[KI-LC] GDPR and Kantara approach question

Mark OCG m.lizar at openconsentgroup.com
Wed Mar 1 10:24:51 CST 2017


Hi  All, 

I am also still unclear on what a toolkit is. Does a toolkit mean an assessment/survey? I.e., evaluate your IdM product in terms of GDPR? (Like Sal suggests?)

This might be a good health check practice for Kantara to do regardless.  

Allan & John also bring up some excellent points! Especially:

> it seems to me that as people start to grapple with the GDPR in terms of real world prospects  &  problems (to your point about specific work products) or prospect new work group ideas will emerge or existing work groups will need to factor this into their roadmaps. Otherwise we might hare madly off in all directions.

There are a lot of GDPR issues that may affect identity systems and work group outputs.
I had one identity provider share the fear that data portability will include their verified identity, which is core to the service and would essentially kill their business.
The policy around GDPR and IdM is potentially a massive engagement point for the Kantara + Privacy community. (Means money for Kantara in memberships + elevated reputation internationally.)

There are more than a few holes/problems in the GDPR - many of which could use a formal response from Kantara  to international orgs and regulators.  Kantara can be the IdM industry champion and help shape what things in the GDPR actually mean in practice. 

Much of what the GDPR means in terms of operational impact, especially for IDM and personal data control,  is yet to be determined, clarified, or developed.      I really like the example of a Rorschach test - because much of this at this point is psychological.   As a result I would caution against doing any GDPR specific work for public consumption.

In this regard, I still think the P3WG is the appropriate forum and approach for Kantara in terms of any new (GDPR specific) work or discussion. Such a WG should have a charter that involves assessing what would be valuable or not, and making policy recommendations to the likes of ITAC and OECD etc.

A GDPR toolkit in my opinion should be internal facing - and not an appropriate output for the community. 

In terms of packaging work - again, how WG outputs relate to the GDPR seems to be a great way to start helping Kantara present a public view on the value of the work in this context. But this seems like an activity that should be happening regardless of the GDPR topic.

Mark 

PS - In terms of restarting the P3WG - I have chatted with ex regulators who would get involved in this WG. 



