Copyright © 2025 the Contributors to the Guide for using DPV for GDPR's DPIA Specification, published by the Data Privacy Vocabularies and Controls Community Group under the W3C Community Contributor License Agreement (CLA). A human-readable summary is available.
This document will provide a guide for using DPV for GDPR's DPIA. Currently, it is a work in progress.
Article 35 of the EU GDPR requires a "Data Protection Impact Assessment" (DPIA) that assesses the impact of processing activities involving personal data on the data subject's rights and freedoms. This requires maintaining information about whether such a DPIA is required and, if so, how it was conducted, what its findings were, and whether, based on those findings, the processing activities were justified, halted, or not conducted. This GUIDE-GDPR-DPIA will provide guidance on implementing machine-readable DPIAs using the DPV.
The scope of this guide is the creation of machine-readable DPIAs that provide the information required for implementing a DPIA according to GDPR requirements. The scope does not currently include providing tools or libraries for creating DPIAs, or interfaces or other means of working with this information. The guide will be based on the peer-reviewed article "A Semantic Specification for Data Protection Impact Assessments (DPIA)" and will incorporate work being developed in #183.
DPV Specifications: The [DPV] is the core specification within the DPV family, with the following extensions: Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH] and [AI], [JUSTIFICATIONS], [SECTOR] specific extensions, and [LEGAL] extensions modelling specific jurisdictions and regulations. A [PRIMER] introduces the concepts and modelling of DPV specifications, and [GUIDES] describe application of DPV for specific applications and use-cases. The Search Index page provides a searchable hierarchy of all concepts. The Data Privacy Vocabularies and Controls Community Group (DPVCG) develops and manages these specifications through GitHub. For meetings, see the DPVCG calendar.
To cite and understand the structure of DPV, the article "Data Privacy Vocabulary (DPV) - Version 2.0" (2024) describes the current state of DPV and extensions from version 2.0 onwards (open access version here). The earlier article "Creating A Vocabulary for Data Privacy" (2019) describes how the DPV was developed (open access versions here, here, and here).
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups.
GitHub Issues are preferred for discussion of this specification.
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.