Data Privacy Vocabularies and Controls Community Group (DPVCG) repository containing specifications for Data Privacy Vocabulary (DPV) and its extensions, primer, and guides, and group meeting minutes.
links: Community Group | GitHub wiki
Announcement: DPV 2.0 Release
The scope of DPV has been expanded to include non-personal data and AI technologies - though the focus of the group remains on privacy and data protection. The structure of the repo has also been changed to incorporate multiple jurisdictions and regulations, and their names have been changed e.g.
dpv-gdpr
islegal/eu/gdpr
. The article Data Privacy Vocabulary (DPV) -- Version 2 by Pandit et al. (2024), accepted for presentation at the 23rd International Semantic Web Conference (ISWC 2024), describes DPV v2 in terms of its contents, methodology, current adoptions and uses, and future potential. It also describes the relevance and role of DPV in acting as a common vocabulary to support various regulatory (e.g. EU's DGA and AI Act) and community initiatives (e.g. Solid) emerging across the globe. A Search Index of all concepts from DPV and extensions is available.
is available under a new versioned IRI for continued use - though the DPVCG recommends using the latest version of DPV. Versioned IRIs have been created to refer to specific versions, with https://w3id.org/dpv/1.0 for v1 and https://w3id.org/dpv/2.0 for v2. The versionless IRI https://w3id.org/dpv will always point to the latest version. See the v2 changelog for more details.
The mission of the W3C Data Privacy Vocabularies and Controls CG (DPVCG) is to develop a taxonomy of privacy and data protection related terms, which include in particular terms from the new European General Data Protection Regulation (GDPR), such as a taxonomy of personal data as well as a classification of purposes (i.e., purposes for data collection), and events of disclosures, consent, and processing such personal data.
License: All work produced by DPVCG and provided through this repo or elsewhere is provided by contributors under the W3C Document License. A copy of the license is provided in the LICENSE.md file.
Guidelines for suggesting new concepts, identifying bugs and issues, and sending patches or PRs
Newcomers to the DPV are recommended to start with the Primer to familiarise themselves with the concepts, semantics, and usefulness of the DPV. A Concise Primer is also available for a quick (2-pager) introduction to DPV.
The Data Privacy Vocabulary (DPV) provides an ontology (classes and properties) and taxonomies of concepts to represent information regarding how personal data is processed in the form of an ontology or a knowledge graph. For example, it provides taxonomies associated with:
- purposes of processing
- personal data categories involved
- processing operations
- technical and organisational measures or restrictions applied
- legal basis used to justify processing
- information about legal basis for processing
- rights as applicable
- risks as applicable
The namespace for DPV terms is http://w3id.org/dpv#
with suggested prefix dpv
, and serialisations are provided in RDF/XML, Turtle, JSON-LD, and N3 formats. The default serialisations are defined using RDFS/SKOS semantics, with an alternate serialisation defined using OWL2 semantics.
These extensions provide additional concepts that extend the concepts and scope of the main DPV specification:
- Personal Data (PD) provides a taxonomy of personal data categories
- Location (LOC) provides a taxonomy of location concepts based on ISO 3166 (countries, regions)
- Technology (TECH) provides a taxonomy of technology concepts
- AI provides a taxonomy of AI concepts extending the TECH extension
- Justifications provides concepts for representing justifications i.e. why something must be done or could not be done
- Risk provides concepts for risk assessment and management
The legal extensions provide concepts associated with specific jurisdictions and the laws, authorities, and treaties within them. The Legal page provides an overview of these. The jurisdictions are represented by using their ISO 3166-2 codes.
- European Union (EU)
- Germany (DE)
- Ireland (IE)
- India (IN)
- United Kingdom (GB)
- United States of America (USA)
The NACE Taxonomy serialised in RDFS provides a serialisation of the NACE v2 taxonomy in RDFS for use with DPV terms. Since then, NACE v2.1 has been published by the EU Commission. The DPVCG has decided to retire/not provide an alternative serialisation of NACE as it provided no significant benefit and the best practice for using NACE is to always utilise the official authoritative version.
- The Primer is an introductory document for newcomers to understand the DPV and its concepts. A 2 Page Short Primer provides a succint introduction to the DPV.
- The Use-Cases and Requirements document lists the use-cases and requirements that led to the development of DPV.
- The Examples page provides an index of examples describing the use of DPV concepts.
- The Guides page lists guides for use of DPV in specific domains and applications
- Using DPV in OWL2
- Implementing ISO/IEC 27560:2023 Consent Records and Receipts
- Implementing ISO/IEC 29184:2020 Privacy Notices and Consent - Work in Progress, we welcome participation for this
- Data Breach Management for GDPR - Work in Progress, we welcome participation for this
- Data Protection Impact Assessment (DPIA) for GDPR - Work in Progress, we welcome participation for this
- Records of Processing Activities (ROPA) for GDPR - Work in Progress, we welcome participation for this
- For use of DPV from v2 onwards, Cite as: Data Privacy Vocabulary (DPV) -- Version 2 by Harshvardhan J. Pandit, Beatriz Esteves, Georg P. Krog, Paul Ryan, Delaram Golpayegani, Julian Flake https://arxiv.org/abs/2404.13426 (accepted for presentation at the 23rd International Semantic Web Conference (ISWC 2024))
- For use of DPV up to v1 and v1.1, Cite as: The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here.
Releases are provided through the GitHub feature at https://github.com/w3c/dpv/releases and contain zipped collections of DPV specifications, modules, extensions, and accompanying documents.
The following are final reports i.e. formally published by the W3C:
- Primer w3c/cg-reports link
- DPV w3c/cg-reports link
- Personal Data (PD) extension w3c/cg-reports link
- Technology (TECH) extension w3c/cg-reports link
- Risk (RISK) extension w3c/cg-reports link
- Locations (LOC) extension w3c/cg-reports link
- AI Technology (AI) extension w3c/cg-reports link
- Justifications extension w3c/cg-reports link
- Legal extensions w3c/cg-reports link
- Germany (DE) w3c/cg-reports link
- European Union (EU) w3c/cg-reports link
- United Kingdom of Great Britain and Northern Ireland (GB) w3c/cg-reports link
- Ireland (IE) w3c/cg-reports link
- India (IN) w3c/cg-reports link
- United Stated of America (US) w3c/cg-reports link
- Primer w3c/cg-reports link
- DPV w3c/cg-reports link
- DPV-GDPR w3c/cg-reports link
- DPV-PD w3c/cg-reports link
- DPV-OWL w3c/cg-reports link
- DPV-OWL-GDPR w3c/cg-reports link
- DPV-OWL-PD w3c/cg-reports link
- Guide on using DPV in OWL2 w3c/cg-reports link
- DPV-SKOS w3c/cg-reports link
- DPV-SKOS-GDPR w3c/cg-reports link
- DPV-SKOS-PD w3c/cg-reports link
If you're unsure about something, or would like clarifications, or suggestions - please communicate with us or open an issue. We would be happy to help. You can view the current open issues and the public mailing list.
Membership to the group is open to all interested individuals and organisations. To join the group, you need a valid W3C account – which is free to get and can be requested here. The group meets usually through online meeting calls - see meetings calendar and minutes.
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work as the chair of DPVCG from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790, and through the ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
Further funding acknowledgements for individual members are provided within relevant specifications.