12:57:58 <RRSAgent> RRSAgent has joined #dpvcg
12:57:58 <RRSAgent> logging to https://www.w3.org/2022/03/23-dpvcg-irc
12:58:12 <harsh> ScribeNick: harsh
12:58:15 <harsh> Meeting: DPVCG Meeting Call
12:58:19 <harsh> Chair: harsh
12:58:29 <harsh> Date: 23 MAR 2022
12:58:40 <harsh> Agenda: https://lists.w3.org/Archives/Public/public-dpvcg/2022Mar/0007.html
12:58:55 <harsh> Previous Meeting Minutes -> https://www.w3.org/community/dpvcg/wiki/MinutesOfMeeting_20220316
13:03:09 <harsh> Present: harsh, fajar, julian, georg
13:03:12 <harsh> Regrets: paul
13:04:48 <harsh> Topic: Proposed concepts
13:05:29 <harsh> hasResponsibleEntity to indicate which entity is responsible for something e.g. controller in joint-controllers, or department in organisation
13:06:47 <harsh> Concept accepted `hasResponsibleEntity` under Entities module
13:07:22 <harsh> Present+: beatriz
13:08:11 <harsh> Concept `InternationalOrganisation` as defined in GDPR A.4-26
13:09:02 <harsh> Also define elsewhere (outside-EU) e.g. https://en.wikipedia.org/wiki/International_organization
13:09:51 <harsh> Concept accepted `InternationalOrganisation` as type of Organisation in Entities module
13:10:00 <harsh> Topic: Consequences and Impacts
13:12:08 <harsh> Prior discussion recorded in previous minutes
13:12:12 <harsh> Also see email https://lists.w3.org/Archives/Public/public-dpvcg/2022Mar/0006.html
13:28:38 <harsh> Discussion on conceptual differences between _consequence_ and _impact_
13:41:21 <harsh> Consequence and Impact are relevant for PIA, DPIA, ROPA, Transfer impact assessment, Tech/Org measure effectiveness, Privacy Notice, Risk assessment
13:44:32 <rigo> rigo has joined #dpvcg
14:25:36 <harsh> Discussion conclusions and summaries recorded as below.
14:25:52 <harsh> Consequence is a general concept, represents outcome of something (e.g. event, process, action)
14:26:18 <harsh> Impact is a specific type of consequence (so subset or subcategory of Consequence) that has a stronger notion used to identify consequence to some entity or thing.
14:27:08 <harsh> For example, Consequence when used can have 'weak' impact that is not explicitly acknowledged as such e.g. slower processing, inability to log in.
14:27:34 <harsh> Impact, as a stronger concept of consequence, is used to explicitly identify effects on entity e.g. to a person using a service
14:27:42 <harsh> We need clear descriptions and examples that state this.
14:28:06 <harsh> Where to use what concept depends on the context e.g. impact assessments (by name) talk about impacts, risk assessments talk about both impact and consequence
14:28:47 <harsh> An entity (e.g. data controller or individual) may distinguish between consequence and impact as well e.g. impact on me vs consequence on others or vice-versa
14:29:19 <harsh> GDPR mentions both consequence (e.g. A.13) and impacts (e.g. A.35) - however in both cases the implication could be on negative consequences and impacts
14:30:04 <harsh> At the same time, there are also positive concepts e.g. benefit of a service
14:30:55 <harsh> To conclude - concept `Impact` as a category of `Consequence`, with property `hasImpact` linking it to a concept causing the impact, and property `hasImpactOn` linking it to what is impacted.
14:31:42 <harsh> The property `hasConsequenceOn` is put on hold as proposed until we have clarity in terms of how it is differentiated from `hasImpactOn`, and what consequences have effect that are not impacts (not philosophically, but in the sense that they are not documented as such)
14:34:36 <harsh> `Impact` has further categories `Benefit`, and `Detriment` with further categories `Harm` (needs discussion on how it relates to Damage)
14:34:54 <harsh> Topic: Path for DPV v1
14:35:44 <harsh> Relevant sets of concepts deemed necessary for v1 - DPIA, data breach, risk, ROPA, consent, privacy policy/notice (contents), relation of ISO/IEC standards to tech/org measures
14:36:13 <harsh> In this, privacy notice concepts are in DPV except the notion of app, service, product, etc. - which should be provided by the tech extension
14:36:29 <harsh> DPIA concepts will be proposed by Harsh, Rana, Georg in April
14:36:45 <harsh> Data Breach concepts include breach types (e.g. hacking), notifications, records, etc. - proposals welcome
14:37:14 <harsh> Risk concepts - e.g. likelihood, qualitative risk levels, etc. - Harsh will propose based on existing work e.g. https://github.com/coolharsh55/riskonto
14:37:47 <harsh> ROPA - all concepts present, some additionally proposed by Harsh, Paul, Rob in April
14:38:30 <harsh> Consent - proposal by Harsh in April based on state in ISO/IEC 27560 (to avoid conflict/mismatch). See https://doi.org/10.5281/zenodo.5076603 for prior proposal.
14:38:45 <harsh> For rest, proposals welcome
14:38:49 <harsh> Topic: Next Meeting
14:40:25 <harsh> We will meet next WED MAR-30 14:00 CEST (note daylight saving changes)
14:40:39 <harsh> Discussion to include comments on consenquence & impact (if any)
14:40:56 <harsh> Other concepts include tech extension (data storage, apps, services, etc.) and data subject categories
14:40:59 <harsh> zakim, bye
14:40:59 <Zakim> leaving.  As of this point the attendees have been harsh, fajar, julian, georg, :, beatriz
14:40:59 <Zakim> Zakim has left #dpvcg
14:41:04 <harsh> rrsagent, publish minutes v2
14:41:04 <RRSAgent> I have made the request to generate https://www.w3.org/2022/03/23-dpvcg-minutes.html harsh
14:41:08 <harsh> rrsagent, set logs world-visible
15:00:29 <harsh> rrsagent, bye
15:00:29 <RRSAgent> I see no action items