[802SEC] IEEE 802 - General Data Protection Regulation update
Dear EC Members,
Please see the below input from Jonathan Goldberg regarding the General Data Protection Regulation questions/comments we had during the 03OCT EC teleconference. I'll schedule a few minutes during the opening EC to continue discussion along with a larger block of time, say 30 minutes or so, during the Thursday plenary 802/SA task force meeting.
------ Forwarded Message ------
Sent: 10/25/2017 4:22:37 PM
Subject: IEEE 802 - GDPR Responses
This email is sent from the 802 Executive Committee email reflector. This list is maintained by Listserv.
Please see the responses to the GDPR questions/comments raised at the 3 October 2017 802 EC teleconference:
- What happens if we (IEEE sponsors, WG, Task Groups, etc.) are not in compliance with the EU policy?
- Response: IEEE, including all its volunteers when acting on behalf of IEEE, are required to be in compliance with the EU GDPR. IEEE will have to respond to any claims of non-compliance as the entity responsible for the volunteer activities duly authorized by it. Noncompliance with GDPR may subject IEEE to penalties under the regulations, including but not limited to substantial fines.
- What happens when US and EU policy are in conflict?
- Response: IEEE and its volunteers are expected to comply with all applicable laws, and so if there are conflicts, IEEE Legal and Compliance should be notified.
- Ensure IEEE is aware of the magnitude of the, mostly public, data collected over 30 years of 802 activities
- Response: IEEE is aware of the data collected by IEEE 802. If the data does not have a legal or legitimate purpose, a determination will need to be made about retention of what exists and collection going forward.
- Requesting GDPR Task Force timeline on guidelines and requirements for compliance and what impact there will be on volunteers. Can there be collaboration on policy development between
- Response: IEEE is required to be compliant by 25 May 2018. As you can imagine, the scope of analysis and process/policy changes is significant. The Task Force will be working over the months until 25 May to address all the issues of which it is aware. Socialization of proposed process or policy changes will be part of the communication plan. Additionally, implementation details will be discussed with IEEE 802 as well.
- This is an EU policy but what is/will the IEEE policy be?
- Response: The GDPR is a data privacy regulation applicable to IEEE. Just as any other data privacy regulations or laws, IEEE's policy must comply with the regulations and laws.
- Note that myProject Ballot data is used by WGs as well, should be one of the biggest pieces of data that the GDPR Task Force is made aware of
- Response: Yes, this is a primary focus.
- IEEE hierarchy of documents may have changes that affect 802 policies, consistent response to all sponsoring committees should be in the plan
- Response: Communication to Sponsors is part of the communication plan.
- No new or updated policy should get in the way of participation and individual membership. The concern is that since "organizational membership" is the norm in Europe that the IEEE would be subjected to new rules that were effectively biased against the normal practices associated with operating an SDO under the "individual participation" method.
- Response: Note that GDPR is applicable to the privacy of individuals' personal data, but does not affect individual membership and participation. Although the GDPR is an EU regulation, similar data privacy regulations are being implemented by other countries (e.g., Canada and Japan). Note however that, if the collection of the data is for a legitimate purpose, there is a carveout. As you know, there are very legitimate purposes for permitting individual participation in IEEE.
- Is there a plan for company/affiliation of participants to be in compliance as well? Or will it only be at the individual level?
- Response: As you know, there are legitimate purposes for obtaining employer/affiliation information in the standards development process. The requirement for declaration of affiliation is not expected to change.
Please feel free to share these responses with the EC.
Regards,
Jonathan Goldberg
Manager, Operational Program Management
IEEE Standards Association
p: +1 732 562 6088
c: +1 732 570 0116
f: +1 732 562 1571
IEEE - Fostering technological innovation and excellence for the benefit of humanity.