[KI-LC] GDPR and Kantara approach question

Eve Maler eve at xmlgrrl.com
Wed Mar 1 13:31:39 CST 2017


In the case of UMA Legal the toolkits are targeted at a very specific
audience (see here
<http://kantarainitiative.org/confluence/display/uma/UMA+Legal>). And to
Julian's point, I think we need to be cognizant of audiences in general. My RSA
talk
<https://www.rsaconference.com/events/us17/agenda/sessions/6826-designing-a-new-consent-strategy-for-digital>
("Designing a New Consent Strategy for Digital Transformation") was about
exactly this (JohnW was there and will vouch :-) ): Risk teams are driving
the GDPR discussion for obvious reasons, but business teams need to care
because they need to build trusted digital relationships with people.

I gave very specific advice and next steps -- per audience, mind you -- in
order to avoid user trust tragedies. If you want to check it out, here's
the slides
<https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/3916/IDY-R03-Designing-a-New-Consent-Strategy-for-Digital-Transformation.pdf>
and video <https://youtu.be/lMS53C9LZlY> (44min).

We may very well offer tools for IT teams, DPOs, policymakers, and so on.
E.g., the UMA group has an old paper <http://tinyurl.com/umapbd> on
"Privacy by Design Implications of UMA" that I've been meaning to update.
That might be a good one for targeting the latter two groups
specifically.

Maybe we all just need to brainstorm along these lines, for starters.



*Eve Maler* | Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


On Wed, Mar 1, 2017 at 8:24 AM, Mark OCG <m.lizar at openconsentgroup.com>
wrote:

