This document lists the various guides created by the DPVCG and the community providing guidance for the adoption and use of DPV in terms of its concepts and serialisations, or regarding the application of DPV for specific applications or domains.

The DPVCG invites contributions regarding additional guides as well as updates to existing guides.

The DPVCG is currently updating the specifications to v2. This document is a draft and may change as part of this process.

Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing page for further information.

DPV and Related Resources

[[[DPV]]] is the base/core specification for the 'Data Privacy Vocabulary', which is extended for Personal Data [[PD]], Locations [[LOC]], Risk Management [[RISK]], Technology [[TECH]], and [[AI]]. Specific [[LEGAL]] extensions are also provided which model jurisdiction-specific regulations and concepts. To support understanding and applications of [[DPV]], various guides and resources [[GUIDES]] are provided, including a [[PRIMER]].

[[DPV]] and related resources are published on GitHub. For a general overview of the Data Protection Vocabularies and Controls Community Group [[DPVCG]], its history, deliverables, and activities - refer to DPVCG Website. For meetings, see the DPVCG calendar.

The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here. The article preprint Data Privacy Vocabulary (DPV) - Version 2 describes the changes made in DPV v2.

Primer introducing DPV

The Data Privacy Vocabulary [[DPV]] enables expressing machine-readable metadata about the use and processing of personal data based on legislative requirements such as the General Data Protection Regulation [[GDPR]]. The [[[PRIMER]]] [[PRIMER]] introduces the fundamental structuring and use of concepts in DPV. It is intended to be a starting point for those wishing to use the DPV and an orientation for people from all disciplines. [[PRIMER-concise]] is a shorter version (2 pages) of the primer intended for a quick introduction.

Guides for using DPV concepts

Using DPV with RDFS and SKOS

The [[[GUIDE-SKOS]]] [[GUIDE-SKOS]] provides guidance for the use of DPV as an RDFS ontology and a SKOS Taxonomy - which is its default serialisation. This guide is intended for applications where DPV is being used as a 'knowledge graph' along with some lightweight reasoning and validation processes. This guide is not suitable for applications which require the full expressivity or power of OWL2 based modelling and semantic reasoning - for which the OWL2 guide should be referred to.

Using DPV with OWL2

The [[[GUIDE-OWL2]]] [[GUIDE-OWL2]] provides guidance for the use of DPV as an OWL2 ontology, and explains how DPV can be easily encoded in a low-complexity profile of OWL2 called OWL2-PL to perform efficient semantic reasoning.

Using DPV with JSON, CSV, etc.

The [[[GUIDE-MISCFORMAT]]] [[GUIDE-MISCFORMAT]] is a guide that will provide guidance for the use of DPV for use-cases that do not involve semantic web standards (e.g. RDF or OWL). It will explain how DPV can be utilised in a commonly utilised machine-readable form such as CSV or JSON.

Using DPV with ODRL

The [[[GUIDE-ODRL]]] [[GUIDE-ODRL]] is a guide that will provide guidance for the use of DPV concepts with [[[ODRL-MODEL]]] and [[[ODRL-VOCAB]]]. ODRL is a W3C standard for machine-readable representations of policies and agreements. The aim of the guide will be to demonstrate the compatibility and alignment of DPV concepts with those from ODRL, and to guide adopters in using DPV concepts within ODRL and vice-versa. This will enable using DPV to represent policies and agreements as defined by the ODRL standard.

For those interested in this, please refer to publications authored by DPVCG members which have explored this work:

  1. ODRL Profile for Expressing Consent through Granular Access Control Policies in Solid - 2021 article by Beatriz Esteves, Harshvardhan J. Pandit, and Victor Rodriguez Doncel; and
  2. Using the ODRL Profile for Access Control for Solid Pod Resource Governance - 2022 article by Beatriz Esteves, Victor Rodriguez Doncel, Harshvardhan J. Pandit, Nicolas Mondada, and Pat McBennett; and
  3. Semantics for Implementing Data Reuse and Altruism under EU's Data Governance Act - 2023 article by Beatriz Esteves, Victor Rodriguez Doncel, Harshvardhan J. Pandit, and Dave Lewis; and
  4. Using Patterns to Manage Governance of Solid Apps - 2023 article by Beatriz Esteves and Harshvardhan J. Pandit; and
  5. Enhancing Data Use Ontology (DUO) for Health-Data Sharing by Extending it with ODRL and DPV - 2024 article by Harshvardhan J. Pandit and Beatriz Esteves.

