W3C

– DRAFT –
DPVCG Meeting Call

20 APR 2022

Attendees

Present
beatriz, georg, harsh, jan, mark, paul
Regrets
-
Chair
harsh
Scribe
harsh

Meeting minutes

Fixes to Processing concepts

- Removed concept ~MatchingCombining~ from the Processing Context module, and added ~Match~ as a processing operation. ~Combine~ already exists as a processing operation. This provides consistency in processing operations, and distinction from context (e.g. automated decision making can be involved in any processing operation, whereas match/combine are types of processing operations). This is relevant for A.35 DPIA as specified by A29WP guidelines.

- Added concept ~Generate~ as a processing operation to distinguish when data is generated or created without deriving it from existing data or collecting it from another source. E.g. an identifier created and assigned to an individual is generated data, as it is not any of: collect, derive, etc. ~Generate~ is a subclass of ~Obtain~.

- Added concept ~Infer~ to correspond with data categories ~InferredPersonalData~ and to provide distinction from ~Derive~: derive as in obtain from existing data, and infer as in obtain without any correlation or existence from existing data.

Accountability and related concepts

Session chaired by paul and georg

Discussion on ICO Accountability Framework https://ico.org.uk/for-organisations/accountability-framework/

paul: Recent paper investigating accountability with ROPA data. Title: "Support for Enhanced GDPR Accountability with the Common Semantic Model for ROPA (CSM-ROPA)" https://doi.org/10.1007/s42979-022-01099-9

ICO accountability framework is a collection of questions, some of which are related to GDPR clauses, and others related to management activities. DPV could be used for some of these.

jan: email (https://lists.w3.org/Archives/Public/public-dpvcg/2022Apr/0024.html) enquiring how entities are supposed to exchange and reuse ROPA data

harsh: It isn't advisable to directly use someone else's data, for legal and accountability reasons. Instead, the data would be integrated or copied into the organisation's ROPA. E.g. Controller takes Processor's implemented technical measures.

paul: Accountability concepts that have been met need to be specified - automatically populating this information would be of value

georg: Julian proposed the property `isRequiredFor` to specify a concept is required for some accountability concept

harsh: I would suggest doing it the other way around, specifying that an accountability concept is linked to a concept and specifying what the association is, e.g. is necessary to be carried out, to be declared, exists, etc. This is because the property `isRequiredFor` doesn't indicate what the requirement is, and whether it's conditional or has obligations. This restricts the usefulness of that linking.

Discussion on what this work means for DPVCG.

harsh: We could identify concepts e.g. PolicyForDataProtectionTraining as an OrganisationalMeasure, but there will also be a gap in how the organisation implements that concept e.g. are these policies readily available.

georg: We could indicate what concepts are needed for another concept, such as concepts for policy in ICO Accountability Tracker, which would be of use to help organisations complete the framework.

Next Meeting

We will meet again next week WED APR-27 14:00 CEST

Topics for discussion will be proposed Technology concepts, association of ISO and other standards to DPV concepts, and anything else that ends up on the mailing list.

Minutes manually created (not a transcript), formatted by scribe.perl version 185 (Thu Dec 2 18:51:55 2021 UTC).