> Hi All,
>
> I am also still unclear on what a toolkit is. Does a toolkit mean an
> assessment/survey? I.e., evaluate your IdM product in terms of GDPR
> (like Sal suggests)?
>
> This might be a good health check practice for Kantara to do regardless.
>
> Allan & John also bring up some excellent points! Especially:
>
> it seems to me that as people start to grapple with the GDPR in terms of
> real world prospects  &  problems (to your point about specific work
> products) or prospect new work group ideas will emerge or existing work
> groups will need to factor this into their roadmaps. Otherwise we might
> hare madly off in all directions.
>
>
>
>    1. there are a lot of GDPR issues that may affect identity systems and
>    work group outputs.
>    2. I had one identity provider share the fear that data portability
>    will include their verified identity, which is core to the service and
>    would essentially kill their business.
>    3. the policy around GDPR and IdM - is potentially a massive
>    engagement point for the Kantara + Privacy community.   (means money for
>    Kantara in memberships + elevated reputation internationally)
>
>
> There are more than a few holes/problems in the GDPR - many of which could
> use a formal response from Kantara  to international orgs and regulators.
> Kantara can be the IdM industry champion and help shape what things in the
> GDPR actually mean in practice.
>
> Much of what the GDPR means in terms of operational impact, especially for
> IDM and personal data control, is yet to be determined, clarified, or
> developed. I really like the example of a Rorschach test - because
> much of this at this point is psychological. As a result I would caution
> against doing any GDPR specific work for public consumption.
>
> In this regard, I still think the P3WG is the appropriate forum and
> approach for Kantara in terms of any new (GDPR specific) work or
> discussion. Such a WG should have a charter that involves assessing what
> would be valuable or not, and making policy recommendations to the likes of
> ITAC and OECD etc.
>
> A GDPR toolkit in my opinion should be internal facing - and not an
> appropriate output for the community.
>
> In terms of packaging work - again, how WG outputs relate to the GDPR
> seems to be a great way to start helping Kantara present a public view
> on the value of the work in this context. But this seems like an activity
> that should be happening regardless of the GDPR topic.
>
> Mark
>
> PS - In terms of restarting the P3WG - I have chatted with ex regulators
> who would get involved in this WG.
>
>
>
> On 1 Mar 2017, at 14:36, John Wunderlich <john at wunderlich.ca> wrote:
>
> Thanks Allan, for voicing what was in the back of my mind as well. The
> GDPR - since it's not implemented yet - serves as kind of a Rorschach test.
> You take away from it what you bring to it. It's a big piece of legislation
> with many potential impacts. But it seems to me that as people start to
> grapple with the GDPR in terms of real world prospects & problems (to
> your point about specific work products) or prospect new work group ideas
> will emerge or existing work groups will need to factor this into their
> roadmaps. Otherwise we might hare madly off in all directions.
>
> For example, one question I have is whether an identity federation
> qualifies as 'profiling' under the GDPR. If so are all the participants in
> a federation controllers per GDPR with obligations to individuals? Might be
> something for OTTO to look at...or not.
>
> JW
>
>
>
> John Wunderlich, BA, MBA
>
> IAPP Fellow of Information Privacy
> CISA, CIPM, CIPP/C, PbD Ambassador
> @PrivacyCDN <https://twitter.com/PrivacyCDN> & Privacist
>
> On 1 March 2017 at 04:04, Allan Foster <allan.foster at forgerock.com> wrote:
>
>> So in theory, I am kinda agnostic about the WG. However, this brings
>> up an interesting chicken and egg issue.
>>
>> Surely we should be looking at specific work products that we should work
>> on, and then try and find them a home? I have a gut feeling that much of
>> GDPR is going to find homes in several of our workgroups. For example
>> privacy, and consent receipts already are being addressed.... Federation
>> Interop might actually have some valid input as well...
>>
>>
>> I suggest we work on what work items we want to do, and THEN find them a
>> home?
>>
>> Allan
>>
>>
>> On 2/28/17 4:30 PM, Colin Wallis wrote:
>>
>> Good discussion.
>>
>> I like the cadence (Jeeez I'm starting to hate that term) of toolkits
>> because UMA has used that approach successfully, and leveraging successful
>> things typically results in more success.
>>
>> I would have thought a time-bound DG is appropriate, else you risk
>> breaking your own rules Mr Hughes..:-).
>>
>> Cheers
>>
>> On Tue, Feb 28, 2017 at 11:53 PM, Andrew Hughes <andrewhughes3000 at gmail.com> wrote:
>>
>>> OK - that would be interesting
>>>
>>> I'm also wondering if any of our members are doing work related to GDPR
>>> and could use some Kantara tools to help - sample text, some of the lists
>>> and categories coming soon from consent receipt, hmmmm...
>>>
>>> On Tue, Feb 28, 2017 at 3:49 PM Salvatore D'Agostino <sal at idmachines.com>
>>> wrote:
>>>
>>>> So how about a contribution from each of the DGs, WGs on a single
