantara should
>>>>>> be inclined to ‘do something’ for the GDPR.
>>>>>>
>>>>>>
>>>>>>
>>>>>> As you may or may not be aware Data Protection and Data Control
>>>>>> mitigate each other in terms of risk and liability.  GDPR is fundamentally
>>>>>> about data protection. Standards address risk and liability in different
>>>>>> ways.
>>>>>>
>>>>>>
>>>>>>
>>>>>> It is conceivable that Kantara could have a program that spans this
>>>>>> space - but not sure if a GDPR centric approach would achieve such a
>>>>>> result.   Perhaps evaluating how Kantara efforts relate to GDPR might be
>>>>>> fruitful?  A little survey perhaps?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Is there a deeper insight/motivation missing from this email ?
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Mark Lizar*
>>>>>>
>>>>>> CEO Open Consent Group
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 28 Feb 2017, at 21:53, Andrew Hughes <
>>>>>> andrewhughes3000 at gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> I'm not sure if we need a DG or not - there are some very specific
>>>>>> things about GDPR (and lots of analysis everywhere)
>>>>>>
>>>>>> I'm also hoping that this will bring new faces to the table.
>>>>>>
>>>>>> On Tue, Feb 28, 2017 at 1:52 PM Ken Dagg <
>>>>>> kendaggtbs at gmail.com> wrote:
>>>>>>
>>>>>> As much as I don't want to spread Kantara's thin participative
>>>>>> resources thinner I think that your suggestion of a new WG makes sense. A
>>>>>> new WG would enable a keen focus on GDPR without the distraction of what
>>>>>> the other WG's are attempting to achieve. Does it make sense to start with
>>>>>> a DG to identify what things need to be done and in what order or is that
>>>>>> the first task of the WG?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Ken
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Feb 28, 2017 at 4:14 PM Andrew Hughes <
>>>>>> andrewhughes3000 at gmail.com> wrote:
>>>>>>
>>>>>> Hi LC and (some) Board of Directors...
>>>>>>
>>>>>>
>>>>>>
>>>>>> I've been wrestling with how Kantara would best serve the community
>>>>>> with respect to GDPR.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Many of the WGs have work products and knowledge that is relevant to
>>>>>> GDPR topics. But whenever I try to think about what it would mean to ask
>>>>>> for GDPR-specific work inside any particular WG I hit mental roadblocks.
>>>>>>
>>>>>>
>>>>>>
>>>>>> So, how does this different approach sound to you all:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Start a WG whose goal is to build a 'Kantara GDPR Toolkit' comprised
>>>>>> of guidance, profiles of selected standards, pointers to useful analysis
>>>>>> reports (inside and outside of Kantara), and other technical or
>>>>>> recommendation stuff.
>>>>>>
>>>>>>
>>>>>>
>>>>>> It would help ease the tension between addressing the near term
>>>>>> demands to 'do something' for GDPR and help to harness the bits and pieces
>>>>>> of work inside and near Kantara. It would possibly avoid distracting the
>>>>>> WGs from their main work products that are for the longer term.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Looking for opinions and alternative views on this please
>>>>>>
>>>>>>
>>>>>>
>>>>>> andrew.
>>>>>>
>>>>>> _______________________________________________
>>>>>> LC mailing list
>>>>>> LC at kantarainitiative.org
>>>>>> http://kantarainitiative.org/mailman/listinfo/lc
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Kenneth Dagg Independent Consultant Identification and Authentication
>>>>>> 613-825-2091 kendaggtbs at gmail.com
>>>>>>
>>>>
>>>>
>>>> --
>>>> Executive Director
>>>> Kantara Initiative Inc. <https://kantarainitiative.org/>
>>>> Cell: +44 (0)7490 266 778
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Simplify Email: Email Charter <http://emailcharter.org/>
>>>>
>>>> *Allan Foster - Forge Rock*
>>>> *Vice President Global Partner Enablement*
>>>> *Location:* Vancouver, WA, US
>>>> *p:* +1.360.229.7102
>>>> *email:* allan.foster at forgerock.com
>>>> *www:* www.forgerock.com
>>>> *www:* www.forgerock.org
>>>> *blogs:* blogs.forgerock.com/GuruAllan
>>>>
>>>>
>>>
>>>
>>
>>
>>
>