Re: ISSUE-235 (Auditability requirement for security)

Walter, I don’t think anyone objects to the idea of auditability in theory, but I think there are questions about what that means in the specification.  If a DPA has the legal authority to require certain evidence or documentation from a data controller, then it does so — this standard cannot grant or deprive any consumer protection authority of those rights.  What do you want this standard to require — that companies prepare some sort of documentation in advance of a request?  That they architect their systems in ways that can be comprehended by a regulator?  I think there was agreement that a general requirement of “auditability” was confusing and certainly not testable, but if you have a more concrete suggestion in mind, I think people would be open-minded.

On Oct 22, 2014, at 5:38 AM, Walter van Holst wrote:

> On Tue, October 21, 2014 23:22, Justin Brookman wrote:
>> No one spoke up for maintaining this language either on the list or on
>> last week’s call; if anyone wants to make a pitch for maintaining this
>> or other auditability language, please do so; otherwise, we’ll adopt
>> Jack’s proposal to remove the sentence.
>
> Catching up with the WG.
>
> And yes, I feel that it strongly contributes to the compliance
> standard's credibility if any access and use of data retained under
> permitted uses is auditable. I would be fine with restricting its
> auditability to data protection and/or consumer rights regulators or
> similar governmental entities.
>
> If you commit to limiting your use of certain personal data for
> certain circumscribed purposes, you create a burden of proof for
> yourself that you have indeed done so. Audit requirements can only be
> helpful in that regard.
>
> Regards,
> Walter

Received on Wednesday, 22 October 2014 15:16:40 UTC