Scribe: harsh
ScribeNick: harsh
We will be resolving the proposed terms in continuation of the NOV-4 workshop
Q: Whose Rights? Controllers, Processors, Data Subject?
Discussion: we have a top-level class called 'Rights' and sub-class it as 'DataSubjectRights' and add the GDPR rights to this
This is specific to a law, and the common use of 'term' differs from this definition. Therefore, it would be better to have a separate profile (e.g. dpv-ccpa) and define the term 'sell' in it, along with equivalence relations to DPV processing categories.
Discussing: ThirdCountry
How to specify that a Processing is taking place in a third country, or that a recipient is in a third country
There is a Location class in PersonalData, does it make sense to have ThirdCountry as a subset of that?
There is also the class Country in PersonalData
How will defining third country as sub-classes of these impact / have consequences?
TBD
Risk is a high-level concept that can be associated with different things/concepts
We have RiskManagementProcedure as an organisational measure
Risk as a top-level concept, with generic property to enable associating it with any concept
Discussing: RiskMitigationMeasure
Associate RiskMitigationMeasure with Risk using property mitigatesRisk
Is Data Breach a type of Risk? (yes, but more complex)
Data Breach is also referred to as a process
Data Breach is given high importance in organisational processes, governance, and documents
Data breach as a category of Risk
Make note of how to specify a Data Breach (or Risk) has taken place
This can be done by creating an instance of the risk or breach and considering that as the risk having consequences
Consultations as an OrganisationalMeasure and Consultation with DPA as a specific sub-class
ROPA is related to compliance and compliance-related processes and documents
We need to discuss how to specify these in DPV, and then define ROPA under those
DPIA is a type of impact assessment, so there should be a top-level class called Impact Assessment, with DPIA a sub-class of it
This is a type of contract, so needs more discussion
DPV currently does not specify categories of Legal Basis, maybe in next version we can have generic categories of legal basis and define this as a contract within it
This will allow specifying legal basis for transferring data from Controller to Processor
Complicated because: are safeguards the same as technical and organisational measures?
TBD
25 NOV 13:00 Dublin, 14:00 CET
Present: harsh, PaulRyan, GeorgKrogg, BeatrizEsteves