[KI-LC] Fwd: GDPR and Kantara approach question

Andrew Hughes andrewhughes3000 at gmail.com
Wed Mar 1 09:57:32 CST 2017


Forwarding Julian Ranger's comment to the LC list

---------- Forwarded message ----------
From: Julian Ranger <Julian at jranger.com>
Date: Wed, Mar 1, 2017 at 7:43 AM
Subject: RE: [KI-LC] GDPR and Kantara approach question
To: Andrew Hughes <andrewhughes3000 at gmail.com>, mary hodder <
hodder at gmail.com>
Cc: John Wunderlich <john at wunderlich.ca>, Robin Wilton <wilton at isoc.org>,
Kantara Leadership Council <lc at kantarainitiative.org>


So as a bit of a GDPR ‘expert’ I should weigh in.  The biggest issue is
whether companies are looking at GDPR negatively as a compliance exercise
or positively as an opportunity to do new business in a better way.  I of
course encourage the latter, but most, well at least most of those with
money and time to do anything, are in the former camp.  If you are in the
former camp then no matter how hard one shouts they don’t hear the “it can
be better” camp.  As an illustration I have just completed a panel
yesterday in Barcelona at Mobile World Congress where I gave the latter
message, and this afternoon in Luxembourg at a FinTech conference with the same
message – yes, I got positive feedback, but real action – not on the back
of the GDPR argument (but yes on the back of the better engagement argument).



Added to the issue of getting heard is that every big consultancy (PwC, et
al) and every big legal firm have acres of print and marketing about how
they can help with GDPR compliance checks and implementation.  No matter
what Kantara produces, would it be heard?



There are four areas of GDPR that are most germane: Data Portability;
Explicit & Informed Consent; Privacy by Design; Right to Forget/Erasure.
Now Consent Receipt clearly plays into Consent piece, some of the plans
such as standard ontologies play to the hidden sub-text which gets talked
about of Interoperability; UMA plays a part, but only a part, in Data
Portability but this is moving more to APIs with Article 29 Direction and
that is what any new focus will be on in the short term.



My recommendation would be to create (or hijack to avoid too much new work)
a good primer on GDPR and then show how standards in general, and the ethos
represented by Kantara of individual owned identity and personal data, can
play to the main points and then do two things: 1.  Press releases et al
which will raise Kantara visibility; give the information to Kantara
members to promote.  But don’t expect a rush to our door, more a general
raising of awareness that standards in this new world are being built and
Kantara is the natural home.  Worth some effort, but not to the same level
as a whole new standard, and it will support existing Kantara outreach,
membership recruitment but I don’t think it will suddenly bring a whole new
group of people/businesses to the table – there are far too many GDPR
distractions out there already.



Jules



*From:* Andrew Hughes [mailto:andrewhughes3000 at gmail.com]
*Sent:* 01 March 2017 16:22
*To:* mary hodder <hodder at gmail.com>
*Cc:* John Wunderlich <john at wunderlich.ca>; Robin Wilton <wilton at isoc.org>;
Kantara Leadership Council <lc at kantarainitiative.org>; Julian Ranger <
julian at digi.me>

*Subject:* Re: [KI-LC] GDPR and Kantara approach question



Hmmm.... I sense a need for a Kantara Global Innovation Centre Portal :-)



You are spot-on Mary - packaging collectively-created works into a
consumable package is essential if we want to reach a wider audience.



As to what mix of Kantara staff and WG volunteers is needed to do this - we
can figure it out.



I'm really sensitive to avoiding adding yet another thing to WG
contributors' workload - which is a reason I'm thinking of this as a
separate activity instead of in-WG.


*Andrew Hughes *CISM CISSP
Independent Consultant
*In Turn Information Management Consulting*

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8
AndrewHughes3000 at gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
*Identity Management | IT Governance | Information Security *



On Wed, Mar 1, 2017 at 7:17 AM, mary hodder <hodder at gmail.com> wrote:

Interesting discussion.



Another way to look at this is that Kantara makes things in WGs but once
those things are made, they need a "productizing" phase group, in this case
for the GDPR.



