Data Protection Glossary

A comprehensive reference for data protection, privacy compliance, and information security terminology. From DPDPA to GDPR, understand every concept.

C

CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)

Regulations

The CCPA, as amended by the CPRA, is California's comprehensive consumer privacy law granting residents the right to know, delete, and opt out of the sale or sharing of their personal information, enforced by the California Privacy Protection Agency.

Cloud Data Protection

Technology

Cloud data protection encompasses the policies, technologies, and controls used to protect personal data stored and processed in cloud computing environments.

Code of Conduct

Compliance

A code of conduct in data protection is a set of rules developed by an industry association or group of organizations that specifies how data protection regulations apply to specific processing activities within their sector.

Compliance Audit

Compliance

A compliance audit is a systematic review of an organization's adherence to data protection laws, regulations, policies, and standards, identifying gaps and areas for improvement.

Consent Management

Compliance

Consent management is the systematic process of obtaining, recording, tracking, and managing individuals' consent for the collection and processing of their personal data in compliance with privacy regulations.

Cookie Consent

Compliance

Cookie consent is the requirement under privacy laws for websites to obtain user permission before placing non-essential cookies or similar tracking technologies on a user's device.

COPPA (Children's Online Privacy Protection Act)

Regulations

COPPA is a US federal law that requires websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information from children.

Cross-Border Data Transfer

Compliance

Cross-border data transfer refers to the movement of personal data from one country or jurisdiction to another, which is regulated by data protection laws that impose specific requirements to ensure adequate protection.

D

Dark Data

Technology

Dark data is information collected and stored by an organization but never analyzed, used, or leveraged, often containing personal data that creates unmanaged privacy risk.

Data Anonymization

Technology

Anonymization irreversibly transforms personal data so that individuals can no longer be identified, even by the data controller, removing the data from privacy regulation scope.

Data Breach Notification

Compliance

Data breach notification is the legal requirement for organizations to inform supervisory authorities and affected individuals when a security incident results in unauthorized access to, or loss of, personal data.

Data Catalog

Technology

A data catalog is a centralized inventory of data assets across an organization, providing metadata, classification, lineage, and search capabilities for data governance.

Data Classification

Technology

Data classification is the process of categorizing data by sensitivity level, type, and regulatory applicability to determine appropriate protection measures and handling procedures.

Data Discovery

Technology

Data discovery is the automated process of identifying and cataloging personal data across an organization's technology landscape, including databases, file systems, cloud storage, and SaaS applications.

Data Encryption

Technology

Encryption transforms readable data into an unreadable format using cryptographic algorithms, protecting confidentiality by ensuring only authorized parties with the correct key can access the data.

Data Fiduciary

Compliance

A Data Fiduciary under India's DPDPA is any person or entity that alone or in conjunction with others determines the purpose and means of processing digital personal data, analogous to a data controller under the GDPR.

Data Governance

Compliance

Data governance is the overall management of data availability, usability, integrity, and security within an organization, establishing policies, procedures, and accountability for data management.

Data Inventory

Compliance

A data inventory is a comprehensive catalog of all personal data an organization collects, stores, and processes, including details about data types, locations, purposes, and retention periods.

Data Lineage

Technology

Data lineage tracks the origin, movement, and transformation of data through systems, providing visibility into how personal data flows across the organization.

Data Loss Prevention (DLP)

Technology

DLP is a set of tools and processes that detect and prevent unauthorized transmission, sharing, or exfiltration of sensitive personal data outside the organization.

Data Mapping

Compliance

Data mapping is the process of identifying and documenting how personal data flows through an organization, including where it is collected, stored, processed, shared, and eventually deleted.

Data Mapping

Technology

Data mapping documents where personal data exists, how it flows between systems, who has access, and what processing activities are performed.

Data Masking

Technology

Data masking replaces sensitive data with realistic but fictitious values, protecting privacy while maintaining data utility for testing, development, and analytics.

Data Minimization

Compliance

Data minimization is a core data protection principle requiring organizations to collect and process only the personal data that is strictly necessary for the specified purpose, and no more.

Data Principal / Data Subject

Compliance

A Data Principal (under India's DPDPA) or Data Subject (under the GDPR) is the individual whose personal data is being collected, processed, or stored by an organization.

Data Processing Agreement

Compliance

A Data Processing Agreement is a legally binding contract between a data controller and a data processor that governs how personal data will be processed, ensuring compliance with data protection regulations.

Data Protection Board

Compliance

A Data Protection Board is a regulatory body established to oversee and enforce data protection laws, such as the Data Protection Board of India under the DPDPA or the European Data Protection Board under the GDPR.

Data Protection Certification

Compliance

Data protection certification is a formal attestation by an accredited body that an organization's data processing operations comply with specific data protection standards or regulatory requirements.