Guides for DPV Applications

ISO-29184 Privacy Notices

The [[[ISO-29184]]] provides a standard for privacy notices in terms of the information to be provided as well as its use to inform the data subject about processing of personal data. The DPVCG is currently working on a guide - [[[GUIDE-Notice-29184]]] [[GUIDE-Notice-29184]] to implement machine-readable notices using the [[DPV]]. The scope of this guide would be to create machine-readable notices that can provide the information as required for implementing [[ISO-29184]]. Additionally, the guide will also describe using [[ISO-29184]] for meeting [[GDPR]] requirements regarding privacy notices. It is intended to be a companion to the guide on consent records and receipts [[GUIDE-Consent-27560]]. The scope as of now does not include providing tools or libraries for the creation of graphical interfaces or other means to visually represent this information.

Record of Processing Activities (ROPA)

The [[GDPR]] Article 30 requires keeping records of processing activities (ROPA) involving personal data, where the information to be maintained in such records includes purpose, personal data categories, technical and organisational measures utilised, and others. The DPVCG is currently working on a guide - [[[GUIDE-GDPR-ROPA]]] [[GUIDE-GDPR-ROPA]] to implement machine-readable ROPAs using the [[DPV]]. The scope of this guide would be to create machine-readable notices that can provide the information as required for implementing ROPA according to [[GDPR]] requirements. The scope as of now does not include providing tools or libraries for the creation of ROPA or interfaces or other means to work with this information.

For those interested in the work, please refer to the specification: [[[DPCat]]], and its associated article (2022) authored by DPVCG members Paul Ryan, Rob Brennan, and Harshvardhan J. Pandit.

Data Protection Impact Assessment (DPIA)

The [[GDPR]] Article 35 requires a "Data Protection Impact Assessment" (DPIA) assessing the impact of processing activities involving personal data on the data subject's rights and freedoms. This requires maintaining information about whether such a DPIA is required and, if so, how it was conducted, what its findings were, and whether, based on those findings, the processing activities were justified, halted, or not conducted. The DPVCG is currently working on a guide - [[[GUIDE-GDPR-DPIA]]] [[GUIDE-GDPR-DPIA]] to implement machine-readable DPIA using the [[DPV]]. The scope of this guide would be to create machine-readable DPIAs that can provide the information as required for implementing DPIA according to [[GDPR]] requirements. The scope as of now does not include providing tools or libraries for the creation of DPIA or interfaces or other means to work with this information.

For those interested in the work, please refer to the 2022 article A Semantic Specification for Data Protection Impact Assessments (DPIA) authored by DPVCG member Harshvardhan J. Pandit.

Data Breach Records and Notifications

The [[GDPR]] Articles 33 and 34 require keeping records associated with the suspicion or occurrence of a data breach and its impacts, including any communications to the data subjects or authorities regarding it. The DPVCG is currently working on a guide - [[[GUIDE-GDPR-DataBreach]]] [[GUIDE-GDPR-DataBreach]] to implement machine-readable Data Breach records and notifications using the [[DPV]]. The scope of this guide would be to create machine-readable records and notices that can provide the information as required for implementing data breach assessments and notifications according to [[GDPR]] requirements. The scope as of now does not include providing tools or libraries for the creation of data breach assessment or notification tools or interfaces or other means to work with this information.

For those interested in the work, please refer to the 2023 article Towards a Semantic Specification for GDPR Data Breach Reporting authored by DPVCG members Harshvardhan J. Pandit, Paul Ryan, Georg P. Krog, and Rob Brennan.

Rights Management

Regulations such as the [[GDPR]], amongst others across the globe, provide specific rights (to data subjects) through which they can avail of information regarding the processing of their personal data, object to it, or obtain a copy of their given personal data. The DPVCG is currently working on a guide - [[[GUIDE-Rights]]] [[GUIDE-Rights]] to implement machine-readable rights exercise records using the [[DPV]]. The scope of this guide would be to create machine-readable records that can provide the information as required for demonstrating rights exercise, its fulfilment or non-fulfilment, and the communications involved according to [[GDPR]] requirements. The scope as of now does not include providing tools or libraries for exercise or management of rights, or interfaces or other means to work with this information.

For those interested in the work, please refer to the specification Rights Exercising with DPV being developed by DPVCG members Beatriz Esteves, Harshvardhan J. Pandit, Georg P. Krog, and Paul Ryan.

Use-Cases, Requirements, and Examples

See Use-Cases and Requirements page for use-cases and requirements that guided the development of DPV.

See Examples page for examples demonstrating use of DPV concepts.

Funding Acknowledgements

Funding Sponsors

The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.

Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.

The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).

Funding Acknowledgements for Contributors

The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.