- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Thu, 17 Mar 2022 17:40:50 +0000
- To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Hello.

As discussed in previous meeting [1] in the context of specifying benefits and beneficiary, following is my proposal. Please indicate your opinions on this by replying to this email. We will discuss the comments received in next meeting.

Consequence is a general concept referring to the outcome or effect of some action or operation. E.g. Success, Failure, Event.

Impact is a specific type of consequence with a stronger notion of influence, change, or effect on something. E.g. Benefit, Detriment, Harm.

Example: Personal Data breach is an event, whose consequence is data being leaked, which then has an impact on data subjects in terms of potential identity theft, scams, and so on.

In Risk Management, this distinction has the benefit of being able to specify how the consequence and impacts are addressed with controls before and after they occur. For example, strong access controls and security measures prevent data leaks (pre-consequence). Encryption and data obfuscation/separation prevents readily using that data (post-consequence). Alerting users about data leaks prevents harms (pre-impact). Creating dedicated contact points to reverse/minimise harms (post-impact).

From this, the pattern to use is:

concepts: Consequence (existing in DPV), Impact
properties: hasConsequence (inverse: isConsequenceFrom), hasImpact (inverse: isImpactFrom), hasEffectOn

Example:

    ex:PersonalDataBreach a prov:Activity, dpv:Risk ; # some event
        dpv:hasConsequence ex:DataLeak ;
        dpv:isMitigatedByMeasure ex:AccessControlMethod ;
        dpv:hasEffectOn ex:Users .

    ex:DataLeak a dpv:Consequence, dpv:Risk ;
        dpv:isConsequenceFrom ex:PersonalDataBreach ;
        dpv:isMitigatedByMeasure ex:AccessControlMethod ;
        dpv:hasImpact ex:PotentialIdentityTheft, ex:PotentialScams .

    ex:PotentialIdentityTheft a dpv:Impact, dpv:Risk ;
        dpv:isImpactFrom ex:DataLeak ;
        dpv:hasEffectOn ex:Users ;
        dpv:isMitigatedByMeasure ex:DataBreachNotifications, dpv:EncryptionInRest .

    ex:PotentialScams a dpv:Impact, dpv:Risk ;
        dpv:isImpactFrom ex:DataLeak ;
        dpv:hasEffectOn ex:Users ;
        dpv:isMitigatedByMeasure ex:DataBreachNotifications, dpv:EncryptionInRest .

[1] https://www.w3.org/community/dpvcg/wiki/MinutesOfMeeting_20220316

P.S. More 'advanced' risk management concepts such as likelihoods, risk scores, risk records, etc. are invited as an extension / separate vocabulary. Consequence and Impact are relevant to several DPV concepts e.g. impact assessments, and legitimate interest assessments - which is why they are proposed for inclusion in main DPV.

Regards,
--
---
Harshvardhan J. Pandit, Ph.D
Research Fellow
ADAPT Centre, Trinity College Dublin
https://harshp.com/
Received on Thursday, 17 March 2022 17:41:10 UTC
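
The pattern proposed in the message above, as an added example that is not part of the original email or of DPV tooling: it checks that every hasConsequence/hasImpact statement has its proposed inverse asserted, and walks the event, consequence and impact chain to list the measures and affected parties at each stage. The triples are constructed from the message's Turtle example; the function names `missing_inverses`, `objects` and `trace` are hypothetical.

```python
# Triples constructed from the Turtle example in the message (prefixed names kept as strings).
TRIPLES = {
    ("ex:PersonalDataBreach", "dpv:hasConsequence", "ex:DataLeak"),
    ("ex:PersonalDataBreach", "dpv:isMitigatedByMeasure", "ex:AccessControlMethod"),
    ("ex:PersonalDataBreach", "dpv:hasEffectOn", "ex:Users"),
    ("ex:DataLeak", "dpv:isConsequenceFrom", "ex:PersonalDataBreach"),
    ("ex:DataLeak", "dpv:isMitigatedByMeasure", "ex:AccessControlMethod"),
    ("ex:DataLeak", "dpv:hasImpact", "ex:PotentialIdentityTheft"),
    ("ex:DataLeak", "dpv:hasImpact", "ex:PotentialScams"),
    ("ex:PotentialIdentityTheft", "dpv:isImpactFrom", "ex:DataLeak"),
    ("ex:PotentialIdentityTheft", "dpv:hasEffectOn", "ex:Users"),
    ("ex:PotentialIdentityTheft", "dpv:isMitigatedByMeasure", "ex:DataBreachNotifications"),
    ("ex:PotentialIdentityTheft", "dpv:isMitigatedByMeasure", "dpv:EncryptionInRest"),
    ("ex:PotentialScams", "dpv:isImpactFrom", "ex:DataLeak"),
    ("ex:PotentialScams", "dpv:hasEffectOn", "ex:Users"),
    ("ex:PotentialScams", "dpv:isMitigatedByMeasure", "ex:DataBreachNotifications"),
    ("ex:PotentialScams", "dpv:isMitigatedByMeasure", "dpv:EncryptionInRest"),
}

# Inverse pairs as named in the proposal.
INVERSES = {"dpv:hasConsequence": "dpv:isConsequenceFrom",
            "dpv:hasImpact": "dpv:isImpactFrom"}

def missing_inverses(triples):
    """Return the inverse statements that the graph implies but does not assert."""
    both = {**INVERSES, **{v: k for k, v in INVERSES.items()}}
    return sorted((o, both[p], s) for s, p, o in triples
                  if p in both and (o, both[p], s) not in triples)

def objects(triples, subject, prop):
    """Sorted objects of (subject, prop, ?)."""
    return sorted(o for s, p, o in triples if s == subject and p == prop)

def trace(triples, event):
    """Walk event -> consequence -> impact; one row per node with its measures and affected parties."""
    nodes = [("event", event)]
    for cons in objects(triples, event, "dpv:hasConsequence"):
        nodes.append(("consequence", cons))
        nodes += [("impact", i) for i in objects(triples, cons, "dpv:hasImpact")]
    return [(stage, n,
             objects(triples, n, "dpv:isMitigatedByMeasure"),
             objects(triples, n, "dpv:hasEffectOn")) for stage, n in nodes]

if __name__ == "__main__":
    print("missing inverses:", missing_inverses(TRIPLES))
    for stage, node, measures, affected in trace(TRIPLES, "ex:PersonalDataBreach"):
        print(f"{stage:12} {node:28} measures={measures} affects={affected}")
```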