Understanding and complying with data protection and privacy regulations is hard enough. With all of the jargon and acronyms thrown around, it can sometimes feel like lawyers and regulators don't want you to understand. Fear not, we've put together a comprehensive data protection and privacy glossary to help you sort it all out.
Access control is the process of restricting access to resources, such as computers, files, or services, to authorized users only.
The dictionary definition of accountability, according to Webster's, is "an obligation or willingness to accept responsibility or to account for one's actions." The GDPR and other data protection frameworks build on that principle by requiring that organizations be able to demonstrate that their handling of personal data complies with the law (GDPR Article 5(2)). In practice this means keeping records of processing, documented policies and evidence of the controls actually in place, not just having them.
Accuracy is a data protection principle that requires personal data to be accurate and, where necessary, kept up to date. According to the fourth principle in Article 5 of the GDPR, any personal data collected or processed must be "accurate and, where necessary, kept up to date." Furthermore, the GDPR mandates that "every reasonable step must be taken to ensure that personal data that are inaccurate," having regard to the purposes for which they are processed, "are erased or rectified without delay."
Active Data Collection
Active data collection refers to data that is collected knowingly and transparently from the user, such as through a web form, check box, or survey.
Activity monitors identify suspicious behavior by monitoring activity on machines and networks.
Adequate Level of Protection
Under the GDPR, an "adequate level of protection" is the standard a third country or international organization must meet for the European Commission to issue an adequacy decision. Once such a decision exists, personal data may be transferred to that country or organization without any further authorization or transfer mechanism.
In making that judgement, the European Commission considers not only the data protection rules and security measures of the third country or international organization, but also its rule of law, respect for human rights, and whether an independent authority exists to enforce compliance with its data protection rules.
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES), also known as Rijndael, is a symmetric block cipher that NIST standardized in 2001 (FIPS 197) as the replacement for the Data Encryption Standard (DES). Symmetric-key means the same secret key is used to encrypt and decrypt; AES operates on 128-bit blocks with 128-, 192- or 256-bit keys. A block cipher on its own only encrypts a single block: safe use requires a mode of operation, preferably an authenticated one such as AES-GCM, with a nonce that is never reused under the same key.
Data anonymization is a process that alters personal data (including personally identifiable information, PII) so that it can no longer be used to identify an individual, either directly or in combination with other data. This is done by removing direct identifiers (names, email addresses, account numbers) and by suppressing or generalizing quasi-identifiers (age, postal code, dates) that do not identify anyone on their own but do when combined.
Anonymous data is data that does not relate to an identifiable individual and cannot, by any means reasonably likely to be used, be combined with other data to identify one. Anonymous data is not protected by the GDPR (Recital 26). Data in which identifiers have merely been replaced by a key that the controller still holds is pseudonymized, not anonymous, and remains personal data.
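The two entries above describe anonymization as suppression of direct identifiers plus generalization of quasi-identifiers, and anonymous data as data that cannot be re-identified by combination. The following Python example is added here to illustrate that; it is not code from the original glossary. The records are constructed (hypothetical people), and the k-anonymity check is one standard way to measure whether a quasi-identifier combination still singles someone out.

```python
"""Added example (not from the glossary): anonymization by suppressing direct
identifiers and generalizing quasi-identifiers, then checking k-anonymity.
All records below are constructed for illustration."""
from collections import Counter

# Constructed sample records (hypothetical data, not real people).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "age": 34, "zip": "02139", "diagnosis": "flu"},
    {"name": "Bob Example",   "email": "bob@example.com",   "age": 37, "zip": "02134", "diagnosis": "asthma"},
    {"name": "Carol Example", "email": "carol@example.com", "age": 52, "zip": "02139", "diagnosis": "flu"},
    {"name": "Dan Example",   "email": "dan@example.com",   "age": 58, "zip": "02138", "diagnosis": "migraine"},
    {"name": "Eve Example",   "email": "eve@example.com",   "age": 31, "zip": "02131", "diagnosis": "flu"},
]

DIRECT_IDENTIFIERS = {"name", "email"}   # removed outright
QUASI_IDENTIFIERS = ("age", "zip")        # generalized: these re-identify when combined


def generalize(record, age_band=10, zip_digits=3):
    """Return a copy with direct identifiers dropped and quasi-identifiers coarsened."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    low = (record["age"] // age_band) * age_band
    out["age"] = f"{low}-{low + age_band - 1}"          # e.g. 34 -> "30-39"
    out["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    return out


def anonymize(records, age_band=10, zip_digits=3):
    return [generalize(r, age_band, zip_digits) for r in records]


def _classes(records):
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)


def k_anonymity(records):
    """Size of the smallest group sharing the same quasi-identifier values (the k)."""
    return min(_classes(records).values())


def singled_out(records):
    """Quasi-identifier combinations that still match exactly one person."""
    return [key for key, n in _classes(records).items() if n == 1]
```

With the default settings every record shares its age band and three-digit ZIP prefix with at least one other (k = 2); keeping the full ZIP code leaves every record unique (k = 1), which is the "combination with other data" problem the definition warns about. k-anonymity alone is not sufficient: if everyone in a group shares the same sensitive value, the group still discloses it, so check attribute diversity as well before treating a dataset as anonymous.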
In the context of the GDPR, "appropriate safeguards" (Article 46) are the mechanisms that permit a transfer of personal data to a third country that has no adequacy decision, on condition that enforceable data subject rights and legal remedies are available. They include Binding Corporate Rules, standard contractual clauses adopted by the European Commission, and approved codes of conduct or certifications with binding commitments. Whatever mechanism is used, the transferred data remains subject to the GDPR's data protection principles: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.
Article 29 Working Party
The Article 29 Working Party (WP29) was the former EU independent advisory body on data protection and privacy. It was replaced by the European Data Protection Board (EDPB) when the GDPR went into effect.
Auditing is the act of systematically examining, evaluating, and analyzing an organization's assets to ensure compliance and security standards are met.
An audit trail is a trail of files, logs, or paperwork used to record an activity for auditing purposes.
Authentication is the process of verifying a claimed identity and proving that someone is who they claim to be when attempting to access a resource.
Authenticity is the property that a piece of information is genuine: it comes from the source it claims to come from and has not been altered since. It is usually established with a message authentication code or a digital signature.
Data processing that is performed without human interaction.
Availability, or accessibility, is the property of having data accessible on demand when it is needed by the organization or requested by the data subject. The GDPR requires that personal data be available to the data subject upon request.
A backdoor is a tool installed by an attacker in order to give themselves easy access to a compromised system, without alerting security mechanisms.
Binding Corporate Rules (BCRs)
Under the GDPR, Binding Corporate Rules (BCRs) are an appropriate safeguard that allows for cross-border data transfers between multinational components of a global corporation or organization. BCRs ensure that the entire organization follows the same set of binding data protection standards.
Biometric data is personal data derived from technical processing of a person's physical, physiological or behavioural characteristics that allows or confirms their unique identification, such as fingerprints, facial images or voice patterns (the GDPR treats DNA as genetic data, a separate special category). Processing biometric data for the purpose of uniquely identifying a person is prohibited under Article 9 of the GDPR unless one of its listed exceptions applies, such as explicit consent.
Brazil General Data Protection Law
Inspired by the GDPR, in mid-August 2018 Brazil passed a new legal framework governing the use and processing of personal data in Brazil: the General Data Protection Law (Lei Geral de Proteção de Dados, LGPD). The law replaces roughly 40 sectoral laws that previously dealt with the protection of privacy and personal data, and aims both to guarantee individual rights and to encourage economic growth by creating clear and transparent rules for data collection. For more information, check out our full coverage of the bill here.
Breach disclosure, or breach notification, is the act of notifying regulators, and where required the affected individuals, that a data breach has occurred. Under Article 33 of the GDPR, a controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to individuals; under Article 34, affected data subjects must be informed "without undue delay" when the breach is likely to result in a high risk to them. Processors must notify their controller without undue delay.
Bureau of Consumer Protection
A Bureau of the United States’ Federal Trade Commission that is tasked with stopping fraudulent business practices.
California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is a state-level privacy law for California, signed in 2018 and in effect from January 1, 2020. The first comprehensive state-level privacy law passed in the US, it applies to for-profit businesses that collect Californians' personal information and exceed certain revenue or data-volume thresholds. The CCPA mirrors the GDPR in many ways, such as establishing consumers' rights to access their personal data and to request its deletion, and adds a right to opt out of the sale of personal information.
A certification is a declaration by a certifying body that an organization or product meets certain security or compliance requirements.
A form of authentication in which a server (and optionally the client) proves its identity with an X.509 certificate over TLS (formerly SSL), which then also encrypts the HTTP traffic.
Chief Information Security Officer (CISO)
An executive within an organization who is the head of information security.
Chief Privacy Officer
An executive within an organization who is responsible for managing compliance with privacy laws and policies.
Children’s Online Privacy Protection Act (COPPA) of 1998
A US federal law that applies to websites and online services directed at children under the age of 13, and to general-audience services that have actual knowledge they are collecting personal information from children under 13. COPPA requires privacy notices and verifiable parental consent before such data is collected.
Chinese Cybersecurity Law (CSL)
The Chinese Cybersecurity Law is a sweeping cybersecurity and privacy law passed in 2016, and put into effect in 2017. The law mirrors the GDPR in many ways, including data localization requirements, and the inclusion of rights such as the right to erasure. However, unlike the GDPR, the CSL gives enforcement agencies broad leeway to decide which companies must be compliant, and what, exactly, compliance looks like. For more on the CSL, read my post on the law here.
In a privacy context, choice is the ability of data subjects to freely and genuinely choose whether or not to consent to data collection. Implied consent is not considered valid choice under the General Data Protection Regulation.
A cryptographic algorithm used for encryption and decryption.
Cloud computing is the delivery of information technology services or resources via a network, rather than from on-premises hardware and resources. NIST lists five essential characteristics of cloud computing: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Essentially, a cloud provider works like a utility company (think electric or water): it hosts the resources or services that you need and delivers them on demand, scaling up or down to suit your needs. For more information, check out our Cloud Computing Glossary.
Cloud Service Provider (CSP)
A cloud service provider is any company that sells a cloud computing service, be it PaaS, IaaS, or SaaS.
Codes of Conduct
Codes of Conduct (Article 40 of the GDPR) are sets of rules drawn up by bodies representing categories of controllers or processors, such as industry trade groups, to specify how the GDPR applies in their sector and to demonstrate compliance. A code must be approved by the competent supervisory authority (with an opinion from the European Data Protection Board when it covers several member states). Like Binding Corporate Rules, an approved code with binding and enforceable commitments can serve as an appropriate safeguard for cross-border data transfers; it is not an adequacy decision.
Confidentiality is the guarantee that information is only available to those who are authorized to use it.
In the context of privacy, consent is the ability of a data subject to agree to, or decline, the collection and processing of their personal data. Consent can be explicit, such as opting in via a form, or implied, such as accepting an End-User License Agreement or failing to opt out. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act, so pre-ticked boxes and silence do not count; for special categories of data, such as health or biometric data, it must be explicit.
Consumer Financial Protection Bureau (CFPB)
An independent bureau within the United States Federal Reserve System that regulates consumer financial products and services. The CFPB was created by the Dodd-Frank Act of 2010.
A security measure used to prevent identity theft that locks an individual’s data at consumer reporting agencies, thus preventing new lines of credit from being opened.
Critical Infrastructure is any computer systems or networks that are deemed important enough that their incapacitation would result in major issues.
Cross-border Data Transfers
Cross-border Data Transfers are the transfer of personal data from one legal jurisdiction, such as the EU, to another, such as the US. Many data protection laws place major restrictions on cross-border data transfers.
The protection of information and communications against damage, exploitation, or unauthorized use.
A data breach is any unauthorized access to, movement of, or disclosure of sensitive or personal data.
Data Breach Notification
See Breach Disclosure.
A data broker is any entity that collects individuals' personal data, typically from many sources, and sells or licenses it to others. The term comes from US privacy law and regulation rather than the GDPR, which does not define it; under the GDPR a data broker is simply a controller like any other.
Under the GDPR, a data controller is the organization, agency, public authority or individual that determines the purposes and means of processing personal data, that is, the why and the how. A controller may carry out the processing itself or engage a third-party data processor, which must be bound by a contract meeting the requirements of Article 28.
Data Encryption Standard (DES)
A symmetric block cipher standardized by NIST in 1977 that uses a 56-bit secret key, giving about 72 quadrillion (2^56) possible keys. That key space is far too small today: DES keys have been recovered by brute force since the late 1990s, NIST withdrew the standard in 2005, and it should not be used for new systems; AES is the replacement.
Data localization is a requirement that data be physically stored in the country or region in which it was collected. Some laws impose it directly, such as China's CSL, which requires operators of critical information infrastructure to store personal data and important data collected in China within China. The GDPR does not require localization: an EU company may store EU residents' data outside the EU, but only where an adequacy decision or appropriate safeguards (such as Binding Corporate Rules or standard contractual clauses) cover the transfer.
The loss of data, whether through accidental deletion, destruction of storage media, or theft or exfiltration by an attacker.
Data Loss Prevention (DLP)
A term referring to procedures or tools used to prevent the loss of data from a network.
Data minimization is a privacy principle which states that controllers should collect and retain only the personal data that is adequate, relevant and necessary for the stated purpose of processing, and should delete that data once it is no longer needed for that purpose.
Data portability is a right under the GDPR that ensures data subjects are allowed to receive their personal data from a data controller in a commonly used and machine-readable format, and also have the right to request that their data is transferred to another controller.
Data processing is any action that is performed on personal data or sets of personal data, such as collecting, structuring, storing, or disseminating that data.
A data processor under the GDPR is any organization or individual that processes personal data on behalf of, and on the documented instructions of, a data controller, such as a hosting provider or payroll service. The processor does not decide the purposes of processing; a processor that does becomes a controller for that processing.
In the EU, Data Protection is a legal term referring to laws and regulations aimed at protecting the personal data of individuals and determining that data’s fair use. In the US, it is a general term often used interchangeably with terms like “information security” and “information privacy.”
Data Protection Authority
A Data Protection Authority (DPA) is an independent public authority set up to supervise and enforce data protection laws in the EU. Each EU member state has its own DPA.
Data Protection Officer
A Data Protection Officer (DPO) is an individual within an organization who is tasked with advising the organization on GDPR compliance, monitoring that compliance, and acting as the contact point for the Data Protection Authority and for data subjects. Under Article 37, a DPO is mandatory for public authorities, for organizations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those whose core activities involve large-scale processing of special categories of data or criminal conviction data.
Data Protection Principle
A principle set forth in Article 5 of the GDPR. The principles listed in Article 5 are: Lawfulness, fairness and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality.
The individual that a piece or set of data pertains to.
Data theft is the act of stealing information.
Decryption is the transformation of an encrypted message into plaintext.
Disaster Recovery Plan
A Disaster Recovery Plan is a plan to implement the process of recovery of IT systems and data in the event of a disaster.
See breach disclosure.
Due Diligence is the obligation that organizations maintain a plan to protect data, prevent fraud, and detect data breaches when they occur.
Electronic Medical Records (EMR)
Records that contain the standard medical and clinical data gathered in one provider’s office.
Electronic Health Records (EHRs)
Computer records that go beyond the data collected in the provider’s office and include a more comprehensive patient history. EHRs may be shared across multiple providers or healthcare organizations.
Encryption is the transformation of plaintext data into a protected form called ciphertext, which hides the original data's meaning from anyone who lacks the key. Encryption is named as an appropriate technical measure by multiple data protection laws, including HIPAA (where it is an "addressable" safeguard) and the GDPR (Article 32), and data that is breached while properly encrypted may be exempt from the GDPR's duty to notify affected individuals.
End-User License Agreement (EULA)
An End-User License Agreement is a binding legal document that acts as a contract between the owner of a software application and the user(s) of that application. The EULA may include a payment contract, restrictions on use of the software, and even consent to data collection.
Erasure is the act of deleting personal data. Under Article 17 of the GDPR, data subjects can require erasure of their personal data in circumstances including: the data is no longer necessary for the purpose it was collected for, the data subject withdraws the consent on which processing was based and no other legal basis applies, the data subject objects and no overriding legitimate grounds exist, or the data has been processed unlawfully. Other omnibus data protection laws, such as the Brazilian General Data Protection Law, have followed the GDPR's example in establishing a right to erasure.
EU-US Privacy Shield
An adequacy arrangement created in 2016 to replace the EU-U.S. Safe Harbor Agreement. The EU-U.S. Privacy Shield let participating organizations under the jurisdiction of the US Federal Trade Commission transfer personal data from the EU to the United States. The Court of Justice of the EU invalidated the Privacy Shield adequacy decision in July 2020 (the Schrems II judgment), so it can no longer be relied on as a transfer mechanism.
European Data Protection Board
The European Data Protection Board (EDPB) is an EU body established by the GDPR. The board consists of the heads of the EU member states' supervisory authorities as well as the European Data Protection Supervisor. Its goal is to ensure consistent application of the GDPR across member states, which it does by issuing guidelines and opinions and by deciding disputes between supervisory authorities.
European Data Protection Supervisor
An independent authority that supervises the processing of personal data by the EU's own institutions, bodies and agencies, and advises EU legislators on privacy matters. It is a member of the European Data Protection Board.
Any observable occurrence in a computer system or network.
The unauthorized transfer of data off of a computer or network.
An exploit is code or a technique that takes advantage of a specific vulnerability in software, hardware or a configuration to gain access or execute unintended actions.
A firewall is a network security control that filters traffic between network segments according to a defined policy, blocking connections that are not explicitly allowed.
Federal Communications Commission (FCC)
The Federal Communications Commission (FCC) is an agency of the United States Federal Government that regulates communications and telecommunications.
Federal Information Security Management Act of 2002 (FISMA)
The Federal Information Security Management Act of 2002, or FISMA, is a US federal law that requires federal agencies to implement agency-wide information security programs designed to protect agency operations and data. Under FISMA, contractors working for an agency must also comply with the agency’s security program. FISMA requires agencies to conduct annual audits of their security programs, and provide reports to the Office of Management and Budget, which will then present those reports to Congress. In 2014, the law was amended by The Federal Information Security Modernization Act, commonly called FISMA Reform, which updated the law to eliminate antiquated reporting requirements and replaced them with continuous monitoring requirements.
Federal Privacy Act 1988
The Federal Privacy Act 1988 is an Australian law that regulates how personal information is handled. The law is a notable predecessor to modern privacy laws like the GDPR. To learn more, check out our full post on the law here.
A gateway is any network point that acts as an entrance to a separate network or the internet.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is an omnibus data protection law that applies directly in every Member State of the European Union (and, through the EEA Agreement, in Iceland, Liechtenstein and Norway).
The aim of the GDPR is to set a high standard for data protection, and to provide one set of data protection rules for the entire EU. The 99 articles of the GDPR set forth several fundamental rights of data protection, including the right to be informed, right of access, right to rectification, right to erasure/to be forgotten, right to restrict processing, right to data portability, right to object and rights in relation to automated decision making and profiling.
The rules set by the GDPR apply to any organization that processes the personal data of individuals in the EU, whether that organization itself is established in the EU or not. The GDPR modernizes the principles of the EU's 1995 Data Protection Directive and applies to personal data processed by what the regulation calls data controllers and data processors. Financial penalties for non-compliance reach up to €20 million or 4% of worldwide annual turnover, whichever is higher. For a more in-depth view of the GDPR, check out our GDPR Overview post.
A hacker is any individual that violates computer security through technical means.
Health Breach Notification Rule
A rule under HITECH that requires vendors of personal health records to notify consumers when the security of their health information has been breached.
Health Information Technology for Economic and Clinical Health Act (HITECH)
The Health Information Technology for Economic and Clinical Health Act (HITECH) is an American law enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH aims to build on the healthcare security and privacy requirements set forth by HIPAA. HITECH does so by adding tiered monetary penalties for noncompliance, as well as the requirement for breach notifications.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act, or HIPAA, is a 1996 American law whose Privacy and Security Rules set national standards for protecting individually identifiable health information held by covered entities and their business associates. Under HIPAA, protected health information may be used or disclosed for treatment, payment and healthcare operations without the patient's authorization, but most other disclosures require the patient's written authorization.
Who or what someone or something is.
Theft of an individual’s personally identifiable information, and the fraudulent use of that information for monetary gain.
An incident is an adverse event that compromises, or threatens to compromise, the confidentiality, integrity or availability of a system or its data.
The steps taken in response to a security or data loss incident.
Information Security Policy
The directives, rules, regulations, and best practices that an organization follows to manage and secure information.
Any individual with insider access to an organization's networks or resources that would allow them to exploit the vulnerabilities of that organization's security or steal data.
Data integrity is the assurance that information has not been altered without authorization and that it is accurate and complete. Article 5(1)(f) of the GDPR makes integrity and confidentiality a data protection principle, and Article 32 requires controllers and processors to implement measures to ensure it.
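The audit trail entry above describes logs kept for auditing, and the integrity entry above describes assurance that information has not been altered. One technique that serves both is a hash-chained log, in which every entry commits to the previous one, so altering or removing an earlier entry breaks every link after it. The Python below is an added example, not code from the glossary; the event records are constructed, and the field names (`ts`, `user`, `action`, `object`) are assumptions.

```python
"""Added example (not from the glossary): a tamper-evident audit trail in which
each entry commits to the previous entry via SHA-256, so later modification or
deletion of an entry is detected when the trail is verified."""
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used for the first entry


def _digest(prev_hash, event):
    # Canonical JSON (sorted keys, no whitespace) so equal events hash equally.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(trail, event):
    """Append an event (a dict) to the trail, linking it to the previous entry."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    trail.append({"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)})
    return trail


def verify(trail):
    """Return (ok, index_of_first_bad_entry), re-deriving every link from the start."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["event"]):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def build_sample_trail():
    """Constructed (hypothetical) events of the kind an access audit would record."""
    trail = []
    append(trail, {"ts": "2019-03-01T09:00:00Z", "user": "analyst1", "action": "read", "object": "customer/1042"})
    append(trail, {"ts": "2019-03-01T09:05:00Z", "user": "analyst1", "action": "export", "object": "customer/1042"})
    append(trail, {"ts": "2019-03-01T09:06:00Z", "user": "admin", "action": "delete", "object": "customer/1042"})
    return trail
```

Two caveats a practitioner should keep in mind. Truncating the trail by dropping its newest entries is not detected by this check, since the chain up to that point is still valid; the usual fix is to periodically record the latest hash somewhere the log writer cannot alter, such as a separate system or a signed statement. And a hash chain provides integrity, not non-repudiation: anyone who can write to the log can rebuild a consistent chain, so proving who wrote an entry requires a digital signature with a key only that writer holds.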
Internet Service Provider (ISP)
A business that provides access to the internet and related services.
Published initially in 2004, ISO 20022 is an open, international standard that defines the ISO platform for the development of financial message standards. The standard isn’t controlled by any single organization. Anyone in the financial industry can participate, and the standard is free to implement. It features fully-established maintenance, governance and evolution processes that can be used to create standards for financial messaging. For more information, check out our post on ISO 20022.
Least privilege is a security principle which mandates that users, processes and services be granted only the minimum set of permissions necessary to perform their function, for no longer than necessary.
Legal Basis for Processing
The GDPR requires that every processing of personal data rest on a legal basis, which the controller must be able to demonstrate. The six legal bases listed in Article 6 are: the data subject's consent; necessity for a contract with the data subject; compliance with a legal obligation; protection of the vital interests of the data subject or another person; performance of a task in the public interest or exercise of official authority; and the legitimate interests of the controller or a third party, where not overridden by the data subject's rights.
A generic term for a number of different types of malicious software that is intended to infiltrate computers or computer network.
Markets in Financial Instruments Directive II (MiFID II)
Issued by the European Union, MiFID II is an updated version of the Markets in Financial Instruments Directive, which had been in force since 2007; MiFID II took effect in January 2018. It broadens the scope of MiFID to include increased transparency at every stage of a transaction, from when orders are first placed until they are reconciled, and requires every trade to be closely monitored and recorded at every phase. For more information, check out our post on the law here.
Under HITECH, meaningful use is defined as using certified electronic health record (EHR) technology to: Improve quality, safety, efficiency, and reduce health disparities. Engage patients and family. Improve care coordination, and population and public health. Maintain privacy and security of patient health information.
Metadata is data that describes other data, such as the sender, recipient and timestamp of a message rather than its contents.
Multi-Factor Authentication (MFA)
An authentication process that requires more than one independent factor of verification, drawn from something you know (a password), something you have (a phone, hardware token or authenticator app) and something you are (a biometric). An example would be a login that requires a username and password combination plus a one-time code from an authenticator app. SMS codes are a common but weak second factor, since they can be intercepted or redirected through SIM swapping; app-based or hardware tokens are preferred.
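To make the "something you have" factor concrete, the following Python is an added example (not from the glossary) of verifying a time-based one-time password as the second step of a login. It implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library; the secret is the published RFC test-vector secret, used only so the result can be checked against the RFC's tables.

```python
"""Added example (not from the glossary): verifying a time-based one-time
password (RFC 6238 TOTP built on RFC 4226 HOTP) as the second factor of an
MFA login, using only the standard library."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret and stores it encrypted.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP is HOTP with the counter set to the number of 30-second steps elapsed."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time=None, step=30, window=1, digits=6):
    """Accept the code for the current step and +/- `window` steps (clock skew).

    The comparison is constant-time so timing does not reveal how many leading
    digits matched. A real service must also rate-limit attempts and refuse a
    code that was already accepted in the same step (replay), not shown here.
    """
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // step
    for offset in range(-window, window + 1):
        c = counter + offset
        if c < 0:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False
```

The window of one step in each direction is the usual compromise between tolerating phone clock drift and limiting how long a captured code stays valid.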
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is a unit of the US Commerce Department tasked with promoting and maintaining measurement standards. NIST leads the development and issuance of security standards and guidelines for the federal government.
Negligence is the breach of a legal duty to protect personal information.
Non-repudiation is the ability for a system to prove that a specific user and only that user sent a message and that the message or data hasn't been modified in any way.
When an individual makes an active indication of choice, such as checking a box indicating willingness to share information with third parties.
The opposite of opt-in. Opt-out assumes that a lack of action implies that a choice has been made, such as when a person does not uncheck a box indicating willingness to share information with third parties.
Passive Data Collection
Passive data collection is any data collection technique that gathers information automatically, with or without the end user’s knowledge.
A secret string known only to a user that is used to authenticate that user's identity. Systems should never store passwords in plaintext; they store a salted, slow hash and verify a login by recomputing it.
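As an added example (not code from the glossary) of the storage practice the entry above describes, the Python below hashes passwords with PBKDF2-HMAC-SHA256 from the standard library, with a random per-password salt and a configurable iteration count, and verifies them in constant time. The record format (`algorithm$iterations$salt$digest`) is an assumption chosen so that the work factor can be raised later without invalidating existing records.

```python
"""Added example (not from the glossary): storing and checking passwords with a
salted, iterated hash (PBKDF2-HMAC-SHA256) instead of plaintext or a bare digest."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # work factor; raise over time as hardware gets faster
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, iterations, salt and digest."""
    salt = secrets.token_bytes(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record, password):
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:                                # malformed record
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)      # no early exit on first mismatch


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record is malformed or uses a weaker work factor than policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations
```

On a successful login, call `needs_rehash` and, if it returns true, re-hash the just-verified password with the current policy; that is how a deployment migrates old records to a stronger work factor without ever holding plaintext passwords at rest.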
Patching is the process of updating software to a different version, often to address security flaws.
PCI Data Security Standard (PCI DSS)
The PCI Data Security Standard (PCI DSS) is a security standard for organizations that store, process or transmit payment card data, maintained by the Payment Card Industry Security Standards Council. Compliance is validated either by an on-site assessment by a Qualified Security Assessor or by a self-assessment questionnaire, depending on the organization's transaction volume, and typically also requires quarterly external vulnerability scans.
Any information relating to an identified or identifiable natural person.
Personal Identifiable Information (PII)
Information from which the identity of an individual can be inferred.
Any attempt to trick a user into an action such as entering credentials at a fake website, clicking a malicious link, or downloading a malicious file. Phishing attacks often take the form of emails that appear to come from a trusted source.
Ordinary readable text.
Malware that encrypts files on a device, or the whole device, and denies the user access to them unless a ransom is paid for the decryption key.
Backup systems that can maintain functionality in the event of the failure of the main system.
In the concept of privacy, retention is the idea that organizations should only retain information as long as it is pertinent.
Right of Access
An individual’s right to request and receive their personal data from a business or other organization.
Right to be Forgotten
An individual’s right to have their personal data deleted by a business or other organization possessing or controlling that data.
Right to Correct
The right for individuals to correct or amend information about themselves that is inaccurate.
Right to Deletion
An individual’s right to have their personal data deleted by a business or other organization possessing or controlling that data.
Risk Assessment is the process by which risks are identified and the impact of those risks is determined.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act, or SOX, is a 2002 US law that sets requirements for the accuracy of financial reporting and the internal controls of publicly traded companies, imposes criminal penalties for fraud, and protects whistleblowers who report it.
Secure Shell (SSH)
An encrypted network protocol, and the programs that implement it, used to log into another computer over a network, execute commands on the remote machine, and transfer files from one machine to another.
Secure Sockets Layer (SSL)
A protocol developed to transmit private data and files securely over the Internet. SSL uses public-key cryptography during its handshake to authenticate the server and establish a shared session key; the data itself is then encrypted with that symmetric key. All SSL versions are now deprecated and have been replaced by TLS.
A boundary within which security controls are enforced.
Sensitive information, as defined by the federal government, is any unclassified information that, if compromised, could adversely affect the national interest or conduct of federal initiatives.
The Secure Hash Algorithm family of one-way cryptographic hash functions. SHA-1 is deprecated for digital signatures and certificates because practical collisions have been demonstrated; SHA-2 (such as SHA-256) and SHA-3 are the current choices.
Simple Network Management Protocol (SNMP)
A protocol governing network management and the monitoring of network devices.
Single Sign-On (SSO)
An authentication tool that lets a user use one set of credentials to log into multiple services and tools.
Using manipulative techniques, such as lies, misdirection, impersonation, blackmail, and threats, to get a person to disclose sensitive information or perform an action that undermines security.
Electronic junk mail.
A phishing attack targeted at a specific person, usually an individual with sensitive credentials.
Any potential for violation of security.
The identification of the types of threats that an organization is exposed to.
The method a threat uses to get to the target.
Transport Layer Security (TLS)
A protocol that secures the connection between a server and a client, providing encryption, integrity and server (optionally client) authentication. TLS is the successor to SSL; TLS 1.2 and 1.3 are the versions that should be used, while all SSL versions and TLS 1.0 and 1.1 are deprecated.
Two-Factor Authentication (2FA)
See multi-factor authentication.
US-CERT is a partnership between the United States Department of Homeland Security and public and private sector organizations. US-CERT tracks security issues and vulnerabilities and works with vendors to release patches for vulnerabilities.
Any flaw or weakness that can be used to attack a system or organization.