Data Privacy Glossary
There are many terms being thrown around nowadays when it comes to data privacy. From the Facebook/Cambridge Analytica scandal to GDPR and everything in between, there is a lot more that we don't know about this subject than most of us think. We should all have a basic understanding of this subject and, if possible, be able to explain the key terms to others. This is why I decided to compile a list of the (in my opinion) most important terms in data privacy with their definitions.
Adequacy Decision – A decision made by the European Commission that a non-EU country offers an adequate level of personal data protection through its own domestic privacy laws or international commitments it has made. Once the European Commission has determined that a country meets the requirements for an adequacy decision, personal data may be transferred from the EU to that country.
Anonymization – The process of altering personal data so that it is no longer identifiable. This process is irreversible.
Appropriate Safeguards – This is a term used in GDPR in several different contexts, such as transferring personal data to countries outside of the European Union, processing special categories of data, and processing personal data in a law enforcement context. It usually refers to the application of the general data protection principles.
Automated Decision Making – A term from GDPR used to describe when a system uses technology, without human involvement, to make a decision or build a profile.
Autonomy Privacy – When an individual can behave as they wish (including online behavior) without the concern of being observed or tracked.
Binding Corporate Rules – Also referred to as BCRs, a mechanism developed by the EU Article 29 Working Party. BCRs are internal rules, approved by the data protection authority in the applicable EU member state, allowing multinational corporations, international organizations, and groups of companies to share personal data outside of the EU while still complying with EU data protection laws.
Binding Safe Processor Rules – Principles for processors to follow to protect an individual's personal data. If a business's processor is approved as a "safe processor," it can conduct international transfers (under GDPR).
Biometric Data – Data generated by automated processing of a person's physical or behavioral characteristics that can identify or confirm the identity of that person. Examples include fingerprints, retina scans, voice prints, facial characteristics, and identifying DNA information. In many global laws, biometric data is deemed a "special category."
Breach Disclosure – The act of notifying regulators and victims of incidents that affect their confidentiality, anonymity, and personal information security.
California Consumer Privacy Act (CCPA) – This is a comprehensive, state-level privacy law that goes into effect in January 2020 in California. This law gives specific privacy rights to consumers and allows them to opt out of the sale of their personal data.
California Consumer Protection Act (CCPA) – Signed into law in 2018 and taking effect in January 2020, this act introduces new privacy rights for individuals living within the state of California. It is the first sweeping privacy law in the United States.
California Investigative Consumer Reporting Agencies Act – A California state law that requires employers to notify consumers before obtaining and using a consumer report about them.
California Online Privacy Protection Act (CalOPPA) – Requires all websites interacting with California residents to provide a privacy statement to users.
CAN-SPAM – Controlling the Assault of Non-Solicited Pornography And Marketing Act – Passed in 2003, this U.S. law sets the rules for commercial emails and messages.
CASL – Canadian Anti-Spam Legislation – Passed in 2013, this Canadian law regulates all commercial emails, texts, instant messages, and automated mobile phone messages sent to, or accessed by, computers and phones in Canada.
Chief Privacy Officer – A leadership position in an organization responsible for managing privacy risks, laws, and policies.
Children's Online Privacy Protection Act of 1998 (COPPA) – Imposes requirements on the operators of websites directed towards children under 13 years of age.
CISO – Chief Information Security Officer – An executive-level employee responsible for identifying and managing risks as they arise and for developing a security strategy to protect the organization's data and assets from breaches.
Communications Privacy – This type of privacy protects communications such as postal mail, telephone activity, email, and other communication types.
Confidentiality – The act of protecting data against unauthorized or unlawful processing. The GDPR states that organizations must be able to maintain confidentiality.
Consent – According to GDPR, consent is a data subject's act of agreeing to specific data processing. For consent to be valid, it must be freely given, specific, informed, and unambiguous. The data subject must be able to easily withdraw their consent after it is given. Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. The consent shall be evidenced by written, electronic, or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject.
Controller – Per the GDPR, the controller is "the natural or legal person, public authority, agency or other body which determines the purposes and means of processing data."
Cookie – A small text file of information that certain Web sites attach to a user's hard drive while the user browses the Web site. A cookie can contain a user ID, user preferences, archived shopping cart information, etc. Cookies can contain Personally Identifiable Information (as defined below).
Cross-Border Data Transfers – The transportation of personal data from one jurisdiction (usually country) to another. For the GDPR, this refers to any transportation of personal data from the European Union to a third country (only allowed if the European Commission has determined that they have adequate protection measures).
Customer Access – Giving the customer access to the personal information an organization is collecting and giving them the ability to review, delete, and edit their personal information.
Data Breach – Unauthorized access to, or acquisition of, data that compromises the security of personally identifiable information maintained by a collector.
Data Classification – When an organization gives different authorization levels to individuals to access a data inventory to protect the data.
Data Element – Unique pieces of collected information such as name, address, IP address, date of birth, etc.
Data Erasure – Also known as the Right to be Forgotten under GDPR or Right to Deletion under CCPA, it allows the data subject to request the data controller or company delete and stop sharing their personal data. There are a few exceptions to this under each privacy law.
Data Inventory – A record of where personal data is held and how it is organized and shared. A data inventory allows for the identification of inconsistent data versions.
Data Masking – The process of de-identifying data through anonymization, pseudonymization, or some other method of obscuring the identifiable data.
Data Portability – The data subject's right to receive a copy of the data they provided to the controller. The data should be presented in a structured, commonly used, machine-readable format. It should be provided directly to the data subject, or upon request by the data subject. The data subject also has the right to have that information transmitted directly to another controller.
Data Protection Impact Assessment (DPIA) – As required under GDPR, companies engaging in high-risk processing activity must complete an assessment that identifies, assesses, and mitigates risks of a business' data processing activity. A DPIA should be performed for each different type of high-risk processing activity.
Data Protection Officer (DPO) – A data privacy expert who ensures compliance with GDPR policies and procedures and generally reports directly to company management or, in some situations, the company board.
Data Subject (Individual) – A natural person whose personal data is collected, held, or processed by a controller or processor.
De-Identification – The method of removing identifiable characteristics from personal data, effectively anonymizing the data.
Digital Fingerprinting – A digital fingerprint is a set of attributes recorded from a visitor's requests that represents the visitor's defining characteristics and is used by content owners to identify website visitors. The recorded attributes can include the visitor's IP address, a timestamp, or even the visitor's browser preferences (think the type of font, color scheme, etc.).
Digital Signature – This type of signature is used to authenticate an electronic document (often used in emails).
Do Not Track (DNT) – A browser setting, sent to websites as an HTTP header, that gives individuals the ability to request that websites and applications disable tracking of their online behavior and activities.
Electronic Surveillance – The act of monitoring an individual (typically without the individual's knowledge) through video, reading their communications, location services, and other electronic means.
Encrypted Data – Data that has been converted from plaintext into an encoded form that can only be decoded by someone holding the proper decryption key. Encryption is a security measure that protects sensitive personal data to ensure that the data is only accessible and readable by those with authorization.
Encryption – The process by which data is converted into a coded form to ensure secure transmission.
ePrivacy Directive/Regulation – Passed in the EU in 2002 and amended in 2009, this directive addresses privacy regarding digital communication, digital marketing, and cookies. An updated regulation is expected to be finalized in 2019.
EU – The acronym for the European Union, a political and economic union comprised of 28 member states located primarily in Europe.
European Data Protection Board (EDPB) – EDPB is an EU body responsible for applying GDPR to ensure consistency across the EU. It is comprised of a representative from the DPA in each EU member state and the European Commission. It was formerly known as Article 29 Working Party (A29WP).
European Data Protection Supervisor (EDPS) – The EDPS has the responsibility to ensure that EU institutions and bodies provide individuals with the right to privacy when processing personal information.
Fair Credit Reporting Act – This act requires accurate data collection, gives the right to consumers to correct their information, and limits the use of consumer reports and data collection.
Family Educational Rights and Privacy Act (FERPA) – The FERPA protects students' privacy and their records.
Federal Trade Commission (FTC) – This agency protects consumers and collects and acts on complaints about organizations. It also prohibits unfair and deceptive trade practices under Section 5 of the FTC Act.
Firewall – Specialized software and/or hardware designed to prohibit unauthorized access to information on a computer network.
First-Party Collection – The data subject gives permission directly to the controller to collect their information.
Fractional Privacy Officer – An outsourced privacy professional who provides their time and guidance to a company on an ongoing basis, generally part-time and remotely.
Freely Given – When a data subject voluntarily consents to data processing and where there is no risk of significant consequences if they do not choose to provide consent. The GDPR requires that a data subject's consent is freely given.
General Data Protection Regulation (GDPR) – A privacy regulation and legal framework that sets guidelines for collecting and processing personal data of individuals within the EU. It became effective May 25, 2018.
GLBA – Gramm-Leach-Bliley Act – A US federal law that requires financial institutions to explain to customers how private information is protected, how personal information is shared, and how a customer can opt out of having their information shared with third parties.
HIPAA – Health Insurance Portability and Accountability Act. It is a US federal law that provides privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. An important distinction is that not all health information is automatically covered under HIPAA.
Identifiable Data – Refers to data linked to a specific person, thus identifying that person.
Individual Rights – Data Subject Access Requests are often referred to as Individual Rights. These rights generally include the right to be informed, the right of access, the right to rectification, the right to erasure/to be forgotten, the right to restrict processing, the right to data portability, the right to object, rights about automated decision making and profiling, and the right to opt-out of the sale of data.
Information Security – The act of securing information to prevent unauthorized access or misuse of information.
Informed – When an individual has been provided all of the necessary information to decide whether to permit data processing. Under GDPR, the data subject must be informed when providing consent.
Integrity – In regards to data, integrity refers to the data's accuracy, consistency, and trustworthiness. The GDPR requires organizations to uphold the integrity of the data that they are collecting.
Legal Basis – The GDPR requires that a controller meet one of six legal circumstances to collect personal information. The six legal bases include (1) consent, (2) contract, (3) legal obligation, (4) vital interests, (5) public task, or (6) legitimate interests.
Main Establishment – The location chosen by the data controller for its central administration in the EU; the controller is bound by the local laws and regulations applicable there.
Metadata – Data that gives additional information to describe or provide context for other data.
Multi-Factor Authentication – During login, this requires both a password and a second form of authentication, such as a code sent to a phone, confirming a phone call, or entering an ever-changing password provided through an application.
Negligence – An organization is responsible for damages if it fails to meet the legal obligations to protect personal information.
Non-Public Personal Information – Per GLBA, it is defined as identifiable financial information provided by a customer.
Obfuscation – A version of data masking that makes personal data difficult to understand to hide the actual data.
Opt-In – An individual makes an affirmative choice to share their personal information with a third party.
Opt-Out – An individual takes a step (such as clicking a button or checking a box) that prevents third parties from sharing their personal information.
Personal Data (also referred to as 'Personal Information') – Information that relates to an identified or identifiable person (also referred to as a 'Data Subject' or 'Individual').
Personally Identifiable Information (PII) – Information that can be traced back to a specific individual user, e.g., name, postal address, email address, telephone number, or Social Security number. Personal user preferences tracked by a Web site via a "Cookie" (see definition above) are also considered personally identifiable when linked to other Personally Identifiable Information provided by users online. (Compare With Aggregate Information.)
PIPEDA – Personal Information Protection and Electronic Documents Act – Canada's counterpart to the GDPR; it requires businesses to obtain an individual's consent when they collect, use, or disclose that individual's personal information.
Privacy by Design (PbD) – Incorporating privacy at the beginning and throughout the entire design and engineering process of product and service development.
Privacy Impact Assessment – A process, often a questionnaire, used by a company to identify and assess privacy risks throughout a product or system lifecycle. It helps identify data collected, used, shared, and stored, and allows the company to determine what should be done to mitigate risks when processing personal data.
Privacy Rule – Per HIPAA, this rule requires institutions and organizations to protect an individual's medical records and information.
Privacy Shield Certification – A framework designed by the U.S. Department of Commerce together with the European Commission and the Swiss Administration. It allows a company to self-certify to a set of data protection requirements, which in turn enables it to transfer personal data from the EU or Switzerland to the US.
Private Right of Action – The right of an individual who is harmed by a violation of the law to file a lawsuit against the violator.
Privileged Information – Any form of data which, under the Rules of Court and other pertinent laws, constitutes privileged communication.
Processing – Any activity performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Profiling – The use of personal data to evaluate, analyze, or predict a data subject's behavior and to make decisions based on that outcome. Profiling is generally performed automatically by systems.
Pseudonymity – This concept originated in the field of cryptography. Pseudonymity allows one to prove a consistent identity without revealing one's actual name, using an alias or pseudonym instead. Pseudonymity combines many of the advantages of both a known identity and anonymity. In anonymity, one's identity isn't known; pseudonymity instead creates a separate, persistent "virtual" identity that can't be linked to a specific person, group, or organization. Pseudonymous remailers, called "nym servers," take messages addressed to the pseudonym and resend them to the pseudonym's real email address. They can also forward messages to others as though they came from the server's pseudonym address. Unlike with anonymous email, users can reply to a pseudonymous sender, and pseudonyms can establish reputations in the digital world.
Pseudonymization – A procedure in which personal data fields within a data record are replaced by one or more artificial identifiers, so that the personal data cannot be attributed to a single individual without the separately held information needed to reverse the replacement. This process is reversible by an authorized individual; therefore, it is not permanent like anonymization.
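As an added illustration (not part of the original glossary), the following Python shows the difference between the Anonymization, Data Masking and Pseudonymization entries above on a small constructed dataset. The records and key are made-up sample values; the keyed-HMAC token is one common pseudonymization technique, chosen because an unkeyed hash of an email address can be reversed simply by guessing addresses.

```python
import hashlib
import hmac

# Constructed sample records; the people and values are made up for this example.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1990-04-12", "purchase": 42.50},
    {"name": "Bob Sample", "email": "bob@example.com", "dob": "1985-11-03", "purchase": 17.00},
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1990-04-12", "purchase": 9.99},
]

# Fields that identify a person directly (or nearly so) and must not appear in the output.
IDENTIFYING_FIELDS = ("name", "email", "dob")


def pseudonymize(records, key):
    """Replace identifying fields with an artificial identifier (pseudonym).

    The token is an HMAC over the identifying fields under a secret key, so:
      * the same person always maps to the same token (rows stay linkable for
        analysis), and
      * nobody without the key can recompute the token from a guessed name or
        email, which a plain unkeyed hash would allow.
    Returns (pseudonymized records, lookup table). The lookup table and the key
    are the separately held information that makes the process reversible for
    an authorized party only.
    """
    lookup = {}
    out = []
    for r in records:
        identity = "|".join(r[f] for f in IDENTIFYING_FIELDS)
        token = hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {f: r[f] for f in IDENTIFYING_FIELDS}
        stripped = {k: v for k, v in r.items() if k not in IDENTIFYING_FIELDS}
        out.append({"subject_id": token, **stripped})
    return out, lookup


def reidentify(pseudo_record, lookup):
    """Reverse the pseudonymization. Only whoever holds the lookup table can do
    this; returns None for a token the table does not know."""
    return lookup.get(pseudo_record["subject_id"])


def anonymize(records):
    """Remove identifying fields outright and keep no key or table.

    Nothing is retained that could map a row back to a person, which is what
    makes anonymization irreversible. (Remaining fields should still be
    checked for quasi-identifiers; a purchase amount alone is not one here.)
    """
    return [{k: v for k, v in r.items() if k not in IDENTIFYING_FIELDS} for r in records]


if __name__ == "__main__":
    key = b"constructed-demo-key-store-separately-from-the-data"
    pseudo, table = pseudonymize(RECORDS, key)
    print(pseudo)                        # Alice's two rows share a subject_id; no row carries her email
    print(reidentify(pseudo[0], table))  # the authorized holder of the table recovers Alice
    print(anonymize(RECORDS))            # only purchase amounts survive; there is no way back
```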
Recipient – The natural person, public authority, agency, another body, or company to which personal data is disclosed.
Records of Processing Activities (RPA) – Often referred to as the Article 30 report. This is a required set of records that documents in detail the data processing activities that the company is responsible for. There are specific items to be included in the Article 30 report, such as:
Rectification (Also referred to as the "Right to Correct") – The right of an individual to request that an organization or third party correct their personal information. Under the GDPR, individuals have the right to rectification, and controllers must fix inaccurate personal data if requested.
Redaction – The process of removing or obscuring information from documents.
Regulation – A binding set of rules that details how a company must comply. It could be an industry-imposed, self-regulatory framework like the Digital Advertising Alliance's Self-Regulatory Framework, or it could be imposed by lawmakers, such as the ePrivacy Directive.
Re-identification – Occurs when de-identified data is matched back to an individual, making the individual identifiable.
Representative – A data protection authority in the EU appointed by the data processor or controller.
Restriction of processing – The right of a data subject to limit the future processing of their own stored personal data.
Retention – The notion that organizations should only retain personal information for as long as needed to fulfill the original statement of purpose.
Right to Access – Also known as the Data Subject Access Right (DSAR). This right allows the data subject to request in writing a copy of the personal data about them that the controller is processing. The controller should also explain the purpose of processing the data subject's personal data. Privacy laws differ in how long a controller has to respond to a DSAR.
Right to be Forgotten or Right to Deletion – Also referred to as Data Erasure, it entitles the data subject to request that the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties cease processing it.
Security Policies – The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Sensitive Personal Information – Information regarding an individual's race, ethnicity, marital status, religion, health records, sexuality, social security number, license, etc.
Spam – Unsolicited information that is sent to an individual typically via electronic communication.
Supervisory Authority (SA) – A public authority established by an EU member state to oversee the application of GDPR.
TCPA – Telephone Consumer Protection Act. A US federal law that restricts marketing and debt collection automated dialing and pre-recorded messages. It covers cell phones, landlines, text messages, and unsolicited faxes. It also covers phone numbers listed in the Do Not Call Registry.
Territorial Privacy – This type of privacy limits intruding into an individual's territorial environment, such as their home or workplace.
Third-Party – Any person or organization other than the company or its affiliates.
Transparency – An organization is required to be open in collecting and using personal data.
Unambiguous Consent – When an individual provides consent while fully understanding the outcome of their decision. The organization must clearly articulate the outcome in a way that the individual fully understands.