- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Tue, 19 Apr 2022 21:05:41 +0100
- To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>

Hi. I'm happy to announce my proposal to present DPV at PEPR has been
accepted as a 10min talk (+5min Q&A). This will be a virtual
presentation, for which a video has to be submitted by JUN-07.
See below proposed topics and submitted info. Comments and suggestions
are welcome.
_________________
1. Venue Information
2. Abstract
3. Talk summary
4. Reviews impressions
5. Submitted Entry
.. 1. Short description of talk/panel
.. 2. Long description
.. 3. Session outline
.. 4. Audience take-aways
1 Venue Information
===================
- USENIX Conference on Privacy Engineering Practice and Respect
<https://www.usenix.org/conference/pepr22>
- [2022-06-23 Thu]--[2022-06-24 Fri]
2 Abstract
==========
People, organisations, laws, and use-cases have different perspectives
and interpretations of concepts and requirements which cannot be
modelled into a single coherent universal vocabulary. The Data Privacy
Vocabulary (DPV) provides a core framework of ‘common concepts’ that
can be extended to represent specific laws, domains, or
applications. Through this, it enables expressing machine-readable
metadata about the use and processing of personal data based on
legislative requirements such as the General Data Protection
Regulation (GDPR). This talk introduces the fundamental concepts in
DPV and how it facilitates a pragmatic approach to manage legal
compliance and privacy engineering through use of machine-readability
and interoperability.
3 Talk summary
==============
- DPV overview - and relevance to legal requirements - 5mins
- Connecting privacy engineering to legal compliance - 2 mins
- Applications of DPV: How to use it - 3 mins
- Total: 10mins
4 Reviews impressions
=====================
- project is still in the state of development
- library doesn't seem to be applicable yet
- good to make privacy engineers aware of the various approaches
- maybe a broader presentation of topic by itself
- maybe presented as an overview of this space
* other developments
* pros and cons
* what more is needed or what is currently missing to create an
ecosystem of machine readable privacy annotations
* other solutions and why not collaborate with them
- open source provides additional value and relevance
- distinction between legal and engineering privacy related taxonomies
- and how to manage those differences
- a comprehensive and consistent vocabulary is useful for
interoperability
- more details about how DPV was generated i.e. community,
methodology, considerations in finalising a concept, broader
applicability
- how should the DPV be used? who are the audience?
- DPV is replacement for legal terminology or to be used alongside it?
- specific domains and groups that the vocabulary is intended to be
used in
5 Submitted Entry
=================
5.1 Short description of talk/panel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
People, organisations, laws, and use-cases have different perspectives
and interpretations of concepts and requirements which cannot be
modelled into a single coherent universal vocabulary. The Data Privacy
Vocabulary (DPV) provides a core framework of ‘common concepts’ that
can be extended to represent specific laws, domains, or
applications. Through this, it enables expressing machine-readable
metadata about the use and processing of personal data based on
legislative requirements such as the General Data Protection
Regulation (GDPR). This talk introduces the fundamental concepts
technologies need to document and presents how DPV facilitates a
pragmatic approach to manage legal compliance and privacy engineering
through use of machine-readability and interoperability.
5.2 Long description
~~~~~~~~~~~~~~~~~~~~
In dealing with legal compliance and its obligations, organisations
and authorities take an ad-hoc approach where information is expressed
primarily for humans and conventionally maintained using
spreadsheets. In developing technologies that assist with this, the
following problems arise: (i) lack of standardised vocabularies to
represent information about use and processing of personal data; (ii)
lack of descriptive taxonomies that describe purposes of processing
personal data which are not restricted to a particular domain or
use-case; and (iii) lack of machine-readable representations of
concepts that can be used for technical interoperability of
information.

The motivation of DPV is to provide a 'data model' or a 'taxonomy' of
concepts that act as a vocabulary for the interoperable representation
and exchange of information about personal data and its
processing. For this, the DPV specification represents an abstract
model of concepts and relationships that can be implemented and
applied using technologies appropriate to the use-case's requirements.

For example, consider the term 'personal data' (as under GDPR), which
is different from 'PII' (as under American laws or ISO terms). In
this, it is imperative to understand that PII is a specific form of
personal data. Similarly, specifying that 'email', 'phone number', 'twitter
id' are personal data regarding 'contact' or 'communication' permits
matching semantics between two use-cases as: "We use your contact
information" being compatible with "Please enter your email here".

The DPV is a community led effort to create taxonomies of concepts
that enable representation of relevant information, and to provide a
rich hierarchy of information that can be used in a variety of tasks
associated with use of personal data. Its taxonomies consist of
categories regarding: personal data, purposes (e.g. Marketing, Service
Provision), processing operations (e.g. Collect, Use, Share), legal
basis (e.g. contract, consent), entities (e.g. Controllers,
Authorities), technical measures (e.g. access control, encryption),
organisational measures (e.g. policies, training), and many more.

This talk introduces these hierarchies within DPV, and how they relate
to various legal-compliance oriented tasks, such as maintaining
records regarding processing of personal data, crafting privacy
notices, generating consent requests, and annotating code/workflows
with relevant information for privacy-engineering by design.

The following is an illustrative, but non-exhaustive list of
applications possible with the DPV:
1) Document annotation - identifying and annotating concepts within
documents such as privacy policies, legal compliance documentation,
web pages
2) Representing Policies – expressing policies for how personal data
should be ‘handled’, policies for describing a use-case's use of
personal data
3) Workflow management - annotating code and data flows with DPV
concepts to document their roles in data governance and legal
compliance
4) Representing Rules – creating and utilising rules for expressing
constraints or obligations regarding the use of personal data,
checking conformance with obligations such as for legal compliance
5.3 Session outline
~~~~~~~~~~~~~~~~~~~
- Introduction to requirements for understanding and documenting data
flows - 5mins
- The Data Privacy Vocabulary (DPV) as an initiative - 5 mins
- Deep dive into DPV with practical examples e.g. notices, annotating
API calls - 5 mins
- Potentials for Legal compliance automation - 5mins
- Total time: 20mins
5.4 Audience take-aways
~~~~~~~~~~~~~~~~~~~~~~~
1) Legal compliance tasks are a shared effort given the relationships
between different actors in terms of providers, consumers,
publishers, etc.
2) Interoperability is beneficial in reducing the amount of work
needed to create documentation and ensure legal and privacy
engineering is addressed by design
3) Open standards are better than proprietary solutions because they
can be extended and customised to fit the problem at hand, while
providing a basic framework to enable shared interpretations
4) The DPV provides all of the above, and is a rich toolkit for use in
privacy engineering. It can be combined with implementations,
standards, and organisational governance practices readily.
---
Regards,
--
---
Harshvardhan J. Pandit, Ph.D
Research Fellow
ADAPT Centre, Trinity College Dublin
https://harshp.com/
Received on Tuesday, 19 April 2022 20:05:57 UTC
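
The matching described in the long description above ("We use your contact information" being compatible with "Please enter your email here"), as an added example that is not part of the original message and not DPV's own code. It goes one step further than the message by also checking the purpose. The concept labels and the hierarchy are constructed for illustration and are not DPV identifiers.

```python
# Constructed toy taxonomy: child -> set of broader concepts.
# Labels are illustrative placeholders, not actual DPV terms or IRIs.
PARENTS = {
    "PersonalData": set(),
    "Contact": {"PersonalData"},
    "Communication": {"PersonalData"},
    "Email": {"Contact", "Communication"},
    "PhoneNumber": {"Contact", "Communication"},
    "TwitterId": {"Contact"},
    "Purpose": set(),
    "ServiceProvision": {"Purpose"},
    "Marketing": {"Purpose"},
    "AccountCreation": {"ServiceProvision"},
}

def ancestors(concept, parents=PARENTS):
    """Return the concept plus every broader concept reachable from it."""
    if concept not in parents:
        raise KeyError(f"unknown concept: {concept}")
    seen, stack = set(), [concept]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(parents[current])
    return seen

def is_covered(specific, declared):
    """True if `declared` is `specific` itself or a broader concept of it."""
    return declared in ancestors(specific)

def check_collection(notice, request):
    """Match a (data, purpose) request against the notice's declared pairs.

    Returns the declared pair that covers the request, or None when the
    request falls outside everything the notice declares.
    """
    data, purpose = request
    for declared_data, declared_purpose in notice:
        if is_covered(data, declared_data) and is_covered(purpose, declared_purpose):
            return (declared_data, declared_purpose)
    return None

# Constructed notice: "We use your contact information to provide the service".
NOTICE = [("Contact", "ServiceProvision")]

if __name__ == "__main__":
    for req in [("Email", "AccountCreation"), ("Email", "Marketing")]:
        print(req, "->", check_collection(NOTICE, req))
```

Coverage only runs from specific to broad: a notice that declares "Email" does not cover a request for the broader "Contact" category.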