Hello, This note provides a brief summary of work undertaken to ensure systems and policies the IETF community relies upon to conform to the requirements of the European Union's General Data Protection Regulation (GDPR), which is scheduled to begin taking effect on 25 May 2018. The work has been overseen by the IAOC and guided by input from legal counsel. We expect no significant changes in how most of the day-to-day work of the IETF community is conducted. The items reviewed for GDPR compliance have been the IETF Datatracker, the IETF meeting registration system, IETF meeting records, IETF email lists and archives, ARO for Area Directors, IANA Domains, and IETF vendor contracts. Necessary updates--largely in how data is handled rather than user interfaces--have been made to each of these. Additional work may be undertaken to ensure due consideration for personal data protection issues, even if it is not needed for immediate GDPR compliance. The IAOC have updated policies and processes related to data protection. For example, the recently published privacy statement has been modified slightly on advise of counsel; it's available at https://www.ietf.org/privacy-statement/. Similarly, an Information Security Incident Response Plan is being reviewed and will be presented to the IAOC for adoption. The plan must also be in compliance with ISOC and not conflict with their established policies. This work provides additional assurance that data shared in the course of IETF work will be handled appropriately. Please feel free to share any comments or questions to iad@ietf.org. Sincerely, Portia Wenze-Danley IETF Administrative Director (IAD) Internet Engineering Task Force (IETF)
