Risk and Impact Assessment

concepts in Data Privacy Vocabulary (DPV)

Final Community Group Report

This version:
https://www.w3.org/community/reports/dpvcg/CG-FINAL-dpv-20240128/
Latest published version:
https://w3id.org/dpv/dpv/modules/risk
Latest editor's draft:
https://dev.dpvcg.org/dpv/modules/risk
Editor:
Harshvardhan J. Pandit (ADAPT Centre, Dublin City University)
Feedback:
GitHub w3c/dpv (pull requests, new issue, open issues)
This Release
https://w3id.org/dpv/2.0
Previous Release
https://w3id.org/dpv/1.0
Key Publications
Data Privacy Vocabulary (DPV) -- Version 2 (2024)

Abstract

This document provides additional details and examples for risk and impact assessment concepts used in the Data Privacy Vocabulary [DPV], and is a companion to the [DPV] specification.

Status of This Document

This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Final Specification Agreement (FSA) other conditions apply. Learn more about W3C Community and Business Groups.

Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.

GitHub Issues are preferred for discussion of this specification.

Data Privacy Vocabulary (DPV) Specification: this is the base/core specification for the 'Data Privacy Vocabulary', which is extended for Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH], and [AI]. Specific [LEGAL] extensions are also provided which model jurisdiction-specific regulations and concepts - see the complete list of extensions. To support understanding and applications of [DPV], various guides and resources [GUIDES] are provided, including a [PRIMER]. A Search Index of all concepts from DPV and extensions is available.

[DPV] and related resources are published on GitHub. For a general overview of the Data Protection Vocabularies and Controls Community Group [DPVCG], its history, deliverables, and activities - refer to DPVCG Website. For meetings, see the DPVCG calendar.

The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here. The article Data Privacy Vocabulary (DPV) - Version 2, accepted for presentation at the 23rd International Semantic Web Conference (ISWC 2024), describes the changes made in DPV v2.

2. Introduction

Figure 1

For risk and impact assessment, DPV provides a 'lightweight risk ontology' based on the commonly utilised concepts of Risk, RiskMitigationMeasure, Consequence, and Impact, along with the risk assessment concepts of RiskLevel, Severity, and Likelihood. Through these concepts, information about what risks and impacts exist, as well as their qualitative and quantitative assessment (severity, level), can be sufficiently expressed.

For a more comprehensive representation of risk assessment, mitigation, and management concepts, the [RISK] extension (Risk Assessment and Management concepts for DPV) should be used, which is based on relevant standards such as the ISO/IEC 31000 series. The [RISK] extension also provides taxonomies for these concepts, which permit the representation of information such as different types of consequences and impacts, or concepts representing levels, severities, and likelihoods. It also provides representations of risk matrices, modelling of incidents and their associated statuses, and categories of 'controls' for a clearer application of measures.

3. Risk

Risk within the DPV is concerned with 'probable negative effects', and is indicated by using hasRisk. A risk event is a probable event that may lead to negative consequences and impacts (hence it is a 'risk'). It is important to note that a risk is a hypothetical event, i.e. a probability that something may occur. The concept risk:Incident in the [RISK] extension represents incidents which have occurred, and provides the necessary concepts to connect them to the risks that had previously been assessed, as well as to indicate the further risks associated with an incident.

Likelihood, associated using hasLikelihood, represents the likelihood or probability or chance of something (risk in this case) taking place. The [RISK] extension defines concepts to indicate likelihoods with various scales e.g. as a set of 3 concepts representing high likelihood, moderate likelihood, and low likelihood.

Severity, associated using hasSeverity, represents the severity or 'extremeness' or 'intensity' of something (risk in this case). The [RISK] extension defines concepts to indicate severities with various scales e.g. as a set of 5 concepts representing very high severity, high severity, moderate severity, low severity, and very low severity. SensitivityLevel represents the 'sensitivity' of some context (e.g. personal data) as a measure of how severe risks associated with it are (e.g. to indicate how sensitive the personal data is). It is associated using the relation hasSensitivityLevel.

RiskLevel, associated using hasRiskLevel, represents the combination of severity and likelihood in the form of 'risk level' that provides a cohesive qualitative assessment of risk. The [RISK] extension defines concepts to indicate risk levels with various scales e.g. as a set of 3 concepts representing high risk, moderate risk, and low risk.
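As an added example (not code from the DPV specification or project), the following shows how a risk matrix of the kind described in this section derives a dpv:RiskLevel from a dpv:Likelihood and a dpv:Severity, using the scale sizes mentioned in the text (3 likelihoods, 5 severities, 3 risk levels) and emitting the resulting DPV triples. The local names under the risk: prefix, the risk: namespace IRI, the ex: sample risk and the matrix thresholds are assumptions.

```python
"""Risk matrix for DPV's lightweight risk ontology (added example, assumptions noted)."""
from itertools import product

DPV = "https://w3id.org/dpv#"
RISK = "https://w3id.org/dpv/risk#"   # assumed IRI for the [RISK] extension
EX = "https://example.org/#"          # constructed sample namespace

# Ordinal scales, lowest first. The text states the scale sizes; the exact
# local names used here are assumptions about the [RISK] taxonomy.
LIKELIHOODS = ("LowLikelihood", "ModerateLikelihood", "HighLikelihood")
SEVERITIES = ("VeryLowSeverity", "LowSeverity", "ModerateSeverity",
              "HighSeverity", "VeryHighSeverity")
RISK_LEVELS = ("LowRisk", "ModerateRisk", "HighRisk")


def risk_score(likelihood, severity):
    """Ordinal product: likelihood rank (1..3) times severity rank (1..5)."""
    return (LIKELIHOODS.index(likelihood) + 1) * (SEVERITIES.index(severity) + 1)


def risk_level(likelihood, severity):
    """Map the score onto the 3-level risk scale (thresholds are assumed, not DPV's)."""
    score = risk_score(likelihood, severity)
    if score <= 3:
        return "LowRisk"
    if score <= 8:
        return "ModerateRisk"
    return "HighRisk"


def risk_matrix():
    """The full 3x5 matrix, e.g. to publish alongside an assessment."""
    return {(l, s): risk_level(l, s) for l, s in product(LIKELIHOODS, SEVERITIES)}


def assess(risk_iri, likelihood, severity):
    """Triples attaching likelihood, severity and the derived risk level to a risk."""
    return [
        (risk_iri, DPV + "hasLikelihood", RISK + likelihood),
        (risk_iri, DPV + "hasSeverity", RISK + severity),
        (risk_iri, DPV + "hasRiskLevel", RISK + risk_level(likelihood, severity)),
    ]


def to_turtle(triples):
    """Minimal Turtle serialisation using the three prefixes above."""
    prefixes = {DPV: "dpv", RISK: "risk", EX: "ex"}

    def qname(iri):
        for ns, prefix in prefixes.items():
            if iri.startswith(ns):
                return f"{prefix}:{iri[len(ns):]}"
        return f"<{iri}>"

    lines = [f"@prefix {prefix}: <{ns}> ." for ns, prefix in prefixes.items()]
    lines += [f"{qname(s)} {qname(p)} {qname(o)} ." for s, p, o in triples]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a high-likelihood, moderate-severity risk scores 3*3=9 -> HighRisk.
    print(to_turtle(assess(EX + "DataBreachRisk", "HighLikelihood", "ModerateSeverity")))
```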

4. Risk Mitigation Measure

RiskMitigationMeasure is a measure taken to mitigate the risk. Here the use of the word 'mitigate' follows from its use in legal documents and includes avoiding, reducing, replacing, removing, transforming, sharing, and other operations related to risk treatment. In normative risk-related guides and standards, mitigation is only one operation within risk treatment processes.

Risks can have multiple mitigation measures, which are indicated by using the isMitigatedByMeasure relation. A mitigation measure may address multiple risks, which are indicated by using mitigatesRisk. The [RISK] extension provides a more granular taxonomy of risk mitigation measures, including risk controls which enable expressing aspects of the intended effect of a measure on a risk (or other events) - e.g. to remove the source or to alter the consequence.

Risk remaining after 'mitigation' or 'treatment' is represented by ResidualRisk, which is a subcategory of Risk and uses the same relations to express likelihood, severity, level, and further mitigations. It is associated by using hasResidualRisk and isResidualRiskOf relations.

5. Consequence & Impact

The concepts Consequence and Impact in DPV are provided with a specific modelling of consequences and impacts. The DPV concept for consequence represents the consequence of an event (e.g. risk or incident), and impact is a specific type of consequence which has significance to an entity. DPV distinguishes effects on technical systems (e.g. service disruption) and minor effects on entities (e.g. delayed process), which are consequences, from major effects focused on entities (e.g. harms), which are impacts. Based on this, we recommend using consequences and impacts in the following manner:

  1. Consequence to indicate the immediate effect of an event where it is not significant to an entity - this can be disruption of the system or service, loss of data, or other such events. Most technical events would fall under consequence.
  2. To indicate what the consequence has affected, the relation hasConsequenceOn is provided. The effect of a consequence can be material or non-material, and can be on a system, agent, or legal entity.
  3. Impact to represent consequences which have a significant effect on one or more dpv:Entity. Impacts are associated by using the hasImpact relation, and the impact is always on an entity. The significance of an impact is associated with how it affects the entity, e.g. financial loss, physical or mental harm, or impact on rights.
  4. The entity being affected by the impact is indicated by using hasImpactOn.

The consequences and impacts can reuse the risk assessment properties to describe likelihood and severity. Consequences and impacts can also be chained together, e.g. to describe that a consequence (service disruption) leads to another consequence (wasted time) which leads to an impact (financial loss). Consequences and impacts can be hypothetical (i.e. risks) or actual (i.e. incidents).

Consequences and impacts can be positive (e.g. benefit) or negative (e.g. harm). The relations associating them with entities or systems should be interpreted accordingly. For example, if the impact is a harm - which is negative, then the impacted entity should be understood as being the one that is harmed. If instead the impact is compensation - which is positive, then the impacted entity should be understood as being the one that is compensated.

The [RISK] extension provides a taxonomy of consequences and impacts which covers commonly utilised terms such as harm, data breach, equipment failure, financial loss, and malware attack. It also provides a taxonomy of positive consequences and impacts which are not 'risks', such as benefits, remunerations, and compensation.
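The relations from sections 4 and 5 (risk, mitigation measure, residual risk, and a consequence chain ending in an impact on an entity) as an added, dependency-free example that is not code from the DPV project: it builds the graph as plain triples and checks it against the domain/range statements given in the vocabulary index below. The ex: resources, the risk: namespace IRI and the risk level names are constructed assumptions.

```python
"""Consequence/impact chains and residual risk in DPV, validated against the index (added example)."""
DPV = "https://w3id.org/dpv#"
RISK = "https://w3id.org/dpv/risk#"   # assumed IRI for the [RISK] extension
EX = "https://example.org/#"          # constructed sample data
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

# Subclass axioms taken from the "Broader/Parent types" rows of the vocabulary index.
SUBCLASS = {
    DPV + "ResidualRisk": DPV + "Risk",
    DPV + "Impact": DPV + "Consequence",
    DPV + "SensitivityLevel": DPV + "Severity",
}

# "Domain includes" / "Range includes" rows of the index. Ranges whose objects are
# taxonomy concepts (RiskLevel, Likelihood, Severity) are deliberately not checked here.
DOMAIN = {
    DPV + "hasConsequenceOn": DPV + "Consequence",
    DPV + "hasImpactOn": DPV + "Impact",
    DPV + "hasResidualRisk": DPV + "Risk",
    DPV + "isResidualRiskOf": DPV + "ResidualRisk",
    DPV + "hasRiskLevel": DPV + "Risk",
    DPV + "isMitigatedByMeasure": DPV + "Risk",
    DPV + "mitigatesRisk": DPV + "RiskMitigationMeasure",
}
RANGE = {
    DPV + "hasConsequence": DPV + "Consequence",
    DPV + "hasImpact": DPV + "Impact",
    DPV + "hasResidualRisk": DPV + "ResidualRisk",
    DPV + "isResidualRiskOf": DPV + "Risk",
    DPV + "isMitigatedByMeasure": DPV + "RiskMitigationMeasure",
    DPV + "mitigatesRisk": DPV + "Risk",
    DPV + "hasRisk": DPV + "Risk",
}


def types_of(graph, node):
    """All rdf:type values of node, closed upwards under the SUBCLASS axioms."""
    found = {o for s, p, o in graph if s == node and p == RDF_TYPE}
    pending = list(found)
    while pending:
        parent = SUBCLASS.get(pending.pop())
        if parent and parent not in found:
            found.add(parent)
            pending.append(parent)
    return found


def validate(graph):
    """Messages for triples whose subject or object lacks the type the index requires."""
    problems = []
    for s, p, o in graph:
        if p in DOMAIN and DOMAIN[p] not in types_of(graph, s):
            problems.append(f"{s} is subject of {p} but is not a {DOMAIN[p]}")
        if p in RANGE and RANGE[p] not in types_of(graph, o):
            problems.append(f"{o} is object of {p} but is not a {RANGE[p]}")
    return problems


def sample_graph():
    """Constructed scenario: a service's outage risk, its failover mitigation and
    residual risk, and the chain service disruption -> wasted time -> financial loss."""
    d, ex, r = DPV, EX, RISK
    return [
        (ex + "Service", d + "hasRisk", ex + "OutageRisk"),
        (ex + "OutageRisk", RDF_TYPE, d + "Risk"),
        (ex + "OutageRisk", d + "hasRiskLevel", r + "HighRisk"),
        (ex + "OutageRisk", d + "isMitigatedByMeasure", ex + "Failover"),
        (ex + "Failover", RDF_TYPE, d + "RiskMitigationMeasure"),
        (ex + "Failover", d + "mitigatesRisk", ex + "OutageRisk"),
        (ex + "OutageRisk", d + "hasResidualRisk", ex + "OutageRiskAfterFailover"),
        (ex + "OutageRiskAfterFailover", RDF_TYPE, d + "ResidualRisk"),
        (ex + "OutageRiskAfterFailover", d + "isResidualRiskOf", ex + "OutageRisk"),
        (ex + "OutageRiskAfterFailover", d + "hasRiskLevel", r + "LowRisk"),
        (ex + "OutageRisk", d + "hasConsequence", ex + "ServiceDisruption"),
        (ex + "ServiceDisruption", RDF_TYPE, d + "Consequence"),
        (ex + "ServiceDisruption", d + "hasConsequenceOn", ex + "Service"),
        (ex + "ServiceDisruption", d + "hasConsequence", ex + "WastedTime"),
        (ex + "WastedTime", RDF_TYPE, d + "Consequence"),
        (ex + "WastedTime", d + "hasImpact", ex + "FinancialLoss"),
        (ex + "FinancialLoss", RDF_TYPE, d + "Impact"),
        (ex + "FinancialLoss", d + "hasImpactOn", ex + "Customer"),
        (ex + "Customer", RDF_TYPE, d + "Entity"),
    ]


def impact_chain(graph, start):
    """Follow hasConsequence / hasImpact links from start and return the nodes in order."""
    chain, node = [start], start
    while True:
        nxt = [o for s, p, o in graph
               if s == node and p in (DPV + "hasConsequence", DPV + "hasImpact")]
        if not nxt:
            return chain
        node = nxt[0]
        chain.append(node)


if __name__ == "__main__":
    g = sample_graph()
    print("validation problems:", validate(g))
    print(" -> ".join(n.rsplit("#", 1)[1] for n in impact_chain(g, EX + "OutageRisk")))
```

Using hasImpactOn on a node typed only as dpv:Consequence is reported as a problem, while a dpv:Impact used with hasConsequenceOn passes because Impact is a subclass of Consequence.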

6. Risk and Impact Assessments

To support assessments associated with risks and impacts, DPV provides the following concepts:

  1. RiskAssessment regarding risk assessments.
  2. SecurityAssessment regarding the assessment of security, and CybersecurityAssessment as the assessment of cybersecurity.
  3. ImpactAssessment regarding impact assessments, with PIA representing Privacy Impact Assessments (PIA) and DataTransferImpactAssessment for the assessment of impacts in data transfers.
  4. RightsImpactAssessment as a specific impact assessment that involves assessing impact on rights, with DPIA representing Data Protection Impact Assessment (DPIA) and FRIA representing Fundamental Rights Impact Assessment (FRIA).
  5. DataBreachImpactAssessment represents the assessment of data breaches and is defined as a rights impact assessment, as at least privacy (for personal data) or commercial rights (for non-personal data) will need to be assessed in a data breach.

The relations hasRiskAssessment and hasImpactAssessment enable associating a risk or impact assessment with a process, service, or other context. There can be multiple assessments associated with the same context, e.g. covering different topics or representing assessments at different stages or temporal periods. Assessments can indicate their 'subjects' and other metadata by using a relevant vocabulary such as DCMI Metadata Terms (DCT). Assessments can also record the dates associated with their use to audit a system or process, and the relevant status to record the outcome of that process, e.g. to indicate approval.

Note: Risk and Impact assessments required by laws

7. Vocabulary Index

7.1 Classes

7.1.1 Consequence

Term Consequence Prefix dpv
Label Consequence
IRI https://w3id.org/dpv#Consequence
Type rdfs:Class, skos:Concept
Subject of relation dpv:hasConsequenceOn
Object of relation dpv:hasConsequence
Definition The consequence(s) possible or arising from specified context
Examples dex:E0027 :: Indicating risks, consequences, and impacts
dex:E0068 :: Using DPV and RISK extension to represent risks
dex:E0071 :: Using risk controls to express how tech/org measures address the risk
Date Created 2022-01-26
Contributors Harshvardhan J. Pandit
See More: section RISK in DEX

7.1.2 Consequence as Side-Effect

Term ConsequenceAsSideEffect Prefix dpv
Label Consequence as Side-Effect
IRI https://w3id.org/dpv#ConsequenceAsSideEffect
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Consequence
Object of relation dpv:hasConsequence
Definition The consequence(s) possible or arising as a side-effect of specified context
Date Created 2022-03-30
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.1.3 Consequence of Failure

Term ConsequenceOfFailure Prefix dpv
Label Consequence of Failure
IRI https://w3id.org/dpv#ConsequenceOfFailure
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Consequence
Object of relation dpv:hasConsequence
Definition The consequence(s) possible or arising from failure of specified context
Date Created 2022-03-23
Contributors Harshvardhan J. Pandit, Georg P. Krog
See More: section RISK in DPV

7.1.4 Consequence of Success

Term ConsequenceOfSuccess Prefix dpv
Label Consequence of Success
IRI https://w3id.org/dpv#ConsequenceOfSuccess
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Consequence
Object of relation dpv:hasConsequence
Definition The consequence(s) possible or arising from success of specified context
Date Created 2022-03-23
Contributors Harshvardhan J. Pandit, Georg P. Krog
See More: section RISK in DPV

7.1.5 Cybersecurity Assessment

Term CybersecurityAssessment Prefix dpv
Label Cybersecurity Assessment
IRI https://w3id.org/dpv#CybersecurityAssessment
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:SecurityAssessment, dpv:RiskAssessment, dpv:Assessment, dpv:OrganisationalMeasure, dpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasAssessment, dpv:hasOrganisationalMeasure, dpv:hasRiskAssessment, dpv:hasTechnicalOrganisationalMeasure
Definition Assessment of cybersecurity capabilities in terms of vulnerabilities and effectiveness of controls
Source ENISA 5G Cybersecurity Standards
Date Created 2022-08-17
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.1.6 Data Breach Impact Assessment (DBIA)

Term DataBreachImpactAssessment Prefix dpv
Label Data Breach Impact Assessment (DBIA)
IRI https://w3id.org/dpv#DataBreachImpactAssessment
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:RightsImpactAssessment, dpv:ImpactAssessment, dpv:RiskAssessment, dpv:Assessment, dpv:OrganisationalMeasure, dpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasAssessment, dpv:hasImpactAssessment, dpv:hasOrganisationalMeasure, dpv:hasRiskAssessment, dpv:hasTechnicalOrganisationalMeasure
Definition Impact Assessment concerning the consequences and impacts of a data breach
Usage Note Data Breach assessments can require additional non-security related assessments such as GDPR Art.34 Rights Impact Assessment
Date Created 2024-04-15
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.1.7 Data Transfer Impact Assessment

Term DataTransferImpactAssessment Prefix dpv
Label Data Transfer Impact Assessment
IRI https://w3id.org/dpv#DataTransferImpactAssessment
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:ImpactAssessment, dpv:RiskAssessment, dpv:Assessment, dpv:OrganisationalMeasure, dpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasAssessment, dpv:hasImpactAssessment, dpv:hasOrganisationalMeasure, dpv:hasRiskAssessment, dpv:hasTechnicalOrganisationalMeasure
Definition Impact Assessment for conducting data transfers
Date Created 2021-09-08
Contributors Georg P. Krog, Harshvardhan J. Pandit, Paul Ryan
See More: section RISK in DPV

7.1.8 Data Protection Impact Assessment (DPIA)

Term DPIA Prefix dpv
Label Data Protection Impact Assessment (DPIA)
IRI https://w3id.org/dpv#DPIA
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:RightsImpactAssessment, dpv:ImpactAssessment, dpv:RiskAssessment, dpv:Assessment, dpv:OrganisationalMeasure, dpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasAssessment, dpv:hasImpactAssessment, dpv:hasOrganisationalMeasure, dpv:hasRiskAssessment, dpv:hasTechnicalOrganisationalMeasure
Definition Impact assessment determining the potential and actual impact of processing activities on individuals or groups of individuals and taking into account the impacts of activities on their rights and freedoms
Usage Note Specific requirements and procedures for DPIA are defined in GDPR Art.35
Examples dex:E0056 :: Specifying the audit status associated with a DPIA
Source
Date Created 2020-11-04
Date Modified 2024-04-14
Contributors Georg P. Krog, Harshvardhan J. Pandit, Paul Ryan
See More: section RISK in DEX

7.1.9 Fundamental Rights Impact Assessment (FRIA)

Term FRIA Prefix dpv
Label Fundamental Rights Impact Assessment (FRIA)
IRI https://w3id.org/dpv#FRIA
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:RightsImpactAssessment, dpv:ImpactAssessment, dpv:RiskAssessment, dpv:Assessment, dpv:OrganisationalMeasure, dpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasAssessment, dpv:hasImpactAssessment, dpv:hasOrganisationalMeasure, dpv:hasRiskAssessment, dpv:hasTechnicalOrganisationalMeasure
Definition Impact assessment which assesses the potential and actual impact on fundamental rights occurring due to processing activities
Usage Note The fundamental rights and freedoms may be those defined in law or other norms, and may be bound to a jurisdiction - for example see EU Charter of Fundamental Rights
Source
Date Created 2024-04-14
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.1.10 Impact

Term Impact Prefix dpv
Label Impact
IRI https://w3id.org/dpv#Impact
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Consequence
Subject of relation dpv:hasImpactOn
Object of relation dpv:hasConsequence, dpv:hasImpact
Definition The impact(s) possible or arising as a consequence from specified context
Usage Note Impact is a stronger notion of consequence in terms of influence, change, or effect on something e.g. for impact assessments
Examples dex:E0027 :: Indicating risks, consequences, and impacts
dex:E0068 :: Using DPV and RISK extension to represent risks
dex:E0069 :: Using DPV and RISK extension to represent incidents
Date Created 2022-03-23
Contributors Harshvardhan J. Pandit, Julian Flake, Georg P. Krog, Fajar Ekaputra, Beatriz Esteves
See More: section RISK in DEX

7.1.11 Impact Assessment

Term ImpactAssessment Prefix dpv
Label Impact Assessment
IRI https://w3id.org/dpv#ImpactAssessment
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:RiskAssessment, dpv:Assessment, dpv:OrganisationalMeasure, dpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasAssessment, dpv:hasImpactAssessment, dpv:hasOrganisationalMeasure, dpv:hasRiskAssessment, dpv:hasTechnicalOrganisationalMeasure
Definition Calculating or determining the likelihood of impact of an existing or proposed process, which can involve risks or detriments.
Date Created 2020-11-04
Contributors Georg P. Krog, Harshvardhan J. Pandit, Paul Ryan
See More: section RISK in DPV

7.1.12 Likelihood

Term Likelihood Prefix dpv
Label Likelihood
IRI https://w3id.org/dpv#Likelihood
Type rdfs:Class, skos:Concept
Object of relation dpv:hasLikelihood
Definition The likelihood or probability or chance of something taking place or occurring
Usage Note Likelihood can be expressed in a subjective manner, such as 'Unlikely', or in a quantitative manner such as "Twice in a Day" (frequency per period). The suggestion is to use quantitative values, or to associate them with subjective terms used so as to enable accurate interpretations and interoperability. See the concepts related to Frequency and Duration for possible uses as a combination to express Likelihood.
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
Date Created 2022-07-22
Contributors Harshvardhan J. Pandit
See More: section RISK in DEX

7.1.13 Privacy Impact Assessment (PIA)

Term PIA Prefix dpv
Label Privacy Impact Assessment (PIA)
IRI https://w3id.org/dpv#PIA
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:ImpactAssessment, dpv:RiskAssessment, dpv:Assessment, dpv:OrganisationalMeasure, dpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasAssessment, dpv:hasImpactAssessment, dpv:hasOrganisationalMeasure, dpv:hasRiskAssessment, dpv:hasTechnicalOrganisationalMeasure
Definition Impact assessment regarding privacy risks
Date Created 2020-11-04
Contributors Georg P. Krog, Harshvardhan J. Pandit, Paul Ryan
See More: section RISK in DPV

7.1.14 Residual Risk

Term ResidualRisk Prefix dpv
Label Residual Risk
IRI https://w3id.org/dpv#ResidualRisk
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Risk
Subject of relation dpv:isResidualRiskOf
Object of relation dpv:hasResidualRisk, dpv:hasRisk, dpv:isResidualRiskOf, dpv:mitigatesRisk
Definition Risk remaining after treatment or mitigation
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
Date Created 2024-06-16
Contributors Harshvardhan J. Pandit
See More: section RISK in DEX

7.1.15 Rights Impact Assessment

Term RightsImpactAssessment Prefix dpv
Label Rights Impact Assessment
IRI https://w3id.org/dpv#RightsImpactAssessment
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:ImpactAssessment, dpv:RiskAssessment, dpv:Assessment, dpv:OrganisationalMeasure, dpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasAssessment, dpv:hasImpactAssessment, dpv:hasOrganisationalMeasure, dpv:hasRiskAssessment, dpv:hasTechnicalOrganisationalMeasure
Definition Impact assessment which involves determining the impact on rights and freedoms
Usage Note The rights and freedoms may be those defined in law or other norms, and may be bound to a jurisdiction
Date Created 2024-04-14
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.1.16 Risk

Term Risk Prefix dpv
Label Risk
IRI https://w3id.org/dpv#Risk
Type rdfs:Class, skos:Concept
Subject of relation dpv:hasResidualRisk, dpv:hasRiskLevel, dpv:isMitigatedByMeasure
Object of relation dpv:hasRisk, dpv:isResidualRiskOf, dpv:mitigatesRisk
Definition A risk or possibility or uncertainty of negative effects, impacts, or consequences
Usage Note Risks can be associated with one or more different concepts such as purpose, processing, personal data, technical or organisational measure
Examples dex:E0027 :: Indicating risks, consequences, and impacts
dex:E0068 :: Using DPV and RISK extension to represent risks
dex:E0071 :: Using risk controls to express how tech/org measures address the risk
Date Created 2020-11-18
Contributors Harshvardhan J. Pandit
See More: section RISK in DEX

7.1.17 Risk Assessment

Term RiskAssessment Prefix dpv
Label Risk Assessment
IRI https://w3id.org/dpv#RiskAssessment
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:Assessment, dpv:OrganisationalMeasure, dpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasAssessment, dpv:hasOrganisationalMeasure, dpv:hasRiskAssessment, dpv:hasTechnicalOrganisationalMeasure
Definition Assessment involving identification, analysis, and evaluation of risk
Date Created 2024-04-14
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.1.18 Risk Level

Term RiskLevel Prefix dpv
Label Risk Level
IRI https://w3id.org/dpv#RiskLevel
Type rdfs:Class, skos:Concept
Object of relation dpv:hasRiskLevel
Definition The magnitude of a risk expressed as an indication to aid in its management
Usage Note Risk Levels can be defined as a combination of different characteristics. For example, ISO 31073:2022 defines it as a combination of consequences and their likelihood. Another example would be the Risk Matrix where Risk Level is defined as a combination of Likelihood and Severity associated with the Risk.
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
dex:E0071 :: Using risk controls to express how tech/org measures address the risk
Date Created 2022-07-20
Contributors Harshvardhan J. Pandit
See More: section RISK in DEX

7.1.19 Risk Mitigation Measure

Term RiskMitigationMeasure Prefix dpv
Label Risk Mitigation Measure
IRI https://w3id.org/dpv#RiskMitigationMeasure
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:TechnicalOrganisationalMeasure
Subject of relation dpv:mitigatesRisk
Object of relation dpv:hasTechnicalOrganisationalMeasure, dpv:isMitigatedByMeasure
Definition Measures intended to mitigate, minimise, or prevent risk.
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
Date Created 2020-11-04
Contributors Georg P. Krog, Harshvardhan J. Pandit, Paul Ryan
See More: section RISK in DEX

7.1.20 Security Assessment

Term SecurityAssessment Prefix dpv
Label Security Assessment
IRI https://w3id.org/dpv#SecurityAssessment
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:RiskAssessment, dpv:Assessment, dpv:OrganisationalMeasure, dpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasAssessment, dpv:hasOrganisationalMeasure, dpv:hasRiskAssessment, dpv:hasTechnicalOrganisationalMeasure
Definition Assessment of security intended to identify gaps, vulnerabilities, risks, and effectiveness of controls
Source ENISA 5G Cybersecurity Standards
Date Created 2022-08-17
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.1.21 Sensitivity Level

Term SensitivityLevel Prefix dpv
Label Sensitivity Level
IRI https://w3id.org/dpv#SensitivityLevel
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Severity
Object of relation dpv:hasSensitivityLevel, dpv:hasSeverity
Definition 'Sensitivity' reflects the risk of impact if not secured or utilised with appropriate measures and controls, e.g. for sensitive data
Usage Note ISO/IEC TS 38505-3:2021 defines 'data sensitivity' as the potential harm of unauthorised disclosure. DPV's use of the concept goes beyond disclosure as it refers to the level of safeguards or controls the data requires as a reflection of its 'sensitive' nature. To indicate quantified levels of sensitivity, e.g. "high sensitivity", instances of severity can be directly used or specialised
Date Created 2023-08-24
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.1.22 Severity

Term Severity Prefix dpv
Label Severity
IRI https://w3id.org/dpv#Severity
Type rdfs:Class, skos:Concept
Object of relation dpv:hasSeverity
Definition The magnitude of being unwanted or having negative effects such as harmful impacts
Usage Note Severity can be associated with Risk, or its Consequences and Impacts
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
Date Created 2022-07-21
Contributors Harshvardhan J. Pandit
See More: section RISK in DEX

7.2 Properties

7.2.1 has consequence

Term hasConsequence Prefix dpv
Label has consequence
IRI https://w3id.org/dpv#hasConsequence
Type rdf:Property, skos:Concept
Range includes dpv:Consequence
Definition Indicates consequence(s) possible or arising from specified concept
Usage Note Removed plural suffix for consistency
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
dex:E0071 :: Using risk controls to express how tech/org measures address the risk
Date Created 2020-11-04
Date Modified 2021-09-21
Contributors Harshvardhan J. Pandit, Julian Flake, Georg P. Krog, Fajar Ekaputra, Beatriz Esteves
See More: section RISK in DEX

7.2.2 has consequence on

Term hasConsequenceOn Prefix dpv
Label has consequence on
IRI https://w3id.org/dpv#hasConsequenceOn
Type rdf:Property, skos:Concept
Domain includes dpv:Consequence
Definition Indicates the thing (e.g. plan, process, or entity) affected by a consequence
Date Created 2022-11-24
Contributors Harshvardhan J. Pandit, Georg P. Krog
See More: section RISK in DPV

7.2.3 has impact

Term hasImpact Prefix dpv
Label has impact
IRI https://w3id.org/dpv#hasImpact
Type rdf:Property, skos:Concept
Broader/Parent types dpv:hasConsequence
Sub-property of dpv:hasConsequence
Range includes dpv:Impact
Definition Indicates impact(s) possible or arising as consequences from specified concept
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
dex:E0069 :: Using DPV and RISK extension to represent incidents
Date Created 2022-05-18
Contributors Harshvardhan J. Pandit, Julian Flake, Georg P. Krog, Fajar Ekaputra, Beatriz Esteves
See More: section RISK in DEX

7.2.4 has impact assessment

Term hasImpactAssessment Prefix dpv
Label has impact assessment
IRI https://w3id.org/dpv#hasImpactAssessment
Type rdf:Property, skos:Concept
Broader/Parent types dpv:hasAssessment, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Sub-property of dpv:hasAssessment
Range includes dpv:ImpactAssessment
Definition Indicates an impact assessment associated with the specific context
Date Created 2024-04-14
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.2.5 has impact on

Term hasImpactOn Prefix dpv
Label has impact on
IRI https://w3id.org/dpv#hasImpactOn
Type rdf:Property, skos:Concept
Broader/Parent types dpv:hasConsequenceOn
Sub-property of dpv:hasConsequenceOn
Domain includes dpv:Impact
Definition Indicates the thing (e.g. plan, process, or entity) affected by an impact
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
Date Created 2022-05-18
Contributors Harshvardhan J. Pandit, Julian Flake, Georg P. Krog, Fajar Ekaputra, Beatriz Esteves
See More: section RISK in DEX

7.2.6 has likelihood

Term hasLikelihood Prefix dpv
Label has likelihood
IRI https://w3id.org/dpv#hasLikelihood
Type rdf:Property, skos:Concept
Range includes dpv:Likelihood
Definition Indicates the likelihood associated with a concept
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
Date Created 2022-07-20
Contributors Harshvardhan J. Pandit, Georg P. Krog, Paul Ryan, Julian Flake
See More: section RISK in DEX

7.2.7 has residual risk

Term hasResidualRisk Prefix dpv
Label has residual risk
IRI https://w3id.org/dpv#hasResidualRisk
Type rdf:Property, skos:Concept
Domain includes dpv:Risk
Range includes dpv:ResidualRisk
Definition Indicates the associated risk is the remaining or residual risk from applying mitigation measures or treatments to this risk
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
Date Created 2022-07-20
Contributors Harshvardhan J. Pandit, Georg P. Krog, Paul Ryan, Julian Flake
See More: section RISK in DEX

7.2.8 has risk

Term hasRisk Prefix dpv
Label has risk
IRI https://w3id.org/dpv#hasRisk
Type rdf:Property, skos:Concept
Range includes dpv:Risk
Definition Indicates applicability of Risk for this concept
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
Date Created 2020-11-18
Contributors Harshvardhan J. Pandit
See More: section RISK in DEX

7.2.9 has risk assessment

Term hasRiskAssessment Prefix dpv
Label has risk assessment
IRI https://w3id.org/dpv#hasRiskAssessment
Type rdf:Property, skos:Concept
Broader/Parent types dpv:hasAssessment, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Sub-property of dpv:hasAssessment
Range includes dpv:RiskAssessment
Definition Indicates an associated risk assessment
Date Created 2024-04-14
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.2.10 has risk level

Term hasRiskLevel Prefix dpv
Label has risk level
IRI https://w3id.org/dpv#hasRiskLevel
Type rdf:Property, skos:Concept
Domain includes dpv:Risk
Range includes dpv:RiskLevel
Definition Indicates the risk level associated with a risk
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
dex:E0071 :: Using risk controls to express how tech/org measures address the risk
Date Created 2022-07-20
Contributors Harshvardhan J. Pandit, Georg P. Krog, Paul Ryan, Julian Flake
See More: section RISK in DEX

7.2.11 has sensitivity level

Term hasSensitivityLevel Prefix dpv
Label has sensitivity level
IRI https://w3id.org/dpv#hasSensitivityLevel
Type rdf:Property, skos:Concept
Range includes dpv:SensitivityLevel
Definition Indicates the associated level of sensitivity
Date Created 2023-08-24
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV

7.2.12 has severity

Term hasSeverity Prefix dpv
Label has severity
IRI https://w3id.org/dpv#hasSeverity
Type rdf:Property, skos:Concept
Range includes dpv:Severity
Definition Indicates the severity associated with a concept
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
Date Created 2022-07-20
Contributors Harshvardhan J. Pandit, Georg P. Krog, Paul Ryan, Julian Flake
See More: section RISK in DEX

7.2.13 is mitigated by measure

Term isMitigatedByMeasure Prefix dpv
Label is mitigated by measure
IRI https://w3id.org/dpv#isMitigatedByMeasure
Type rdf:Property, skos:Concept
Broader/Parent types dpv:hasTechnicalOrganisationalMeasure
Sub-property of dpv:hasTechnicalOrganisationalMeasure
Domain includes dpv:Risk
Range includes dpv:RiskMitigationMeasure
Definition Indicates that a risk is mitigated by the specified measure
Examples dex:E0068 :: Using DPV and RISK extension to represent risks
Date Created 2022-02-09
Contributors Harshvardhan J. Pandit
See More: section RISK in DEX

7.2.14 is residual risk of

Term isResidualRiskOf Prefix dpv
Label is residual risk of
IRI https://w3id.org/dpv#isResidualRiskOf
Type rdf:Property, skos:Concept
Domain includes dpv:ResidualRisk
Range includes dpv:Risk
Definition Indicates this risk is the remaining or residual risk from applying mitigation measures or treatments to specified risk
Date Created 2022-07-20
Contributors Harshvardhan J. Pandit, Georg P. Krog, Paul Ryan, Julian Flake
See More: section RISK in DPV

7.2.15 mitigates risk

Term mitigatesRisk Prefix dpv
Label mitigates risk
IRI https://w3id.org/dpv#mitigatesRisk
Type rdf:Property, skos:Concept
Domain includes dpv:RiskMitigationMeasure
Range includes dpv:Risk
Definition Indicates risks mitigated by this concept
Date Created 2020-11-04
Contributors Harshvardhan J. Pandit
See More: section RISK in DPV
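The property entries in 7.2.8 to 7.2.15 each state which classes may appear as subject ("Domain includes") and object ("Range includes"). The following added example, which is not part of the DPV specification or its tooling, applies those stated constraints to a constructed risk record so that a misplaced property (here, a risk level attached to a measure rather than a risk) is reported; the ex: IRIs are hypothetical.

```python
# Added example, not from the DPV specification: checks the "Domain includes" /
# "Range includes" statements of the property entries above on a record.
DPV = "https://w3id.org/dpv#"
EX = "https://example.org/"  # hypothetical namespace for the constructed record

# (domain, range) per property as listed on the page; None = not constrained there
CONSTRAINTS = {
    DPV + "hasRisk": (None, DPV + "Risk"),
    DPV + "hasRiskAssessment": (None, DPV + "RiskAssessment"),
    DPV + "hasRiskLevel": (DPV + "Risk", DPV + "RiskLevel"),
    DPV + "hasSensitivityLevel": (None, DPV + "SensitivityLevel"),
    DPV + "hasSeverity": (None, DPV + "Severity"),
    DPV + "isMitigatedByMeasure": (DPV + "Risk", DPV + "RiskMitigationMeasure"),
    DPV + "isResidualRiskOf": (DPV + "ResidualRisk", DPV + "Risk"),
    DPV + "mitigatesRisk": (DPV + "RiskMitigationMeasure", DPV + "Risk"),
}


def check_domain_range(triples, types):
    """Return violations for (s, p, o) triples; `types` maps an IRI to its declared classes."""
    problems = []
    for s, p, o in triples:
        if p not in CONSTRAINTS:
            continue  # property not covered by the entries above
        domain, rng = CONSTRAINTS[p]
        if domain and domain not in types.get(s, set()):
            problems.append(f"subject {s} of {p} is not declared a {domain}")
        if rng and rng not in types.get(o, set()):
            problems.append(f"object {o} of {p} is not declared a {rng}")
    return problems


# Constructed record: one risk with its level and severity, one mitigating
# measure, and the residual risk that remains after applying that measure.
TYPES = {
    EX + "risk1": {DPV + "Risk"},
    EX + "high": {DPV + "RiskLevel"},
    EX + "major": {DPV + "Severity"},
    EX + "encrypt": {DPV + "RiskMitigationMeasure"},
    EX + "residual1": {DPV + "ResidualRisk"},
}
VALID = [
    (EX + "process", DPV + "hasRisk", EX + "risk1"),
    (EX + "risk1", DPV + "hasRiskLevel", EX + "high"),
    (EX + "risk1", DPV + "hasSeverity", EX + "major"),
    (EX + "risk1", DPV + "isMitigatedByMeasure", EX + "encrypt"),
    (EX + "encrypt", DPV + "mitigatesRisk", EX + "risk1"),
    (EX + "residual1", DPV + "isResidualRiskOf", EX + "risk1"),
]
# Level attached to the measure instead of the risk: violates hasRiskLevel's domain.
INVALID = VALID[:1] + [(EX + "encrypt", DPV + "hasRiskLevel", EX + "high")]
```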

7.3 External

DPV uses the following terms from [RDF] and [RDFS] with their defined meanings:

The following external concepts are re-used within DPV:

8. Contributors

The following people have contributed to this vocabulary. The names are ordered alphabetically. The affiliations are informative and do not represent formal endorsements. Affiliations may be outdated. The list is generated automatically from the contributors listed for defined concepts.

Funding Acknowledgements

Funding Sponsors

The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.

Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.

The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).

Funding Acknowledgements for Contributors

The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.

A. References

A.1 Informative references

[AI]
AI Technology concepts for DPV. URL: https://w3id.org/dpv/ai
[AIAct]
Artificial Intelligence Act (AI Act). URL: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0138_EN.html
[DCT]
DCMI Metadata Terms (DCT). URL: https://www.dublincore.org/specifications/dublin-core/dcmi-terms/
[DPV]
Data Privacy Vocabulary (DPV) Specification. URL: https://w3id.org/dpv
[DPVCG]
W3C Data Privacy Vocabularies and Controls Community Group (DPVCG). URL: https://www.w3.org/community/dpvcg/
[EU-AIAct]
EU AI Act concepts for DPV. URL: https://w3id.org/dpv/legal/eu/aiact
[EU-GDPR]
EU GDPR concepts for DPV. URL: https://w3id.org/dpv/legal/eu/gdpr
[EU-NIS2]
EU NIS2 concepts for DPV. URL: https://w3id.org/dpv/legal/eu/nis2
[GUIDES]
Guides for DPV. URL: https://w3id.org/dpv/guides
[LEGAL]
Legal Jurisdiction-relevant concepts for DPV. URL: https://w3id.org/dpv/legal
[LOC]
Location and Geo-Political Membership concepts for DPV. URL: https://w3id.org/dpv/loc
[NIS2]
Network Information Security Directive (NIS2). URL: http://data.europa.eu/eli/dir/2022/2555/2022-12-27
[PD]
Personal Data categories for DPV. URL: https://w3id.org/dpv/pd
[PRIMER]
Primer for Data Privacy Vocabulary. URL: https://w3id.org/dpv/primer
[RDF]
RDF 1.1 Concepts and Abstract Syntax. URL: https://www.w3.org/TR/rdf11-concepts/
[RDFS]
RDF Schema 1.1. URL: https://www.w3.org/TR/rdf-schema/
[RISK]
Risk Assessment and Management concepts for DPV. URL: https://w3id.org/dpv/risk
[TECH]
Technology concepts for DPV. URL: https://w3id.org/dpv/tech