The DPVCG has published final reports consisting of three vocabularies, a Primer, and a usage guide:
- Data Privacy Vocabulary (DPV) – and its serialisations in RDFS+SKOS and OWL2
- DPV-GDPR: GDPR Extension for DPV – and its serialisations in RDFS+SKOS and OWL2
- DPV-PD: Extended Personal Data categories for DPV – and its serialisations in RDFS+SKOS and OWL2
- Primer for DPV
- Guide for using DPV in OWL2
These are complemented by ongoing efforts currently in draft form:
- Risk Extension providing concepts for risk assessment, risk management, and impacts
- Legal Extension (DPV-Legal) providing concepts for expressing locations as jurisdictions, laws, authorities, and trade memberships
- Rights Extension providing concepts for representing rights and rights exercise
- Technology Extension (DPV-Tech) providing concepts for expressing technologies used in implementations
The vocabularies and documents are available at GitHub under w3c/dpv – which also enables providing feedback and raising issues.
What are the DPV vocabularies?
The Data Privacy Vocabulary (DPV) Specification provides a vocabulary and ontology for expressing information related to processing of personal data, entities involved and their roles, details of technologies utilised, relation to laws and legal justifications permitting its use, and other relevant concepts based on privacy and data protection. While it uses the EU’s General Data Protection Regulation (GDPR) as a guiding source for the creation and interpretation of concepts, the ambition and scope of DPV is to provide a broad globally useful vocabulary that can be extended to jurisdiction or domain specific applications. People, organisations, laws, and use-cases have different perspectives and interpretations of concepts and requirements which cannot be modelled into a single coherent universal vocabulary. The aim of DPV is to act as a core framework of ‘common concepts’ that can be extended to represent specific laws, domains, or applications. This lets any two entities agree that a term, for example PersonalData, refers to the same semantic concept, even though they might interpret or model it differently within their own use-cases.
The motivation of DPV is to provide a ‘data model’ or a ‘taxonomy’ of concepts that act as a vocabulary for the interoperable representation and exchange of information about personal data and its processing. For this, the DPV specification represents an abstract model of concepts and relationships that can be implemented and applied using technologies appropriate to the use-case’s requirements.
The following is an illustrative, but non-exhaustive list of applications possible with the DPV:
- Document annotation – identifying and annotating concepts within documents such as privacy policies, legal compliance documentation, web pages;
- Representing Policies – expressing policies for how personal data should be ‘handled’, policies for describing a use-case’s use of personal data;
- Representing Rules – creating and utilising rules for expressing requirements, constraints, or obligations regarding the necessity or optionality on the use of personal data, and for checking conformance with obligations such as for legal compliance.
What does v1 mean?
The DPVCG was created as an outcome of the SPECIAL H2020 project, which organised the W3C Workshop on Data Privacy Controls and Vocabularies in Vienna in 2017, and initiated the DPVCG on 25th May 2018 – the date of the enforcement of GDPR. Since then, the DPVCG has worked to fulfil its aims and objectives, and produced numerous vocabularies in draft form. In the 5 years of its operation, the community has worked on building a large corpus of terms and arranging them into useful vocabularies and specifications that are accompanied by documentation and descriptions. In this time, the specifications have undergone both major and minor changes with the intention to polish and refine the work. With the v1 release, the DPVCG wishes to indicate that its outputs should be considered relatively stable and are ready for use and wider adoption.
It should be noted that a v1 release does not indicate completeness, as there are several topics not currently covered in DPV (e.g. Data Transfers, Data Breaches) and there are important extensions that are currently being worked on. Similarly, a v1 release should also not be assumed to be completely stable – as there will be errors and changes based on future developments. Instead, v1 indicates that the DPVCG does not foresee major changes or challenges to the outputs in their current form.
While the DPV, DPV-GDPR, and DPV-PD outputs have been published as v1, they are by no means considered complete. Work will continue on refining these. Specifically, the group is considering the following (non-exhaustive) list of topics:
- Data Transfers – providing the necessary concepts to represent data transfer documentation and assessments
- Data Breach – providing the necessary concepts to document data breach preparation plans and recording instances of a data breach along with its response activities (e.g. notifications and impacts)
- Privacy Notices – providing the necessary concepts to represent notices in machine-readable form using DPV concepts in line with established standards
- Finalising Risk Extension – providing the necessary concepts to represent risk assessment and risk management information in line with established standards, and providing taxonomies for detrimental impacts and benefits
- Finalising Legal Extension – aligning DPV’s outputs with existing standards for representing locations and jurisdictional arrangements (such as EUROVOC), and providing taxonomies of laws and authorities related to data protection and privacy
- Finalising Technology Extension – providing the necessary concepts to describe how various technologies (e.g. databases, servers, algorithms) are used in an implementation, and providing taxonomies for Information Technology
- Finalising Rights Extension – providing concepts that describe rights, exercise of rights, impact to rights, and assist in discovering and associating implementations with fundamental rights
- Guidance documentation, such as that describing Consent Records, DPIAs, ROPAs, and other practical necessities where DPV can be used to automate and improve workflows
The DPVCG chose GDPR as a focal point to influence the development of DPV and aligned vocabularies based on its then influence in changing how laws regard personal data processing and its impacts. Since that time, there have been several important developments across the globe, both as laws as well as standards and guidelines, that are aligned with GDPR’s ethos in terms of requirements and compliance considerations. At the same time, the EU has embarked on an ambitious regime of producing a regulatory framework consisting of several wide reaching laws related to Data. The DPVCG is interested in extending its vocabularies and efforts to also address these developments. It welcomes contributions that add concepts or extend existing vocabularies for jurisdiction specific norms (for example, creating DPV-CCPA for California’s CCPA similar to DPV-GDPR). The existing members have expressed an interest in considering the following for immediate consideration:
Contributing and Getting Involved
Participation in the DPVCG is open and free to all who are interested. For more information and to join, see https://www.w3.org/community/dpvcg/. While contribution is welcome from everyone regardless of membership status, such as via the mailing list or GitHub, decision making is restricted to membership forums.
Community & Acknowledgements
The DPVCG is a community group based on voluntary contributions. As such, the outputs produced bear thanks to the efforts of the community and its members, as well as to several external contributors, all of whom have engaged with the group, offered their expertise, taken on work, and delivered to enable this milestone. We thank each and all of them. We also thank the various funding sources which have directly enabled work on the DPVCG as well as indirectly helped by funding the members and contributors.