> On 1 Mar 2017, at 14:36, John Wunderlich <john at wunderlich.ca> wrote:
> 
> Thanks Allan, for voicing what was in the back of my mind as well. The GDPR - since it's not implemented yet - serves as kind of a Rorschach test. You take away from it what you bring to it. It's a big piece of legislation with many potential impacts. But it seems to me that as people start to grapple with the GDPR in terms of real world prospects & problems (to your point about specific work products) or prospect new work group ideas will emerge or existing work groups will need to factor this into their roadmaps. Otherwise we might hare madly off in all directions.
> 
> For example, one question I have is whether an identity federation qualifies as 'profiling' under the GDPR. If so are all the participants in a federation controllers per GDPR with obligations to individuals? Might be something for OTTO to look at...or not.
> 
> JW
> 
> 
> 
> John Wunderlich, BA, MBA
> 
> IAPP Fellow of Information Privacy
> CISA, CIPM, CIPP/C, PbD Ambassador
> @PrivacyCDN <https://twitter.com/PrivacyCDN> & Privacist
> 
> On 1 March 2017 at 04:04, Allan Foster <allan.foster at forgerock.com> wrote:
> So in theory, I am kinda agnostic about the WG. However, this brings up an interesting chicken and egg issue.
> 
> Surely we should be looking at specific work products that we should work on,  and then try and find them a home?  I have a gut feeling that much of GDPR is going to find homes in several of our workgroups.  For example  privacy,  and consent receipts already are being addressed....  Federation Interop might actually have some valid input as well...
> 
> 
> I suggest we work on what work items we want to do,  and THEN find them a home?
> 
> Allan
> 
> 
> On 2/28/17 4:30 PM, Colin Wallis wrote:
>> Good discussion.
>> 
>> I like the cadence (Jeeez I'm starting to hate that term) of toolkits because UMA has used that approach successfully, and leveraging successful things typically results in more success.
>> 
>> I would have thought a time-bound DG is appropriate, else you risk breaking your own rules Mr Hughes..:-).
>> 
>> Cheers
>> 
>> On Tue, Feb 28, 2017 at 11:53 PM, Andrew Hughes <andrewhughes3000 at gmail.com> wrote:
>> OK - that would be interesting 
>> 
>> I'm also wondering if any of our members are doing work related to GDPR and could use some Kantara tools to help - sample text, some of the lists and categories coming soon from consent receipt, hmmmm...
>> 
>> On Tue, Feb 28, 2017 at 3:49 PM Salvatore D'Agostino <sal at idmachines.com> wrote:
>> So how about a contribution from each of the DGs, WGs on a single aspect of their effort for sharing in a toolkit.  I we need to have the groups contribute and be directly involved or you cross wires.  Challenge is bandwidth per usual.
>> 
>>  
>> So for IRM it might be a GDPR use case as a way to exercise a relationship manager effort in the next phase of work. 
>> 
>>  
>> From: lc-bounces at kantarainitiative.org On Behalf Of Andrew Hughes
>> Sent: Tuesday, February 28, 2017 6:15 PM
>> To: Mark OCG <m.lizar at openconsentgroup.com>
>> Cc: Julian Ranger <julian at digi.me>; Robin Wilton <wilton at isoc.org>; Kantara Leadership Council <lc at kantarainitiative.org>
>> Subject: Re: [KI-LC] GDPR and Kantara approach question
>> 
>>  
>> Hi mark - yes it is vague - I'm looking for opinions. 
>> 
>> The only thing behind this is that I was wondering if there could/should be a "Kantara GDPR Toolkit"
>> 
>> Because I keep hearing that there is great demand for assistance and I'm wondering if Kantara can do something useful for the community.
>> 
>> Andrew.
>> 
>> On Tue, Feb 28, 2017 at 2:56 PM Mark OCG <m.lizar at openconsentgroup.com> wrote:
>> 
>> Hi Andrew, 
>> 
>>  
>> This is all a bit vague. Not clear from what perspective Kantara should be inclined to ‘do something’ for the GDPR.
>> 
>>  
>> As you may or may not be aware Data Protection and Data Control mitigate each other in terms of risk and liability.  GDPR is fundamentally about data protection. Standards address risk and liability in different ways. 
>> 
>>  
>> It is conceivable that Kantara could have a program that spans this space - but not sure if a GDPR centric approach would achieve such a result.   Perhaps evaluating how Kantara efforts relate to GDPR might be fruitful?  A little survey perhaps? 
>> 
>>  
>> Is there a deeper insight/motivation missing from this email ? 
>> 
>>  
>> Mark Lizar
>> 
>> CEO Open Consent Group
>> 
>>  
>>  
>> On 28 Feb 2017, at 21:53, Andrew Hughes <andrewhughes3000 at gmail.com> wrote:
>> 
>>  
>> I'm not sure if we need a DG or not - there are some very specific things about GDPR (and lots of analysis everywhere)
>> 
>> I'm also hoping that this will bring new faces to the table. 
>> 
>> On Tue, Feb 28, 2017 at 1:52 PM Ken Dagg <kendaggtbs at gmail.com> wrote:
>> 
>> As much as I don't want to spread Kantara's thin participative resources thinner I think that your suggestion of a new WG makes sense. A new WG would enable a keen focus on GDPR without the distraction of what the other WG's are attempting to achieve. Does it make sense to start with a DG to identify what things need to be done and in what order or is that the first task of the WG?
>> 
>>  
>> Ken
>> 
>>  
>>  
>> On Tue, Feb 28, 2017 at 4:14 PM Andrew Hughes <andrewhughes3000 at gmail.com> wrote:
>> 
>> Hi LC and (some) Board of Directors...
>> 
>>  
>> I've been wrestling with how Kantara would best serve the community with respect to GDPR.
>> 
>>  
>> Many of the WGs have work products and knowledge that is relevant to GDPR topics. But whenever I try to think about what it would mean to ask for GDPR-specific work inside any particular WG I hit mental roadblocks.
>> 
>>  
>> So, how does this different approach sound to you all:
>> 
>>  
>> Start a WG whose goal is to build a 'Kantara GDPR Toolkit' comprised of guidance, profiles of selected standards, pointers to useful analysis reports (inside and outside of Kantara), and other technical or recommendation stuff.
>> 
>>  
>> It would help ease the tension between addressing the near term demands to 'do something' for GDPR and help to harness the bits and pieces of work inside and near Kantara. It would possibly avoid distracting the WGs from their main work products that are for the longer term.
>> 
>>  
>> Looking for opinions and alternative views on this please
>> 
>>  
>> andrew.
>> 
>> _______________________________________________
>> LC mailing list
>> LC at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/lc
>> 
>> -- 
>> 
>> Kenneth Dagg, Independent Consultant, Identification and Authentication, 613-825-2091, kendaggtbs at gmail.com
>> -- 
>> 
>> Andrew Hughes CISM CISSP 
>> Independent Consultant
>> In Turn Information Management Consulting
>> 
>> o  +1 650.209.7542
>> m +1 250.888.9474
>> 1249 Palmer Road,
>> Victoria, BC V8P 2H8
>> AndrewHughes3000 at gmail.com
>> ca.linkedin.com/pub/andrew-hughes/a/58/682/
>> Identity Management | IT Governance | Information Security 
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Executive Director
>> Kantara Initiative Inc. https://kantarainitiative.org/
>> Cell: +44 (0)7490 266 778
>> 
>> 
>> 
> 
> -- 
> Simplify Email: Email Charter <http://emailcharter.org/> 
> 
> 	Allan  Foster - Forge Rock 
> Vice President Global Partner Enablement
> Location: Vancouver, WA, US
> p: +1.360.229.7102
> email: allan.foster at forgerock.com
> www: www.forgerock.com
> www: www.forgerock.org
> blogs: blogs.forgerock.com/GuruAllan
> 
