Meeting minutes
ODRL-CG and DPVCG at TPAC
See event details and agenda - https://
harsh, beatriz, georg, paul, victor will be present from DPVCG
Others are welcome to join, please let us (harsh, victor) know if possible so we can keep track of participation
Next Meeting
we will be holding the next meeting on SEP-21 13:00 WEST / 14:00 CEST as most regular members are away at conference or on vacation next week
DPV v1 planning
The original schedule for DPV v1 estimated the release around September. That plan is no longer viable as there are several items pending, mostly related to documentation.
The group discussed today what does "v1" should mean - where based on convention the first version implies some notion of stability in terms of non-changes and completeness
For this, we consider whether 1) are any core concepts missing 2) any pertinent issues that must be resolved 3) have developed resources been applied and are useful
The discussion yieded the following - we have identified the core concepts and none seem to be missing.
The missing sections refer to concepts that can be added as research is completed. These refer to exercising of rights, data breach records, standards, complaint procedures.
There is a lack of documentation, but the underlying concepts are deemed to be (fairly) complete.
Therefore the specification can be put on a "release candidate" track (suggested by Julian) to invite specific comments with a view towards publishing as v1
We keep the tentative date for this as OCT-15 to invite comments, after which we will resolve them and publish a v1.
In the meantime, we put a freeze on making major changes (large additions avoided, minor corrections are okay).
Volunteers for assisting with the documentation are needed and are invited to select what best suits their capabilities and interests
For documentation, harsh is updating the primer - https://
Similar changes are to be made to the specification i.e. adding textual descriptions to each section for introducing the concepts and structures.
A list of use-cases is proposed to be created and added to show completeness of considerations that went into creating the DPV concepts. harsh has a proposal to automate this by creating a page for listing them - https://
Similarly, examples can be listed as proposed here - https://
A list of things that volunteers can help with is available here - https://
In addition to these, DPVCG has also planned to provide guides (explanation on DPV's concepts) for risk management, DPIA, ROPA, and consent - that provide an overview on what concepts within DPV are needed for each application
In addition, and at a later date, some 'tutorials' that explain in a step-by-step manner how to implement DPV within some use-case would also provide helpful for adoption.
Volunteers who want to implement specific things, e.g. write a section on technical measures - should let the group know of their interest so as to co-ordinate work. They are free to write and share it in whatever format they prefer (e.g. plain text, .docx, Google Docs).
Rights
DPV has the notion of Right and DataSubjectRight, with GDPR specific ones in DPV-GDPR. The group has previously discussed that these should be expanded to provide practical concepts necessary for exercising the rights and representing the process and their responses.
Taking the example of GDPR's SAR and Data Portability (and other rights) the group agrees that it would be better to have DPV provide a basic notion of rights exercise (e.g. property `hasRightsExercise`), with the additional concepts (which are detailed and several) to be provided in the rights extension.
DPV-GDPR then implements this extension for the specific requirements of its rights, i.e. SAR and Data Portability and others.