A Semantic Specification for Data Protection Impact Assessments (DPIA)

The GDPR requires conducting a Data Protection Impact Assessment (DPIA) for processing of personal data that may result in a high risk to and impact on data subjects. Documenting this process requires information about the processing activities, the entities involved and their roles, the risks, the mitigations and resulting impacts, and the consultations carried out. Given the complexity of this task, it is difficult for stakeholders to identify relevant risks and mitigations, especially for emerging technologies, to conduct impact assessments for their use-cases, and to document the outcomes in a consistent and reusable manner. We address this challenge by using linked data to represent DPIA-related information so that it can be managed and shared in an interoperable manner. For this, we consulted the guidance documents on DPIAs produced by EU Data Protection Authorities (DPAs) and the guidance on risk management produced by ENISA. The outcome of our efforts is an extension to the Data Privacy Vocabulary (DPV) for documenting DPIAs and an ontology for risk management based on the ISO 31000 series. Our contributions fill an important gap within the state of the art and pave the way for the EU's vision of data spaces by enabling information about risks and impacts to be shared as machine-readable metadata.
