Meeting minutes
Proposed concepts
`hasResponsibleEntity` to indicate which entity is responsible for something, e.g. controller in joint-controllers, or department in organisation
Concept accepted `hasResponsibleEntity` under Entities module
Concept `InternationalOrganisation` as defined in GDPR A.4-26
Also define elsewhere (outside-EU) e.g. https://
Concept accepted `InternationalOrganisation` as type of Organisation in Entities module
Consequences and Impacts
Prior discussion recorded in previous minutes
Also see email https://
Discussion on conceptual differences between _consequence_ and _impact_
Consequence and Impact are relevant for PIA, DPIA, ROPA, Transfer impact assessment, Tech/Org measure effectiveness, Privacy Notice, Risk assessment
Discussion conclusions and summaries recorded as below.
Consequence is a general concept, represents outcome of something (e.g. event, process, action)
Impact is a specific type of consequence (so a subset or subcategory of Consequence): a stronger notion, used to identify a consequence to some entity or thing.
For example, Consequence when used can have 'weak' impact that is not explicitly acknowledged as such e.g. slower processing, inability to log in.
Impact, as a stronger concept of consequence, is used to explicitly identify effects on entity e.g. to a person using a service
We need clear descriptions and examples that state this.
Where to use what concept depends on the context e.g. impact assessments (by name) talk about impacts, risk assessments talk about both impact and consequence
An entity (e.g. data controller or individual) may distinguish between consequence and impact as well e.g. impact on me vs consequence on others or vice-versa
GDPR mentions both consequence (e.g. A.13) and impacts (e.g. A.35) - however in both cases the implication could be on negative consequences and impacts
At the same time, there are also positive concepts e.g. benefit of a service
To conclude - concept `Impact` as a category of `Consequence`, with property `hasImpact` linking it to a concept causing the impact, and property `hasImpactOn` linking it to what is impacted.
The property `hasConsequenceOn`, as proposed, is put on hold until we have clarity on how it is differentiated from `hasImpactOn`, and on which consequences have effects that are not impacts (not philosophically, but in the sense that they are not documented as such)
`Impact` has further categories `Benefit` and `Detriment`, the latter with further category `Harm` (needs discussion on how it relates to Damage)
Path for DPV v1
Relevant sets of concepts deemed necessary for v1 - DPIA, data breach, risk, ROPA, consent, privacy policy/notice (contents), relation of ISO/IEC standards to tech/org measures
In this, privacy notice concepts are in DPV except the notion of app, service, product, etc. - which should be provided by the tech extension
DPIA concepts will be proposed by Harsh, Rana, Georg in April
Data Breach concepts include breach types (e.g. hacking), notifications, records, etc. - proposals welcome
Risk concepts - e.g. likelihood, qualitative risk levels, etc. - Harsh will propose based on existing work e.g. https://
ROPA - all concepts present, some additionally proposed by Harsh, Paul, Rob in April
Consent - proposal by Harsh in April based on state in ISO/IEC 27560 (to avoid conflict/mismatch). See https://
For rest, proposals welcome
Next Meeting
We will meet next WED MAR-30 14:00 CEST (note daylight saving changes)
Discussion to include comments on consequence & impact (if any)
Other concepts include tech extension (data storage, apps, services, etc.) and data subject categories