DPV future

From Data Privacy Vocabularies and Controls Community Group

This document records notes on possible or potential updates, contributions, and changes to the DPV (or other aligned vocabularies and extensions). It is useful as a guide for continued development of vocabularies within DPVCG, and for identifying areas of interest for potential contributors. This document can be freely edited by members of the DPVCG.

Consider this document as listing the requirements for DPV v1, a complete and stable version.

To add an idea or action to the list, you can:

  • send an email to the mailing list at public-dpvcg@w3.org
  • contact the chairs
  • edit the document directly if you are a member of DPVCG

Common Use concepts

The term 'common use' here refers to what is analogous to 'common sense' in everyday English, i.e. things that are generic and widely known or commonly found. Examples are concepts such as 'privacy policy', 'terms and conditions', 'notice', 'app(lication)' as in smartphones, 'service', and so on. Are these concepts already defined within DPV, and if so, how should the difference in labels be indicated? If they are not represented in DPV, should they be included, and if so, under which taxonomy?

Use of ISO/IEC and other common standards

DPV has tech/org measures, but no notion of how they are implemented in practice. Alongside the technologies used (a separate topic), real-world practice also uses ISO/IEC standards to indicate the use of some tech/org measure. An exercise demonstrating how this should be used with DPV needs to be provided. For example, using ISO/IEC XYZ standard is relevant to ABC tech/org measures. These concepts would go in a separate extension (so it can grow on its own, and because it is not directly part of the main DPV).

Update: There has been agreement on providing this data. We welcome volunteers and contributions to add various standards to DPV. See https://lists.w3.org/Archives/Public/public-dpvcg/2022Jul/0004.html for the proposal and https://harshp.com/dev/dpv/standards-iso for details on how to extract data.
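As an added illustration of the kind of link this extension would make (not part of this page or of the DPV specification), the Turtle below ties one technical measure of a processing activity to the standard it is implemented against. The dpv: terms used (dpv:PersonalDataHandling, dpv:hasPurpose, dpv:ServiceProvision, dpv:hasTechnicalOrganisationalMeasure, dpv:Encryption, dpv:AccessControlMethod) are DPV v1 terms; dcterms:conformsTo and dcterms:Standard are Dublin Core terms chosen here to express the link, and the ex: IRIs, including the placeholder for the ISO/IEC 27001 standard itself, are constructed for the example and stand in for whatever the standards extension eventually mints.

```turtle
@prefix dpv:     <https://w3id.org/dpv#> .
@prefix dcterms: <http://purl.org/dc/terms/> .
@prefix ex:      <https://example.com/ns#> .

# Constructed example: one processing activity with two technical measures.
ex:customer-db-processing a dpv:PersonalDataHandling ;
    dpv:hasPurpose dpv:ServiceProvision ;
    dpv:hasTechnicalOrganisationalMeasure ex:db-encryption , ex:db-access-control .

# A measure whose implementation is declared against a named standard.
# dcterms:conformsTo is an assumption for this example; the extension may
# define its own property for this relation.
ex:db-encryption a dpv:Encryption ;
    dcterms:conformsTo ex:ISO-IEC-27001 .

# A measure with no standard reference at all. A reviewer checking the
# record should be able to list such measures (see the query note below).
ex:db-access-control a dpv:AccessControlMethod .

# Placeholder IRI for the standard; a real extension would mint its own
# identifier and carry edition/year information.
ex:ISO-IEC-27001 a dcterms:Standard ;
    dcterms:title "ISO/IEC 27001" .
```

The practical check this enables is finding measures that claim nothing: a SPARQL query of the form SELECT ?m WHERE { ?x dpv:hasTechnicalOrganisationalMeasure ?m . FILTER NOT EXISTS { ?m dcterms:conformsTo ?s } } returns ex:db-access-control for the data above, which is exactly the list an auditor would want before accepting a ROPA entry. Note that the query matches on the hasTechnicalOrganisationalMeasure link rather than on the dpv:TechnicalMeasure class, so it works without subclass inference.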

Data Breach

Similar to a ROPA (Record of Processing Activities) and a DPIA (Data Protection Impact Assessment), documenting a Data Breach is an important process. DPV should therefore provide concepts relevant to Data Breaches (e.g. record, notification) as an extension.

Privacy Notices

Currently, DPV mentions Privacy Notice as an organisational measure. Similar to a ROPA, it is a vital part of transparency and compliance documentation. Therefore, DPV should i) ensure all relevant concepts are present in DPV; ii) demonstrate how privacy notices can be represented in or generated from DPV.

Use-cases and Examples

A list of use-cases and examples that showcase how DPV can be used for them is essential for understanding where the gaps and weaknesses in DPV are situated. It is also essential for adopters wanting to use DPV. Given the large problem-space, there can be any number of abstract or specific use-cases. Therefore it is important to ensure there is a list of 'core' use-cases that DPV is 'developed with', which is then extended to meet other use-cases as they arise. Recording this should be made a priority.

Examples would include all forms of 'supported' serialisations, and cases where we see different 'styles' of representing the same information. This could also be where external vocabularies are used, for example using PROV-O for provenance concepts, or ODRL for policies.

Update: There is a dedicated space for use-cases at https://w3id.org/dpv/use-cases and for examples at https://w3id.org/dpv/examples. We welcome volunteers and contributions for these.