IRC log of dpvcg on 2022-03-23
Timestamps are in UTC.
- 12:57:58 [RRSAgent]
- RRSAgent has joined #dpvcg
- 12:57:58 [RRSAgent]
- logging to https://www.w3.org/2022/03/23-dpvcg-irc
- 12:58:12 [harsh]
- ScribeNick: harsh
- 12:58:15 [harsh]
- Meeting: DPVCG Meeting Call
- 12:58:19 [harsh]
- Chair: harsh
- 12:58:29 [harsh]
- Date: 23 MAR 2022
- 12:58:40 [harsh]
- Agenda: https://lists.w3.org/Archives/Public/public-dpvcg/2022Mar/0007.html
- 12:58:55 [harsh]
- Previous Meeting Minutes -> https://www.w3.org/community/dpvcg/wiki/MinutesOfMeeting_20220316
- 13:03:09 [harsh]
- Present: harsh, fajar, julian, georg
- 13:03:12 [harsh]
- Regrets: paul
- 13:04:48 [harsh]
- Topic: Proposed concepts
- 13:05:29 [harsh]
- hasResponsibleEntity to indicate which entity is responsible for something e.g. controller in joint-controllers, or department in organisation
- 13:06:47 [harsh]
- Concept accepted `hasResponsibleEntity` under Entities module
- 13:07:22 [harsh]
- Present+: beatriz
- 13:08:11 [harsh]
- Concept `InternationalOrganisation` as defined in GDPR A.4-26
- 13:09:02 [harsh]
- Also define elsewhere (outside-EU) e.g. https://en.wikipedia.org/wiki/International_organization
- 13:09:51 [harsh]
- Concept accepted `InternationalOrganisation` as type of Organisation in Entities module
- 13:10:00 [harsh]
- Topic: Consequences and Impacts
- 13:12:08 [harsh]
- Prior discussion recorded in previous minutes
- 13:12:12 [harsh]
- Also see email https://lists.w3.org/Archives/Public/public-dpvcg/2022Mar/0006.html
- 13:28:38 [harsh]
- Discussion on conceptual differences between _consequence_ and _impact_
- 13:41:21 [harsh]
- Consequence and Impact are relevant for PIA, DPIA, ROPA, Transfer impact assessment, Tech/Org measure effectiveness, Privacy Notice, Risk assessment
- 13:44:32 [rigo]
- rigo has joined #dpvcg
- 14:25:36 [harsh]
- Discussion conclusions and summaries recorded as below.
- 14:25:52 [harsh]
- Consequence is a general concept, represents outcome of something (e.g. event, process, action)
- 14:26:18 [harsh]
- Impact is a specific type of consequence (so subset or subcategory of Consequence) that has a stronger notion used to identify consequence to some entity or thing.
- 14:27:08 [harsh]
- For example, Consequence when used can have 'weak' impact that is not explicitly acknowledged as such e.g. slower processing, inability to log in.
- 14:27:34 [harsh]
- Impact, as a stronger concept of consequence, is used to explicitly identify effects on entity e.g. to a person using a service
- 14:27:42 [harsh]
- We need clear descriptions and examples that state this.
- 14:28:06 [harsh]
- Where to use what concept depends on the context e.g. impact assessments (by name) talk about impacts, risk assessments talk about both impact and consequence
- 14:28:47 [harsh]
- An entity (e.g. data controller or individual) may distinguish between consequence and impact as well e.g. impact on me vs consequence on others or vice-versa
- 14:29:19 [harsh]
- GDPR mentions both consequence (e.g. A.13) and impacts (e.g. A.35) - however in both cases the implication could be on negative consequences and impacts
- 14:30:04 [harsh]
- At the same time, there are also positive concepts e.g. benefit of a service
- 14:30:55 [harsh]
- To conclude - concept `Impact` as a category of `Consequence`, with property `hasImpact` linking it to a concept causing the impact, and property `hasImpactOn` linking it to what is impacted.
- 14:31:42 [harsh]
- The property `hasConsequenceOn` is put on hold as proposed until we have clarity in terms of how it is differentiated from `hasImpactOn`, and what consequences have effect that are not impacts (not philosophically, but in the sense that they are not documented as such)
- 14:34:36 [harsh]
- `Impact` has further categories `Benefit`, and `Detriment` with further categories `Harm` (needs discussion on how it relates to Damage)
- 14:34:54 [harsh]
- Topic: Path for DPV v1
- 14:35:44 [harsh]
- Relevant sets of concepts deemed necessary for v1 - DPIA, data breach, risk, ROPA, consent, privacy policy/notice (contents), relation of ISO/IEC standards to tech/org measures
- 14:36:13 [harsh]
- In this, privacy notice concepts are in DPV except the notion of app, service, product, etc. - which should be provided by the tech extension
- 14:36:29 [harsh]
- DPIA concepts will be proposed by Harsh, Rana, Georg in April
- 14:36:45 [harsh]
- Data Breach concepts include breach types (e.g. hacking), notifications, records, etc. - proposals welcome
- 14:37:14 [harsh]
- Risk concepts - e.g. likelihood, qualitative risk levels, etc. - Harsh will propose based on existing work e.g. https://github.com/coolharsh55/riskonto
- 14:37:47 [harsh]
- ROPA - all concepts present, some additionally proposed by Harsh, Paul, Rob in April
- 14:38:30 [harsh]
- Consent - proposal by Harsh in April based on state in ISO/IEC 27560 (to avoid conflict/mismatch). See https://doi.org/10.5281/zenodo.5076603 for prior proposal.
- 14:38:45 [harsh]
- For rest, proposals welcome
- 14:38:49 [harsh]
- Topic: Next Meeting
- 14:40:25 [harsh]
- We will meet next WED MAR-30 14:00 CEST (note daylight saving changes)
- 14:40:39 [harsh]
- Discussion to include comments on consenquence & impact (if any)
- 14:40:56 [harsh]
- Other concepts include tech extension (data storage, apps, services, etc.) and data subject categories
- 14:40:59 [harsh]
- zakim, bye
- 14:40:59 [Zakim]
- leaving. As of this point the attendees have been harsh, fajar, julian, georg, :, beatriz
- 14:40:59 [Zakim]
- Zakim has left #dpvcg
- 14:41:04 [harsh]
- rrsagent, publish minutes v2
- 14:41:04 [RRSAgent]
- I have made the request to generate https://www.w3.org/2022/03/23-dpvcg-minutes.html harsh
- 14:41:08 [harsh]
- rrsagent, set logs world-visible
- 15:00:29 [harsh]
- rrsagent, bye
- 15:00:29 [RRSAgent]
- I see no action items