Inferensys

Glossary

Data Privacy Vocabulary (DPV)

A W3C community group standard providing a formal, interoperable ontology for describing the legal and technical concepts of personal data processing and privacy policies.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
ONTOLOGY STANDARD

What is Data Privacy Vocabulary (DPV)?

The Data Privacy Vocabulary (DPV) is a formal, machine-readable ontology developed by the W3C Data Privacy Vocabularies and Controls Community Group (DPVCG) to represent the legal and technical concepts associated with personal data processing and privacy policies.

The Data Privacy Vocabulary (DPV) is an interoperable semantic model that provides a standardized taxonomy for describing personal data categories, processing purposes, legal bases, and technical-organizational measures. By serializing privacy concepts in RDF and OWL2, DPV enables automated compliance checking and bridges the semantic gap between legal privacy requirements and their technical implementation in enterprise systems.

DPV serves as a foundational layer for expressing machine-readable consent records, Records of Processing Activities (RoPA), and Data Protection Impact Assessments (DPIAs). Its extensible design allows domain-specific extensions for regulations like the GDPR, enabling privacy engineers to encode obligations such as the right to erasure and purpose limitation directly into software architectures for automated data subject rights fulfillment.

ONTOLOGICAL FOUNDATIONS

Core Characteristics of DPV

The Data Privacy Vocabulary provides a formal, machine-readable taxonomy for representing the core concepts of personal data processing, enabling interoperable policy expression and automated compliance checking.

01

Formal Semantic Modeling

DPV is built on W3C Semantic Web standards (RDF, OWL), providing a rigorous ontological structure rather than a flat list of terms. This allows machines to infer logical relationships between concepts.

  • RDF Triples: All statements are structured as subject-predicate-object, enabling graph-based querying.
  • OWL Axioms: Formal constraints define class hierarchies, property domains, and cardinality restrictions.
  • Inference: A system can deduce that if data is 'Anonymized', it is no longer 'PersonalData' without explicit programming.
02

Core Taxonomical Hierarchy

DPV organizes privacy concepts into a strict, extensible class hierarchy rooted in Purpose, Processing, PersonalData, LegalBasis, and TechnicalOrganisationalMeasure.

  • Purpose: Defines why data is processed (e.g., dpv:Marketing, dpv:ServiceProvision).
  • PersonalData: Categorizes what data is involved (e.g., dpv:SpecialCategoryPersonalData, dpv:Financial).
  • LegalBasis: Specifies the legal justification (e.g., dpv:Consent, dpv:LegitimateInterest).
  • Processing: Describes how data is handled (e.g., dpv:Collect, dpv:Store, dpv:AutomatedDecisionMaking).
03

Extensibility via Profiles

DPV is designed as a modular base ontology that can be extended with domain-specific profiles without breaking core interoperability. This prevents vendor lock-in while allowing for regulatory specificity.

  • DPV-GDPR: Extends DPV with specific EU GDPR concepts like dpv-gdpr:RightToErasure and dpv-gdpr:DPIA.
  • DPV-PD: A detailed taxonomy of personal data categories (e.g., dpv-pd:Biometric, dpv-pd:EthnicOrigin).
  • DPV-LEGAL: Jurisdiction-specific legal statuses and compliance records.
  • Custom Extensions: Organizations can create proprietary subclasses while remaining compatible with the core DPV standard.
04

Machine-Readable Policy Serialization

DPV enables the creation of serialized privacy policies in formats like JSON-LD and Turtle that software agents can parse, compare, and validate automatically.

  • Consent Receipts: A DPV-based record proving a specific user granted consent for a specific purpose at a specific time.
  • Policy Matching: An agent can compare a user's expressed privacy preferences against a service's DPV-encoded policy to detect conflicts.
  • Automated Compliance: A processor can check if a requested processing operation is permitted under the controller's declared DPV purposes.
05

Risk and Context Modeling

DPV includes constructs for modeling the context and risk of processing activities, moving beyond simple binary permissions to nuanced impact assessments.

  • Context: Defines the processing environment, including dpv:StorageLocation, dpv:Recipient, and dpv:Scale.
  • Risk: Links processing to potential dpv:Consequence and dpv:Impact (e.g., dpv:Discrimination, dpv:FinancialLoss).
  • Mitigation: Associates dpv:TechnicalOrganisationalMeasure (like dpv:Encryption or dpv:Pseudonymisation) to specific risks.
  • This structure directly supports automated generation of Data Protection Impact Assessments (DPIAs).
06

Interoperability with External Standards

DPV is designed to map to and align with other major privacy and data governance frameworks, acting as a semantic bridge between regulatory silos.

  • ISO/IEC 29184: Maps to ISO's privacy notice requirements.
  • GDPR & CCPA: Provides explicit legal basis and right taxonomies for these regulations.
  • W3C Data Privacy Controls: Aligns with the W3C's technical privacy architecture for the web platform.
  • Solid Protocol: Used within Tim Berners-Lee's decentralized web project to manage data access permissions in personal online datastores (Pods).
DATA PRIVACY VOCABULARY

Frequently Asked Questions

Clear, technical answers to the most common questions about the W3C Data Privacy Vocabulary (DPV) standard, its implementation, and its role in automating enterprise privacy compliance.

The Data Privacy Vocabulary (DPV) is a formal, machine-readable ontology developed by the W3C Data Privacy Vocabularies and Controls Community Group (DPVCG) that provides a standardized semantic framework for describing the legal and technical concepts involved in personal data processing. It works by defining a taxonomy of interoperable terms—represented as RDF (Resource Description Framework) classes and properties—that model the core entities of privacy: Purpose, PersonalData, Processing, LegalBasis, TechnicalOrganisationalMeasure, and Recipient. By serializing privacy policies into this structured format, DPV enables automated compliance checking, policy comparison, and the generation of machine-readable transparency notices. The vocabulary is modular, with extensions for specific regulations like GDPR (the dpv-gdpr module) and technical domains like AI (the dpv-ai module), allowing organizations to encode complex legal obligations into software logic rather than relying on ambiguous natural language documents.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.