W3C

DPVCG Meeting Call

06 JUL 2023

Attendees

Present
beatriz, delaram, georg, harsh, paul, ted
Regrets
-
Chair
harsh
Scribe
harsh

Meeting minutes

Repository: w3c/dpv

minutes - https://w3id.org/dpv/meetings

Multi-lingual translations - no updates (georg)

Data Breach extension

review of data breach document

see email: https://lists.w3.org/Archives/Public/public-dpvcg/2023Jun/0003.html

see document: https://harshp.com/dpv-x/data-breach/

ghurlbot, get #64

<ghurlbot> Issue 64 Provide concepts for Data Breach (coolharsh55)

harsh: concepts from the previous emails and the guidance document have been collated into a spreadsheet as requested in the last meeting - https://docs.google.com/spreadsheets/d/1JT0dYFUiEomuP5EvoivuCUX6H78d7I839VeT5o-4-bE/edit?usp=sharing

DONE: Create spreadsheet with Data Breach concepts

georg: There are comments on the data breach document (shared Google Doc), and in addition there are also incident notifications mentioned in the NIS2 and DORA regulations

harsh: I have included the changes from the Google Doc into the guidance document. For NIS2 and DORA, we should treat them as a separate proposal since data breach notifications are a distinct regulatory action. The goal would be to create a similar structure so that all incident notifications are interoperable, with regulation-specific variations as needed. I am working on the NIS2 concepts based on georg's provided analysis.

pending actions that are carried over

ACTION: Include EDPB examples in the Data Breach document

ACTION: Investigate NIS2 notification concepts for use with Data Breach notifications

ACTION: Finish sections 7 to 9 of data breaches document for review

Impact of changes from DGA

harsh: ghurlbot, get #62

<ghurlbot> Issue 89 Add DGA/eIDAas entities (coolharsh55)

harsh: ghurlbot, get #99

<ghurlbot> Proposal to change DPV scope to include Non-Personal Data (coolharsh55)

harsh: Email sent around by harsh regarding changes of concepts and impact on DPV. First question is whether the non-personal data concepts should be considered in scope. Second question is how they should be added. There are 4 options for addition, along with their impact on the existing structure and concepts in DPV. See https://lists.w3.org/Archives/Public/public-dpvcg/2023Jul/0003.html
… Option 1 is to change the core concepts, e.g. Purpose, to refer to both personal and non-personal data. This will mean a MAJOR change to DPV. We take input from the community on whether to use a new namespace, e.g. dpv/v2. Option 2 is creating a new extension for non-personal data. No impact on existing use of DPV, but large duplication of concepts in the new extension. Option 3 is to discard the proposal. Option 4 is the same as option 1, except we create a new vocabulary and discontinue dpv. This gives license to make major changes, but has the drawback that people will have to find it and opt in.
… My preference is for option 1, with making changes to existing vocabulary if possible, otherwise having a new namespace if needed based on feedback

georg: sent email reply - yes to Q1, NO for vocabulary for non-personal data, for Q2 prefer option 1 but would like to discuss option 4.

beatriz: sent email reply - yes to Q1, NO for non-personal data taxonomy, for Q2 option 1.

harsh: okay, so we keep inviting feedback and making a record of changes. This is an important and major proposal - so giving people time to find the questions, think about impact, and discuss it here is important. Right now people might be on vacation due to summer. So we will keep a rolling discussion on this until August or September and then try to find a resolution so that the v2 vocabulary might be released by year end.

ACTION: Invite feedback and discussion on the impact of proposed changes from DGA modelling

Next Meeting

The next meeting will be in 1 week on JUL-13 at 14:00 WEST / 15:00 CEST.

Topics for discussion will include (1) Data Breach extension - review spreadsheet and document - harsh, georg, paul; (2) DGA concepts - beatriz, georg; (3) Risk Management concepts - delaram; (4) Impact of proposed changes from DGA modelling.

Summary of action items

  1. Include EDPB examples in the Data Breach document
  2. Investigate NIS2 notification concepts for use with Data Breach notifications
  3. Finish sections 7 to 9 of data breaches document for review
  4. Invite feedback and discussion on the impact of proposed changes from DGA modelling
Minutes manually created (not a transcript), formatted by scribe.perl version 217 (Fri Apr 7 17:23:01 2023 UTC).