W3C home > Mailing lists > Public > public-dpvcg@w3.org > April 2020

Re: Representation of GDPR rights

From: Zach Edwards <zach@victorymedium.com>
Date: Thu, 30 Apr 2020 08:49:03 -0700
Message-ID: <CANyBzoYxGxu9gi24jQHBpsY_HAszsjJf6sULirGj7CPPFfUTgQ@mail.gmail.com>
To: besteves@delicias.dia.fi.upm.es
Cc: "Harshvardhan J. Pandit" <me@harshp.com>, public-dpvcg@w3.org
howdy ya'll,

I'd love to join any groups working on this and I'll try to keep an eye on
the discussions. I've been working ona. "privacy schema" that uses language
from GDPR/CCPA/CPRA and a few other frameworks in the U.S. (HIPAA/COPPA,
etc) and then describes the "States of Data" (Inbound, at rest, outbound)
and how an organization may need to append metadata to that data in various
states of transmission to properly identify the source/consent/transfers
for revocations/deletion efforts.

Privacy schema draft @ (feel free to clone / take anything, no credit
needed) :
https://docs.google.com/spreadsheets/d/1jrmUpLq88M_lq6iM2-0Tsm1-XSqU-9q-ChcNxSwJ31Y/edit?usp=sharing

Thanks for everyone's work on this topic!

Sincerely,
Zach

On Thu, Apr 30, 2020 at 8:41 AM <besteves@delicias.dia.fi.upm.es> wrote:

> Great, didn't know, but if we already have it on the wiki we should
> definitly use it.
>
> Thanks, I'll have a look.
>
> Best,
>  Beatriz
>
>
> Harshvardhan J. Pandit – Thu, 30. April 2020 16:36
> > Hi Beatriz,
> > IMHO We should have this on the Wiki in its current state given that it
> > is accessible to everyone and is editable for members.
> > We already have a Wiki page detailing some existing terms -
> > www.w3.org/community/dpvcg/wiki/Rights
> >
> > If you think there is a lot of (structured) data to record, we can move
> > over the spreadsheets.
> >
> > Best,
> > Harsh
> >
> > On 30/04/2020 16:26, besteves@delicias.dia.fi.upm.es wrote:
> > > Thank you for your comments!
> > >
> > > To start, I'll create a Google Sheets with the rights and we can go
> from
> > there.
> > > I'll try to have it for the next call.
> > > Then latyer we can add it to the wiki once it is more mature.
> > >
> > > Thanks,
> > > Beatriz
> > >
> > >
> > > Info @ OC – Thu, 30. April 2020 15:59
> > >> Quick Inline Comments ,
> > >>
> > >>
> > >>> On 30 Apr 2020, at 09:52, Harshvardhan J. Pandit <me@harshp.com>
> wrote:
> > >>>
> > >>> Rights are definitely of interest and within scope of the work we are
> > >> looking (IMHO).
> > >>
> > >> +1
> > >>>
> > >>> On 30/04/2020 13:19, besteves@delicias.dia.fi.upm.es wrote:
> > >>>> For starters, should we discuss which is the best way to do it?
> > >>>> Two options could be:
> > >>>> 1) add a new module (such as the purpose, processing, ... modules)
> to the
> > >> vocabulary
> > >>> My intuitive reaction was to have "Rights" as a top-level concept and
> > >> associated with a Personal Data Handling instance.
> > >>> However, this would not be the right way to go forward as 'rights'
> are not
> > >> necessarily associated with personal data handling/processing. For
> example,
> > >> Right to withdraw consent (GDPR) is associated with legal basis of
> consent.
> > >>>
> > >>> So I would propose that as the first exercise we use the Wiki to
> list down
> > >> the rights and the relevant concepts currently in DPV regarding those
> > (where
> > >> possible).
> > >>> Hopefully after this we would have some indication of where to model
> them
> > as
> > >> a concept.
> > >>
> > >> +2 - Rights are relative to the legal authority to process and in
> this way
> > are
> > >> applied to the context. The operational use of rights, (in my opinion
> is
> > >> achieved with Notice) Notice requirements are quite clear in the GDPR.
> > >>
> > >> For example a data subject has the right to object, a right to
> restrict
> > >> processing, a right to revoke consent, and right to Notice and privacy
> > >> information. - these vary according to legal justification, which is
> > (suppose
> > >> to be) required to be apart of a Notice .
> > >>>
> > >>> Conversely, another interpretation of 'rights' is as a policy - which
> > means
> > >> it would go beyond the scope of DPV (currently).
> > >>> In this case, we should aim to provide the terms required to express
> this
> > >> policy - which *is* the goal of DPVCG.
> > >>
> > >> I would suggest that - it would be first rights - then policy, (in
> terms of
> > >> order of governance operations.)
> > >>
> > >>>
> > >>>> 2) create a separate vocabulary (such as the one created for the
> legal
> > >> basis)
> > >>> Rights are tied to jurisdictional laws/legislations - much in the
> same way
> > >> as legal basis.
> > >>> So this makes sense. But instead of a separate vocabulary - we can
> add
> > them
> > >> to DPV-GDPR.
> > >>>
> > >>> However, do we create a separate module/extension for every
> jurisdiction?
> > >> (IMO yes)
> > >>>
> > >>> P.S. Minutes of meeting for yesterday are at
> > >> www.w3.org/2020/04/29-dpvcg-minutes.html
> > >>
> > >> Thank You !
> > >>> I had trouble remembering how to use Zakim, RRSAgent.
> > >>>
> > >>> Regards,
> > >>>
> > >>> --
> > >>> ---
> > >>> Harshvardhan Pandit
> > >>> PhD Researcher
> > >>> ADAPT Centre
> > >>> Trinity College Dublin
> > >>>
> > >>>
> >
> > --
> > ---
> > Harshvardhan Pandit
> > PhD Researcher
> > ADAPT Centre
> > Trinity College Dublin
>
>

-- 
--
Zach Edwards
zach@victorymedium.com
512-417-3095
skype: thezedwards
Received on Thursday, 30 April 2020 15:53:37 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:58 UTC