The Data Privacy Vocabularies and Controls Community Group published two vocabularies to describe personal data and the ways it can be processed. The vocabularies are meant to be used in software that automates verifications against the European General Data Protection Regulation (GDPR).
The group describes the vocabularies as ‘version 0.1’, because it is likely that, on further review, there are both too many and too few terms in them. That’s why the group asks for feedback.
The documents asked for comments to be sent before the 15th of September 2019, but that doesn’t mean that comments won’t be accepted anymore. It just means comments may not get into the next version, but into a later one.
Data Privacy Vocabulary
The first of the two vocabularies is called ‘Data Privacy Vocabulary v0.1’. It provides terms (classes and properties) to annotate and categorize instances of legally compliant personal data handling according to the EU General Data Protection Regulation. The terms it defines fall into a number of groups:
- Classes of personal data, such as address, family relations, credit rating, hair color, job, religion and much more.
- Purposes of data processing, such as identity verification, personalizing user interfaces, academic research, delivery of goods, product recommendations, etc.
- Categories of data processing, such as acquiring the data, erasing, copying, sharing, anonymising and combining.
- Technical and organisational measures required by the GDPR and other regulations to protect data, including anonymisation, guidelines, contracts, staff training and encryption.
- Properties of consent, such as the consent notice, the expiry time and the method by which consent was obtained.
- Roles, such as Data Subject, Data Controller, Recipient, Third Party and Child (a special kind of Data Subject).
GDPR Legal Basis Vocabulary
The second vocabulary is called ‘DPVCG GDPR Legal Basis Vocabulary’. It defines terms for the legal bases for personal data processing defined in the GDPR, i.e., all the circumstances under which data processing is allowed.
The group identified 17 classes of legal bases in the GDPR, including explicit consent, a legal obligation, the public interest, preventive medicine and the fact that a data subject already made the data public.