>>>> aspect of their effort for sharing in a toolkit. We need to have the
>>>> groups contribute and be directly involved or you cross wires. Challenge
>>>> is bandwidth per usual.
>>>>
>>>>
>>>> So for IRM it might be a GDPR use case as a way to exercise a
>>>> relationship manager effort in the next phase of work.
>>>>
>>>>
>>>> *From:* lc-bounces at kantarainitiative.org [mailto:lc-bounces at kantarainitiative.org] *On Behalf Of* Andrew Hughes
>>>> *Sent:* Tuesday, February 28, 2017 6:15 PM
>>>> *To:* Mark OCG <m.lizar at openconsentgroup.com>
>>>> *Cc:* Julian Ranger <julian at digi.me>; Robin Wilton <wilton at isoc.org>;
>>>> Kantara Leadership Council <lc at kantarainitiative.org>
>>>> *Subject:* Re: [KI-LC] GDPR and Kantara approach question
>>>>
>>>>
>>>> Hi Mark - yes it is vague - I'm looking for opinions.
>>>>
>>>> The only thing behind this is that I was wondering if there
>>>> could/should be a "Kantara GDPR Toolkit"
>>>>
>>>> Because I keep hearing that there is great demand for assistance and
>>>> I'm wondering if Kantara can do something useful for the community.
>>>>
>>>> Andrew.
>>>>
>>>> On Tue, Feb 28, 2017 at 2:56 PM Mark OCG <m.lizar at openconsentgroup.com> wrote:
>>>>
>>>> Hi Andrew,
>>>>
>>>>
>>>> This is all a bit vague. Not clear from what perspective Kantara should
>>>> be inclined to ‘do something’ for the GDPR.
>>>>
>>>>
>>>> As you may or may not be aware Data Protection and Data Control
>>>> mitigate each other in terms of risk and liability. GDPR is fundamentally
>>>> about data protection. Standards address risk and liability in different
>>>> ways.
>>>>
>>>>
>>>> It is conceivable that Kantara could have a program that spans this
>>>> space - but not sure if a GDPR centric approach would achieve such a
>>>> result. Perhaps evaluating how Kantara efforts relate to GDPR might be
>>>> fruitful? A little survey perhaps?
>>>>
>>>>
>>>> Is there a deeper insight/motivation missing from this email ?
>>>>
>>>>
>>>> *Mark Lizar*
>>>>
>>>> CEO Open Consent Group
>>>>
>>>>
>>>>
>>>> On 28 Feb 2017, at 21:53, Andrew Hughes <andrewhughes3000 at gmail.com> wrote:
>>>>
>>>>
>>>> I'm not sure if we need a DG or not - there are some very specific
>>>> things about GDPR (and lots of analysis everywhere)
>>>>
>>>> I'm also hoping that this will bring new faces to the table.
>>>>
>>>> On Tue, Feb 28, 2017 at 1:52 PM Ken Dagg <kendaggtbs at gmail.com> wrote:
>>>>
>>>> As much as I don't want to spread Kantara's thin participative
>>>> resources thinner I think that your suggestion of a new WG makes sense. A
>>>> new WG would enable a keen focus on GDPR without the distraction of what
>>>> the other WG's are attempting to achieve. Does it make sense to start with
>>>> a DG to identify what things need to be done and in what order or is that
>>>> the first task of the WG?
>>>>
>>>>
>>>> Ken
>>>>
>>>>
>>>>
>>>> On Tue, Feb 28, 2017 at 4:14 PM Andrew Hughes <andrewhughes3000 at gmail.com> wrote:
>>>>
>>>> Hi LC and (some) Board of Directors...
>>>>
>>>>
>>>> I've been wrestling with how Kantara would best serve the community
>>>> with respect to GDPR.
>>>>
>>>>
>>>> Many of the WGs have work products and knowledge that is relevant to
>>>> GDPR topics. But whenever I try to think about what it would mean to ask
>>>> for GDPR-specific work inside any particular WG I hit mental roadblocks.
>>>>
>>>>
>>>> So, how does this different approach sound to you all:
>>>>
>>>>
>>>> Start a WG whose goal is to build a 'Kantara GDPR Toolkit' comprised of
>>>> guidance, profiles of selected standards, pointers to useful analysis
>>>> reports (inside and outside of Kantara), and other technical or
>>>> recommendation stuff.
>>>>
>>>>
>>>> It would help ease the tension between addressing the near term demands
>>>> to 'do something' for GDPR and help to harness the bits and pieces of work
>>>> inside and near Kantara. It would possibly avoid distracting the WGs from
>>>> their main work products that are for the longer term.
>>>>
>>>>
>>>> Looking for opinions and alternative views on this please
>>>>
>>>>
>>>> andrew.
>>>>
>>>> _______________________________________________
>>>> LC mailing list
>>>> LC at kantarainitiative.org
>>>> http://kantarainitiative.org/mailman/listinfo/lc
>>>>
>>>> --
>>>>
>>>> Kenneth Dagg, Independent Consultant, Identification and Authentication
>>>> 613-825-2091 | kendaggtbs at gmail.com
>>>>
>>>> --
>>>>
>>>> *Andrew Hughes *CISM CISSP
>>>> Independent Consultant
>>>> *In Turn Information Management Consulting*
>>>>
>>>> o +1 650.209.7542
>>>> m +1 250.888.9474
>>>> 1249 Palmer Road,
>>>> Victoria, BC V8P 2H8
>>>> AndrewHughes3000 at gmail.com
>>>> ca.linkedin.com/pub/andrew-hughes/a/58/682/
>>>> *Identity Management | IT Governance | Information Security *
>>>>
>>>>
>>
>>
>> --
>> Executive Director
>> Kantara Initiative Inc. <https://kantarainitiative.org/>
>> Cell: +44 (0)7490 266 778
>>
>>
>>
>>
>>
>> --
>> Simplify Email: Email Charter <http://emailcharter.org/>
>>
>> *Allan Foster - ForgeRock*
>> *Vice President Global Partner Enablement*
>> *Location:* Vancouver, WA, US
>> *p:* +1.360.229.7102
>> *email:* allan.foster at forgerock.com
>> *www:* www.forgerock.com
>> *www:* www.forgerock.org
>> *blogs:* blogs.forgerock.com/GuruAllan
>>
>>
>>
>
>
>
>