A toolkit is part of it.. it's also about explaining how, what for, why,
whom and when to use things, and to test them through the user's
perspective of implementation and then both adjust them (based upon
learnings from the productization process) and market them in the right
places and with early adopters.



It makes a lot of sense to me that we would have a group that takes all the
WGs stuff .. and frames it, tests it, makes it accessible and focuses on
solving a user's problem (I know the work groups do this now for a certain
percentage of this, but it's the final piece of showing the end user of our
work), putting things together from different WGs to solve a problem the
end user has.



So the first problem set we could address is how to deal with the GDPR with
our tools, and communicate the solutions to end users (folks who need to
implement solutions for GDPR).



Later the group could add more "product areas" as Allan mentioned: privacy
issues generally, US FIPPS and Privacy Shield issues (if that continues to
exist in light of Trump's recent executive order that negated it), etc. We
could choose the end user cases to solve and then communicate and factor
the "products" to address those needs.



mary





On Wed, Mar 1, 2017 at 6:42 AM, Andrew Hughes <andrewhughes3000 at gmail.com>
wrote:

This is why I'm testing this team on what, if anything, Kantara needs to do
to help our members and the community address GDPR.



We know there's a new industry forming up around it - and if we wait until
implementation time it will be too late & our work products will go
unnoticed. So my feeling is that now is the time to get organized about
what Kantara can offer.



andrew.





On Wed, Mar 1, 2017 at 6:36 AM, John Wunderlich <john at wunderlich.ca> wrote:

Thanks Allan, for voicing what was in the back of my mind as well. The GDPR
- since it's not implemented yet - serves as kind of a Rorschach test. You
take away from it what you bring to it. It's a big piece of legislation
with many potential impacts. But it seems to me that as people start to
grapple with the GDPR in terms of real world prospects  &  problems (to
your point about specific work products) or prospect new work group ideas
will emerge or existing work groups will need to factor this into their
roadmaps. Otherwise we might hare madly off in all directions.



For example, one question I have is whether an identity federation
qualifies as 'profiling' under the GDPR. If so are all the participants in
a federation controllers per GDPR with obligations to individuals? Might be
something for OTTO to look at...or not.



JW





John Wunderlich, BA, MBA

IAPP Fellow of Information Privacy
CISA, CIPM, CIPP/C, PbD Ambassador
@PrivacyCDN <https://twitter.com/PrivacyCDN> & Privacist



On 1 March 2017 at 04:04, Allan Foster <allan.foster at forgerock.com> wrote:

So in theory,  I am kinda agnostic about the WG.  however,  this brings up
an interesting chicken and egg issue.

Surely we should be looking at specific work products that we should work
on,  and then try and find them a home?  I have a gut feeling that much of
GDPR is going to find homes in several of our workgroups.  For example
privacy,  and consent receipts already are being addressed....  Federation
Interop might actually have some valid input as well...



I suggest we work on what work items we want to do,  and THEN find them a
home?

Allan



On 2/28/17 4:30 PM, Colin Wallis wrote:

Good discussion.



I like the cadence (Jeeez I'm starting to hate that term) of toolkits
because UMA has used that approach successfully, and leveraging successful
things typically results in more success.



I would have thought a time-bound DG is appropriate, else you risk breaking
your own rules Mr Hughes..:-).



Cheers



On Tue, Feb 28, 2017 at 11:53 PM, Andrew Hughes <andrewhughes3000 at gmail.com>
wrote:

OK - that would be interesting

I'm also wondering if any of our members are doing work related to GDPR and
could use some Kantara tools to help - sample text, some of the lists and
categories coming soon from consent receipt, hmmmm...



On Tue, Feb 28, 2017 at 3:49 PM Salvatore D'Agostino <sal at idmachines.com>
wrote:

So how about a contribution from each of the DGs, WGs on a single aspect of
their effort for sharing in a toolkit.  If we need to have the groups
contribute and be directly involved or you cross wires.  Challenge is
bandwidth per usual.



So for IRM it might be a GDPR use case as a way to exercise a relationship
manager effort in the next phase of work.