Data Protection Impact Assessment (DPIA)

Compliance

A Data Protection Impact Assessment is a systematic process for evaluating the potential impact of a data processing activity on individuals' privacy, required under the GDPR for processing likely to result in high risk to data subjects.

Data Pseudonymization

Technology

Pseudonymization replaces direct identifiers with artificial identifiers, reducing privacy risk while maintaining data utility; because the original identifiers can still be re-linked, the data remains personal data under the GDPR.

Data Retention

Technology

Data retention refers to policies and practices governing how long personal data is stored before being deleted or anonymized, aligned with regulatory storage limitation requirements.

Data Stewardship

Compliance

Data stewardship is the management and oversight of an organization's data assets by designated individuals who ensure data quality, compliance, and proper handling throughout the data lifecycle.

Data Subject

Compliance

A data subject is an identified or identifiable natural person whose personal data is being collected, held, or processed by an organization.

Data Subject Access Request (DSAR)

Compliance

A Data Subject Access Request is a formal request made by an individual to an organization to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data along with details about how it is used.

Data Subject Rights (DSR)

Compliance

Data Subject Rights are the legal rights granted to individuals under data protection laws, enabling them to control how their personal data is collected, used, stored, and shared by organizations.

Data Tokenization

Technology

Tokenization replaces sensitive data with non-sensitive tokens that can be mapped back to the original data through a secure token vault, protecting data while preserving processability.

Differential Privacy

Technology

Differential privacy is a mathematical framework that adds calibrated noise to data or query results, enabling statistical analysis while providing provable privacy guarantees for individuals.

DPA 2018 (UK Data Protection Act)

Regulations

The UK Data Protection Act 2018 is the United Kingdom's implementation of the GDPR into domestic law, supplementing the UK GDPR with provisions for law enforcement processing, intelligence services, and specific UK exemptions.

DPDPA (Digital Personal Data Protection Act)

Regulations

The Digital Personal Data Protection Act is India's comprehensive data privacy law enacted in 2023, governing the processing of digital personal data with an emphasis on consent, data fiduciary obligations, and the rights of data principals.

DPDPA Chapter III (Rights of Data Principal)

Regulations

Chapter III of India's DPDPA establishes the rights of Data Principals including the right to information, correction, erasure, grievance redressal, and nomination, forming the core of individual data protection under Indian law.

P

PCI DSS (Payment Card Industry Data Security Standard)

Regulations

PCI DSS is a set of security standards established by major credit card companies to protect cardholder data, requiring organizations that handle payment card information to meet twelve security requirements.

PDPA (Personal Data Protection Act - Singapore)

Regulations

Singapore's PDPA is a comprehensive data protection law that governs the collection, use, disclosure, and care of personal data by organizations, enforced by the Personal Data Protection Commission.

PDPA (Personal Data Protection Act - Thailand)

Regulations

Thailand's PDPA is a comprehensive data protection law modeled after the GDPR that regulates the collection, use, and disclosure of personal data, with full enforcement beginning in June 2022.

Personally Identifiable Information (PII)

Technology

PII is any information that can be used to identify a specific individual, including names, addresses, email addresses, phone numbers, Social Security numbers, and biometric data.

PIPEDA (Personal Information Protection and Electronic Documents Act)

Regulations

PIPEDA is Canada's federal private-sector privacy law that governs how commercial organizations collect, use, and disclose personal information in the course of commercial activities.

PIPL (Personal Information Protection Law - China)

Regulations

The PIPL is China's comprehensive personal information protection law that regulates the processing of personal information by organizations inside and outside China, with strict cross-border data transfer requirements.

POPIA (Protection of Personal Information Act)

Regulations

POPIA is South Africa's comprehensive data protection law that promotes the protection of personal information processed by public and private bodies, enforced by the Information Regulator.

Privacy Act (Australia)

Regulations

Australia's Privacy Act 1988 regulates the handling of personal information by Australian Government agencies and private sector organizations, built around thirteen Australian Privacy Principles.

Privacy by Default

Compliance

Privacy by Default means that the strictest privacy settings automatically apply when a customer acquires a new product or service, without requiring any manual input or configuration by the individual.

Privacy by Design

Compliance

Privacy by Design is a proactive approach that embeds data protection safeguards into the design and architecture of IT systems, business practices, and products from the earliest stages of development.

Privacy Framework

Compliance

A privacy framework is a structured set of guidelines, standards, and best practices that organizations use to develop and maintain their data protection and privacy compliance programs.

Privacy Impact Assessment (PIA)

Compliance

A Privacy Impact Assessment is a process used to identify and evaluate the privacy risks of a project, system, or initiative, helping organizations mitigate risks before they materialize.

