Would anyone be willing to share best practices about how their organization deals with ensuring Cookie Compliance, specifically to GDPR rules? Where should this sort of compliance review sit in an organization? The particular issue we have is who should review new web deployments that use cookies and to make the decisions on whether Cookies are Strictly Necessary or Functionality Cookies. For example is a Cookie required for a Live Chat to work Functionality or Strictly Necessary? Our Security team does not consider taking on these compliance reviews as their domain, as Cookie Compliance is not an internal security matter and the Data Protection team has a limited interest as the GDPR rules around Cookies apply in case of any Cookie being used by a website, whether or not it contains personal data. 

Security & GRCRegulatory Compliance
3.1k views3 Comments
Sort By:
Oldest
Head of Cyber Security in Manufacturinga year ago
I would say, DPO and Security team both shall be involved and work hand in hand.

Most of the time the legals and or DPO don't have the technical acumen to understand when data is floating to third party services. 

Lets take the example you brought up with the LiveChat being on a different provider.  In that case with a high probability you would need to receive explicit consent due to the fact that its not relevant for the website/service to work, it would ease engagement but that's it.
Chief Technology Officer in Mediaa year ago
The responsibility for cookie compliance often falls under legal or compliance teams, ensuring alignment with GDPR rules. A cross-functional committee involving legal, IT, marketing, and web development teams can collaboratively assess new web deployments. Defining clear guidelines and holding regular meetings can help categorize cookies effectively, addressing challenges such as determining if a cookie is Strictly Necessary or Functionality.
lock icon

Please join or sign in to view more content.

By joining the Peer Community, you'll get:

  • Peer Discussions and Polls
  • One-Minute Insights
  • Connect with like-minded individuals
IT Manager in IT Servicesa year ago
Cookie Compliance is a multi-faceted task that requires inputs from DPO as well as Security teams continuously. Establishing a dedicated privacy or compliance team and following best practices for documentation, assessment, and collaboration can help to ensure GDPR cookie compliance.

Content you might like

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Applications & PlatformsCloudData & Analytics+15 more
Head of Enterprise Architecture MERCK Group in Healthcare and Biotecha year ago
Strategy & Architecture
Read More Comments
39k views5 Upvotes34 Comments

What is your primary deciding factor in adopting enterprise search?

Strategy & ArchitectureCloudEnd-User Services & Collaboration+26 more

TCO19%

Pricing26%

Integrations21%

Alignment with Cloud Provider7%

Security10%

Alignment with Existing IT Skills4%

Product / Feature Set7%

Vendor Relationship / Reputation

Other (comment)

View Results
5.7k views3 Upvotes1 Comment

What cybersecurity topics do you think are critical for CIOs to be more involved in, even in orgs that have a CISO?

Relationship ManagementSecurity & GRCSecurity Strategy & Roadmap+1 more
Director of IT in Healthcare and Biotech9 days ago
Cybersecurity governance and risk management (setting up monitoring of emerging threats), data protection and privacy compliance (standardize on data protection across all channels), incident response and recovery planning ...read more
Read More Comments
1.3k views3 Comments

In the past 6 months, have you seen an uptick in targeted cyberattacks on telehealth devices and networks?

Security & GRCNetworkThreat & Vulnerability Management+2 more

No Increase16%

1-5% increase47%

6-25% increase24%

26-50% increase6%

51-75% increase1%

76%+1%

Other2%

View Results
1.7k views1 Upvote

We are using MDM and MAM with Intune to protect our Office 365 data on employee mobile devices. We also have end-users who are contractors and have existing MDM/MAM controls on their device from their primary employer.  They cannot add our corporate INTUNE controls to the same device according to the Microsoft error messages. The same issue applies to NEDs who work for multiple corporates. Has anyone else found a solution for this?

Management ToolsSecurity & GRCStrategy & Architecture+1 more
Director of Information Security9 days ago
We haven't found a "good" solution short of issuing a separate managed device; the user has to choose whose policies to apply to their device. On Android you can technically create separate user profiles to get around this ...read more
Read More Comments
364 views3 Comments