Hey Brian,

Congrats on your PCI compliance. We also completed our PCI compliance in 2017 and are fully certified. I know what a tall order it is to achieve full certification. There definitely are some parallels with GDPR.

The real challenge here seems to be giving the customer 100% control of her/his personal data and knowing where you have it. Right now we have over a half dozen systems that could contain personal information that may fall under GDPR regulations. While we are working towards a single customer database, that’s a few years out. GDPR is really going to push us to develop some bridging practices to be compliant through this period - being able to send customers all the data we have on them as well as allow them to request deletion of all their personal data in each of these systems. That’s going to be a challenge. We’re just getting started so please share what you have learned and the strategy you are taking.
Best,
Scott

Scott Sayre | Chief Information Officer | Corning Museum of Glass | One Museum Way | Corning, NY 14830 | www.cmog.org
Office: (607) 438-5298 | Cell: (612) 423-9691 | Twitter: @zbartrout | Skype: @zbarscott

________________________________
From: mcn-l <[email protected]> on behalf of Brian Whaley <[email protected]>
Sent: Thursday, February 8, 2018 12:21:23 AM
To: [email protected]
Subject: [MCN-L] GDPR Compliance

Hello all,

The IT department at the Kimbell has been working on this for about 9 months, and we are about to do some in-depth discovery in our organization to identify the locations of the data, and then remediate any areas of need. As some have already pointed out, if you capture any EU citizen data, then it falls under the umbrella of GDPR. We are also PCI compliant (I manage our entire PCI footprint), so this is not uncharted territory for the museum and staff. Below is the email I sent to get everyone up to date and ready to discuss the requirement and the deadline.

“The deadline for compliance with the General Data Protection Regulation (GDPR) is quickly approaching (May 25th, 2018). Unlike PCI compliance, which is a contractual agreement, GDPR is a comprehensive law that requires US organizations to properly secure any and all information collected from European Union (EU) citizens. Specifically, it dictates how organizations handle personally identifiable information (PII). The purpose is to ensure that they have greater control over their personal information – the right to actively consent to every use of personal data, the right to limit that use, the right to be forgotten, the right to have their data portable, and the right to seek damages should they suffer from misuse and/or breach of their data. And since it includes extraterritoriality, we are legally required to adhere to the regulation.
We need to review our physical and digital systems to determine if we are storing any data belonging to customers living in the European Union. If we are, then we will need to meet GDPR, and be able to show compliance on demand, either through an audit or a request from an EU citizen.”

Hope this helps!

Brian Whaley
Head of IT and AV
Kimbell Art Museum
3333 Camp Bowie Boulevard
Fort Worth, TX 76107-2792
[email protected]
t. 817.332.8451 ext 357
f. 817.877.1264
www.kimbellart.org

_______________________________________________
You are currently subscribed to mcn-l, the listserv of the Museum Computer Network (http://www.mcn.edu)
To post to this list, send messages to: [email protected]
To unsubscribe or change mcn-l delivery options visit: http://mcn.edu/mailman/listinfo/mcn-l
The MCN-L archives can be found at: http://www.mail-archive.com/[email protected]/