Privacy Notice / Privacy Policy

Compliance

A privacy notice is a public-facing document that informs individuals about how an organization collects, uses, stores, shares, and protects their personal data, as required by data protection regulations.

Privacy Program

Compliance

A privacy program is a comprehensive organizational framework encompassing the policies, procedures, people, and technologies that manage an organization's data protection obligations and privacy risks.

Privacy Shield

Regulations

Privacy Shield was a framework governing transatlantic data transfers between the EU and the US, invalidated by the EU Court of Justice in 2020 and subsequently replaced by the EU-US Data Privacy Framework in 2023.

Privacy-Enhancing Technologies (PETs)

Technology

PETs are technologies designed to protect personal data privacy while enabling data processing, analysis, and sharing for legitimate purposes.

Profiling Under GDPR

Compliance

Profiling under the GDPR is any form of automated processing of personal data that evaluates personal aspects of a natural person, such as analyzing or predicting behavior, preferences, interests, or movements.

Protected Health Information (PHI)

Technology

PHI is individually identifiable health information held or transmitted by a covered entity or its business associate, protected under HIPAA regulations.

Purpose Limitation

Compliance

Purpose limitation is a data protection principle requiring that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

R

Records of Processing Activities (ROPA)

Compliance

Records of Processing Activities is a mandatory documentation requirement under the GDPR that obliges organizations to maintain detailed records of all personal data processing activities they conduct.

Regulatory Compliance

Compliance

Regulatory compliance refers to an organization's adherence to laws, regulations, guidelines, and specifications relevant to its data processing and business operations.

Right of Access

Compliance

The right of access grants individuals the ability to obtain from an organization confirmation of whether their personal data is being processed and to receive a copy of that data along with key details about the processing.

Right to Data Portability

Compliance

The right to data portability allows individuals to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another organization.

Right to Erasure (Right to Be Forgotten)

Compliance

The right to erasure, also known as the right to be forgotten, allows individuals to request that organizations delete their personal data when it is no longer necessary, consent is withdrawn, or processing is unlawful.

Right to Object

Compliance

The right to object allows individuals to oppose the processing of their personal data in certain circumstances, including processing based on legitimate interests, direct marketing, and research or statistical purposes.

Right to Rectification

Compliance

The right to rectification allows individuals to request that an organization correct inaccurate personal data or complete incomplete personal data held about them.

Right to Restrict Processing

Compliance

The right to restrict processing allows individuals to request that an organization limit its processing of their personal data in certain circumstances, such as while the accuracy of the data is being verified.

Role-Based Access Control (RBAC)

Technology

RBAC restricts system access based on user roles within an organization, granting permissions to roles rather than individual users.

S

Secure Data Deletion

Technology

Secure data deletion ensures personal data is permanently and irreversibly removed from all storage systems, supporting the right to erasure and storage limitation.

Sensitive Personal Data

Technology

Sensitive personal data includes special categories such as health information, biometric data, racial or ethnic origin, religious beliefs, and sexual orientation that require enhanced protection.

Shadow IT

Technology

Shadow IT refers to technology systems, applications, and cloud services used within an organization without formal IT department approval or oversight.

Significant Data Fiduciary

Compliance

A Significant Data Fiduciary is a designation under India's DPDPA for Data Fiduciaries that process large volumes of personal data, carrying additional obligations including appointing a DPO and conducting impact assessments.

SOC 2

Regulations

SOC 2 is a compliance framework developed by the AICPA that evaluates an organization's controls related to security, availability, processing integrity, confidentiality, and privacy of customer data.

SOX (Sarbanes-Oxley Act)

Regulations

The Sarbanes-Oxley Act is a US federal law that establishes requirements for financial reporting, internal controls, and record retention for publicly traded companies to protect investors from fraudulent accounting.

Standard Contractual Clauses (SCC)

Compliance

Standard Contractual Clauses are pre-approved model contractual clauses adopted by the European Commission to facilitate lawful international transfers of personal data to countries outside the EEA.

Standard Contractual Clauses (SCCs)

Regulations

Standard Contractual Clauses are pre-approved contractual terms adopted by the European Commission that provide appropriate safeguards for transferring personal data from the EU to countries without an adequacy decision.

Storage Limitation

Compliance

Storage limitation is a data protection principle requiring organizations to retain personal data only for as long as necessary to fulfill the purposes for which it was collected, then securely delete or anonymize it.

Supervisory Authority

Compliance

A supervisory authority is an independent public body established by a country to monitor and enforce compliance with data protection laws, such as the ICO in the UK or the CNIL in France.

Synthetic Data

Technology

Synthetic data is artificially generated data that statistically resembles real data but contains no actual personal information, useful for testing, development, and analytics.