*From:* lc-bounces at kantarainitiative.org [mailto:lc-bounces@
kantarainitiative.org] *On Behalf Of *Andrew Hughes
*Sent:* Tuesday, February 28, 2017 6:15 PM
*To:* Mark OCG <m.lizar at openconsentgroup.com>
*Cc:* Julian Ranger <julian at digi.me>; Robin Wilton <wilton at isoc.org>;
Kantara Leadership Council <lc at kantarainitiative.org>
*Subject:* Re: [KI-LC] GDPR and Kantara approach question



Hi mark - yes it is vague - I'm looking for opinions.

The only thing behind this is that I was wondering if there could/should be
a "Kantara GDPR Toolkit"

Because I keep hearing that there is great demand for assistance and I'm
wondering if Kantara can do something useful for the community.

Andrew.

On Tue, Feb 28, 2017 at 2:56 PM Mark OCG <m.lizar at openconsentgroup.com>
wrote:

Hi Andrew,



This is all a bit vague. Not clear from what perspective Kantara should be
inclined to ‘do something’ for the GDPR.



As you may or may not be aware Data Protection and Data Control mitigate
each other in terms of risk and liability.  GDPR is fundamentally about
data protection. Standards address risk and liability in different ways.



It is conceivable that Kantara could have a program that spans this space -
but not sure if a GDPR centric approach would achieve such a result.
Perhaps evaluating how Kantara efforts relate to GDPR might be fruitful?  A
little survey perhaps?



Is there a deeper insight/motivation missing from this email ?



*Mark Lizar*

CEO Open Consent Group





On 28 Feb 2017, at 21:53, Andrew Hughes <andrewhughes3000 at gmail.com> wrote:



I'm not sure if we need a DG or not - there are some very specific things
about GDPR (and lots of analysis everywhere)

I'm also hoping that this will bring new faces to the table.

On Tue, Feb 28, 2017 at 1:52 PM Ken Dagg <kendaggtbs at gmail.com> wrote:

As much as I don't want to spread Kantara's thin participative resources
thinner I think that your suggestion of a new WG makes sense. A new WG
would enable a keen focus on GDPR without the distraction of what the other
WG's are attempting to achieve. Does it make sense to start with a DG to
identify what things need to be done and in what order or is that the first
task of the WG?



Ken





On Tue, Feb 28, 2017 at 4:14 PM Andrew Hughes <andrewhughes3000 at gmail.com>
wrote:

Hi LC and (some) Board of Directors...



I've been wrestling with how Kantara would best serve the community with
respect to GDPR.



Many of the WGs have work products and knowledge that is relevant to GDPR
topics. But whenever I try to think about what it would mean to ask for
GDPR-specific work inside any particular WG I hit mental roadblocks.



So, how does this different approach sound to you all:



Start a WG whose goal is to build a 'Kantara GDPR Toolkit' comprised of
guidance, profiles of selected standards, pointers to useful analysis
reports (inside and outside of Kantara), and other technical or
recommendation stuff.



It would help ease the tension between addressing the near term demands to
'do something' for GDPR and help to harness the bits and pieces of work
inside and near Kantara. It would possibly avoid distracting the WGs from
their main work products that are for the longer term.



Looking for opinions and alternative views on this please



andrew.

_______________________________________________
LC mailing list
LC at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/lc

-- 

Kenneth Dagg Independent Consultant Identification and Authentication
613-825-2091 <%28613%29%20825-2091>kendaggtbs at gmail.com









-- 

Executive Director

Kantara Initiative Inc. <https://kantarainitiative.org/>

Cell: +44 (0)7490 266 778 <+44%207490%20266778>








-- 

Simplify Email: Email Charter <http://emailcharter.org/>


*Allan  Foster - Forge Rock *
*Vice President Global Partner Enablement*
*Location:* Vancouver, WA, US
*p:* +1.360.229.7102 <(360)%20229-7102>

*email:* allan.foster at forgerock.com
*www:* www.forgerock.com
*www:* www.forgerock.org
*blogs:* blogs.forgerock.com/GuruAllan








