Hey Brian
Congrats on your PCI compliance. We also completed our PCI compliance in 2017 
and are fully certified. I know what a tall order it is to achieve full 
certification. There definitely are some parallels with GDPR. The real challenge 
here seems to be giving the customer 100% control of her/his personal data and 
knowing where you have it. Right now we have over a half dozen systems that 
could contain personal information that may fall under GDPR regulations. While 
we are working towards a single customer database, that’s a few years out. GDPR 
is really going to push us to develop some bridging practices to be compliant 
through this period - being able to send customers all the data we have on them 
as well as allow them to request deletion of all their personal data in each of 
these systems. That’s going to be a challenge. We’re just getting started so 
please share what you have learned and the strategy you are taking.

Best,
Scott

Scott Sayre | Chief Information Officer | Corning Museum of Glass | One Museum 
Way | Corning, NY 14830 | www.cmog.org
Office: (607) 438-5298 | Cell: (612) 423-9691 | Twitter: @zbartrout | Skype: 
@zbarscott
________________________________
From: mcn-l <mcn-l-boun...@mcn.edu> on behalf of Brian Whaley 
<bwha...@kimbellmuseum.org>
Sent: Thursday, February 8, 2018 12:21:23 AM
To: mcn-l@mcn.edu
Subject: [MCN-L] GDPR Compliance

Hello all,
The IT department at the Kimbell has been working on this for about 9 months, 
and we are about to do some in-depth discovery in our organization to identify 
the locations of the data, and then remediate any areas of need. As some have 
already pointed out, if you capture any EU citizen data, then it falls under 
the umbrella of GDPR. We are also PCI compliant (I manage our entire PCI 
footprint), so this is not uncharted territory for the museum and staff.

Below is the email I sent to get everyone up to date and ready to discuss the 
requirement and the deadline.

“The deadline for compliance with the General Data Protection Regulation (GDPR) 
is quickly approaching (May 25th, 2018). Unlike PCI compliance, which is a 
contractual agreement, GDPR is a comprehensive law that requires US 
organizations to properly secure any and all information collected from 
European Union (EU) citizens. Specifically, it dictates how organizations 
handle personally identifiable information (PII). The purpose is to ensure that 
EU citizens have greater control over their personal information – the right to 
actively consent to every use of personal data, the right to limit that use, 
the right to be forgotten, the right to have their data portable, and the right 
to seek damages should they suffer from misuse and/or breach of their data. And 
since it includes extraterritoriality, we are legally required to adhere to the 
regulation.

We need to review our physical and digital systems to determine if we are 
storing any data belonging to customers living in the European Union. If we 
are, then we will need to meet GDPR, and be able to show compliance on demand, 
either through an audit or a request from an EU citizen.”

Hope this helps!

Brian Whaley
Head of IT and AV
Kimbell Art Museum
3333 Camp Bowie Boulevard
Fort Worth, TX 76107-2792
bwha...@kimbellmuseum.org
t.  817.332.8451 ext 357
f.  817.877.1264
www.kimbellart.org

_______________________________________________
You are currently subscribed to mcn-l, the listserv of the Museum Computer 
Network (http://www.mcn.edu)

To post to this list, send messages to: mcn-l@mcn.edu

To unsubscribe or change mcn-l delivery options visit:
http://mcn.edu/mailman/listinfo/mcn-l

The MCN-L archives can be found at:
http://www.mail-archive.com/mcn-l@mcn.edu/
_______________________________________________