- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Tue, 19 Apr 2022 21:05:41 +0100
- To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Hi.

I'm happy to announce my proposal to present DPV at PEPR has been accepted as a 10min talk (+5min Q&A). This will be a virtual presentation, for which a video has to be submitted by JUN-07.

See below proposed topics and submitted info. Comments and suggestions are welcome.

_________________

1. Venue Information
2. Abstract
3. Talk summary
4. Reviews impressions
5. Submitted Entry
.. 1. Short description of talk/panel
.. 2. Long description
.. 3. Session outline
.. 4. Audience take-aways

1 Venue Information
===================

- USENIX Conference on Privacy Engineering Practice and Respect
  <https://www.usenix.org/conference/pepr22>
- [2022-06-23 Thu]--[2022-06-24 Fri]

2 Abstract
==========

People, organisations, laws, and use-cases have different perspectives and interpretations of concepts and requirements which cannot be modelled into a single coherent universal vocabulary. The Data Privacy Vocabulary (DPV) provides a core framework of ‘common concepts’ that can be extended to represent specific laws, domains, or applications. Through this, it enables expressing machine-readable metadata about the use and processing of personal data based on legislative requirements such as the General Data Protection Regulation (GDPR). This talk introduces the fundamental concepts in DPV and how it facilitates a pragmatic approach to manage legal compliance and privacy engineering through use of machine-readability and interoperability.

3 Talk summary
==============

- DPV overview - and relevance to legal requirements - 5mins
- Connecting privacy engineering to legal compliance - 2 mins
- Applications of DPV: How to use it - 3 mins
- Total: 10mins

4 Reviews impressions
=====================

- project is still in the state of development
- library doesn't seem to be applicable yet
- good to make privacy engineers aware of the various approaches
- maybe a broader presentation of topic by itself
- maybe presented as an overview of this space
  * other developments
  * pros and cons
  * what more is needed or what is currently missing to create an ecosystem of machine readable privacy annotations
  * other solutions and why not collaborate with them
- open source provides additional value and relevance
- distinction between legal and engineering privacy related taxonomies - and how to manage those differences
- a comprehensive and consistent vocabulary is useful for interoperability
- more details about how DPV was generated i.e. community, methodology, considerations in finalising a concept, broader applicability
- how should the DPV be used? who are the audience?
- DPV is replacement for legal terminology or to be used alongside it?
- specific domains and groups that the vocabulary is intended to be used in

5 Submitted Entry
=================

5.1 Short description of talk/panel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

People, organisations, laws, and use-cases have different perspectives and interpretations of concepts and requirements which cannot be modelled into a single coherent universal vocabulary. The Data Privacy Vocabulary (DPV) provides a core framework of ‘common concepts’ that can be extended to represent specific laws, domains, or applications. Through this, it enables expressing machine-readable metadata about the use and processing of personal data based on legislative requirements such as the General Data Protection Regulation (GDPR). This talk introduces the fundamental concepts technologies need to document and presents how DPV facilitates a pragmatic approach to manage legal compliance and privacy engineering through use of machine-readability and interoperability.

5.2 Long description
~~~~~~~~~~~~~~~~~~~~

In dealing with legal compliance and its obligations, organisations and authorities take an ad-hoc approach where information is expressed primarily for humans and conventionally maintained using spreadsheets. In developing technologies that assist with this, the following problems arise: (i) lack of standardised vocabularies to represent information about use and processing of personal data; (ii) lack of descriptive taxonomies that describe purposes of processing personal data which are not restricted to a particular domain or use-case; and (iii) lack of machine-readable representations of concepts that can be used for technical interoperability of information.

The motivation of DPV is to provide a 'data model' or a 'taxonomy' of concepts that act as a vocabulary for the interoperable representation and exchange of information about personal data and its processing. For this, the DPV specification represents an abstract model of concepts and relationships that can be implemented and applied using technologies appropriate to the use-case's requirements.

For example, consider the term 'personal data' (as under GDPR), which is different from 'PII' (as under American laws or ISO terms). In this, it is imperative to understand that PII is a specific form of personal data. Similarly, specifying 'email', 'phone number', 'twitter id' are personal data regarding 'contact' or 'communication' permits matching semantics between two use-cases as: "We use your contact information" being compatible with "Please enter your email here".

The DPV is a community led effort to create taxonomies of concepts that enable representation of relevant information, and to provide a rich hierarchy of information that can be used in a variety of tasks associated with use of personal data. Its taxonomies consist of categories regarding: personal data, purposes (e.g. Marketing, Service Provision), processing operations (e.g. Collect, Use, Share), legal basis (e.g. contract, consent), entities (e.g. Controllers, Authorities), technical measures (e.g. access control, encryption), organisational measures (e.g. policies, training), and many more.

This talk introduces these hierarchies within DPV, and how they relate to various legal-compliance oriented tasks, such as maintaining records regarding processing of personal data, crafting privacy notices, generating consent requests, and annotating code/workflows with relevant information for privacy-engineering by design.

The following is an illustrative, but non-exhaustive list of applications possible with the DPV:

1) Document annotation - identifying and annotating concepts within documents such as privacy policies, legal compliance documentation, web pages
2) Representing Policies – expressing policies for how personal data should be ‘handled’, policies for describing a use-case's use of personal data
3) Workflow management - annotating code and data flows with DPV concepts to document their roles in data governance and legal compliance
4) Representing Rules – creating and utilising rules for expressing constraints or obligations regarding the use of personal data, checking conformance with obligations such as for legal compliance

5.3 Session outline
~~~~~~~~~~~~~~~~~~~

- Introduction to requirements for understanding and documenting data flows - 5mins
- The Data Privacy Vocabulary (DPV) as an initiative - 5 mins
- Deep dive into DPV with practical examples e.g. notices, annotating API calls - 5 mins
- Potentials for Legal compliance automation - 5mins
- Total time: 20mins

5.4 Audience take-aways
~~~~~~~~~~~~~~~~~~~~~~~

1) Legal compliance tasks are a shared effort given the relationships between different actors in terms of providers, consumers, publishers, etc.
2) Interoperability is beneficial in reducing the amount of work needed to create documentation and ensure legal and privacy engineering is addressed by design
3) Open standards are better than proprietary solutions because they can be extended and customised to fit the problem at hand, while providing a basic framework to enable shared interpretations
4) The DPV provides all of the above, and is a rich toolkit for use in privacy engineering. It can be combined with implementations, standards, and organisational governance practices readily.

---
Regards,
--
---
Harshvardhan J. Pandit, Ph.D
Research Fellow
ADAPT Centre, Trinity College Dublin
https://harshp.com/
Received on Tuesday, 19 April 2022 20:05:57 UTC