Guide for using DPV for GDPR's DPIA

Work in Progress

Draft Community Group Report

Latest published version:
https://w3id.org/dpv/guides/gdpr-dpia
Latest editor's draft:
https://dev.dpvcg.org/guides/gdpr-dpia
Editor:
Harshvardhan J. Pandit (ADAPT Centre, Dublin City University)
Feedback:
GitHub w3c/dpv (pull requests, new issue, open issues)
Key Publications
Data Privacy Vocabulary (DPV) -- Version 2.0 (2024)
A Semantic Specification for Data Protection Impact Assessments (DPIA) (2022)

Abstract

This document will provide a guide for using DPV for GDPR's DPIA. Currently, it is a work in progress.

Issue 66: Provide a Guide on use of DPV for DPIA guideWIPdocseu-gdpr

The EU-GDPR Article 35 requires a "Data Protection Impact Assessment" (DPIA) assessing the impact of processing activities involving personal data on the data subject's rights and freedoms. This requires maintaining information about whether such a DPIA is required, and if yes, then how it was conducted and what were its findings, and based on which whether processing activities were justified or were halted or not conducted. This GUIDE-GDPR-DPIA will provide guidance to implement machine-readable DPIA using the DPV.

The scope of this guide would be to create machine-readable DPIAs that can provide the information as required for implementing DPIA according to GDPR requirements. The scope as of now does not include providing tools or libraries for the creation of DPIA or interfaces or other means to work with this information. This will be based on the peer-reviewed article A Semantic Specification for Data Protection Impact Assessments (DPIA) and will incorporate work being developed in #183

DPV Specifications: The [DPV] is the core specification within the DPV family, with the following extensions: Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH] and [AI], [JUSTIFICATIONS], [SECTOR] specific extensions, and [LEGAL] extensions modelling specific jurisdictions and regulations. A [PRIMER] introduces the concepts and modelling of DPV specifications, and [GUIDES] describe application of DPV for specific applications and use-cases. The Search Index page provides a searchable hierarchy of all concepts. The Data Privacy Vocabularies and Controls Community Group (DPVCG) develops and manages these specifications through GitHub. For meetings, see the DPVCG calendar.

To cite and understand the structure of DPV, the article "Data Privacy Vocabulary (DPV) - Version 2.0" (2024) describes the current state of DPV and extensions from version 2.0 onwards (open access version here). The earlier article "Creating A Vocabulary for Data Privacy" (2019) describes how the DPV was developed (open access versions here, here, and here).

Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.

Status of This Document

This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups.

Note: WARNING

GitHub Issues are preferred for discussion of this specification.

Funding Acknowledgements

Funding Sponsors

The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.

Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.

The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).

Funding Acknowledgements for Contributors

The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.

A. References

A.1 Informative references

[AI]
AI Technology concepts for DPV. URL: https://w3id.org/dpv/ai
[DPV]
Data Privacy Vocabulary (DPV) Specification. URL: https://w3id.org/dpv
[GUIDES]
Guides for DPV. URL: https://w3id.org/dpv/guides
[JUSTIFICATIONS]
Concepts representing Justifications for DPV. URL: https://w3id.org/dpv/justifications
Legal Jurisdiction-relevant concepts for DPV. URL: https://w3id.org/dpv/legal
[LOC]
Location and Geo-Political Membership concepts for DPV. URL: https://w3id.org/dpv/loc
[PD]
Personal Data categories for DPV. URL: https://w3id.org/dpv/pd
[PRIMER]
Primer for Data Privacy Vocabulary. URL: https://w3id.org/dpv/primer
[RISK]
Risk Assessment and Management concepts for DPV. URL: https://w3id.org/dpv/risk
[SECTOR]
Sector-specific Extensions for DPV. URL: https://w3id.org/dpv/sector
[TECH]
Technology concepts for DPV. URL: https://w3id.org/dpv/tech