[802SEC] IEEE 802 - General Data Protection Regulation update

Thread Links	Date Links
Thread Prev	Thread Next	Thread Index	Date Prev	Date Next	Date Index

Paul,

Please see the responses to the GDPR questions/comments raised at the 3 October 2017 802 EC teleconference:

What happens if we (IEEE sponsors, WG, Task Groups, etc.) are not in compliance with the EU policy?

Response: IEEE, including all its volunteers when acting on behalf of IEEE, are required to be in compliance with the EU GDPR. IEEE will have to respond to any claims of non-compliance as the entity responsible for the volunteer activities duly authorized by it. Noncompliance with GDPR may subject IEEE to penalties under the regulations, including but not limited to substantial fines.

Response: IEEE and its volunteers are expected to comply with all applicable laws, and so if there are conflicts, IEEE Legal and Compliance should be notified.

Ensure IEEE is aware of the magnitude of the, mostly public, data collected over 30 years of 802 activities

Response: IEEE is aware of the data collected by IEEE 802. If the data does not have a legal or legitimate purpose, a determination will need to be made about retention of what exists and collection going forward.

Requesting GDPR Task Force timeline on guidelines and requirements for compliance and what impact there will be on volunteers. Can there be collaboration on policy development between

Response: IEEE is required to be compliant by 25 May 2018. As you can imagine, the scope of analysis and process/policy changes is significant. The Task Force will be working over the months until 25 May to address all the issues of which it is aware. Socialization of proposed process or policy changes will be part of the communication plan. Additionally, implementation details will be discussed with IEEE 802 as well.

Response: The GDPR is a data privacy regulation applicable to IEEE. Just as any other data privacy regulations or laws, IEEE's policy must comply with the regulations and laws.

Note that myProject Ballot data is used by WGs as well, should be one of the biggest pieces of data that the GDPR Task Force is made aware of

IEEE hierarchy of documents may have changes that affect 802 policies, consistent response to all sponsoring committees should be in the plan

No new or updated policy should get in the way of participation and individual membership. The concern is that since "organizational membership" is the norm in Europe that the IEEE would be subjected to new rules that were effectively biased against the normal practices associated with operating an SDO under the "individual participation" method.

Response: Note that GDPR is applicable to the privacy of individuals' personal data, but does not affect individual membership and participation. Although the GDPR is an EU regulation, similar data privacy regulations are being implemented by other countries (e.g., Canada and Japan). Note however that, if the collection of the data is for a legitimate purpose, there is a carveout. As you know, there are very legitimate purposes for permitting individual participation in IEEE.

Is there a plan for company/affiliation of participants to be in compliance as well? Or will only be at the individual level?

Response: As you know, there are legitimate purposes for obtaining employer/affiliation information in the standards development process. The requirement for declaration of affiliation is not expected to change.

Please feel free to share these responses with the EC.

Regards,

Jonathan Goldberg
Manager, Operational Program Management
IEEE Standards Association

p: +1 732 562 6088

c: +1 732 570 0116

f: +1 732 562 1571

IEEE - Fostering technological innovation and excellence for the benefit of humanity.