Meeting minutes
Data Breach
georg: Meeting with VC Hungarian DPA who said data breach requirements vary across EU DPAs. Problem for Orgs is that they are required to report to multiple/all DPAs which means there are separate requirements for each reporting. The work required here is to first list what GDPR requires, then see what each DPA requires additionally, and then after this we have the building blocks to create a Data Breach vocabulary.
harsh: Paul followed this approach for ROPA, and myself for DPIA so this seems like a repeated pattern we would have to do with all processes.
jan: When consenting, it is clear who is the authority (DPA). One idea would be to identify the location or region of the individual and identify the relevant local authorities to present in notice or to be notified.
georg: In this case, the reporting is supposed to go to all DPAs. So this is not from the individual, but from the Org directly to DPAs.
harsh: I've been mulling on whether there is a possibility to use ActivityPub to normalise the communications protocols, and build stuff like ROPA and Data Breach upon it. Would be an interesting research application.
georg: We can submit something to EDPB on the harmonisation of information requirements.
jan: Similar chance for privacy notices information to be 'standardised' or provided in common form?
harsh: No, that is difficult because the DPAs and GDPR consider a notice to be contextual and per use-case. So a single notice format is difficult to achieve. There has been some movement to adopt 29184 in CEN/CENELEC as an EU standard - so we may have an authoritative source on information within a GDPR notice as well.
Relevant GitHub issue - https://
Risk Management
Proposal to add more risk management concepts under the Risk extension as per the ISO 31000 series.
Relevant GitHub issue - https://
DPV-LEGAL
As we noted in the earlier meeting, we want to focus on laws and authorities and provide guidance on use of external location vocabularies.
Relevant GitHub issue - https://
Justifications
We have agreed to create a Justifications extension to provide all kinds of reasons for why something happened or could not happen.
Relevant GitHub issue - https://
DPV-TECH
georg: Need to specify the 'tech' used e.g. form's security method, or how the email was sent
paul: when using a supplier it requires due diligence, etc.
harsh: Let's collect use-cases for DPV-Tech so we have a focus.
tek: SDM for ToMS - https://
Adding More Regulations
harsh: we also need to plan around upcoming regulations this year i.e. DGA, DSA, DMA, and the proposed ones i.e. Data Act, AI Act, ePrivacy Regulation, Health Data Space Regulation
georg: which of these would be considered first?
harsh: preference is on currently enforced (i.e. GDPR), then accepted (i.e. DGA, DSA, DMA), then proposed (i.e. rest) - we also want to avail of guidelines, case law, known use-cases and implementations etc.
jan: working on eIDAS - which would also be relevant to the group; am writing an article on this
jan: (discussion on standards) what needs to be standardised, what is missing or what are the gaps in ISO/CEN and if the group can be useful there
Next Meeting
We will meet again in 1 week, on WED 11th Jan at 14:00 CET.