Data Privacy Glossary
Navigating the landscape of data privacy and compliance can be daunting. If you’re new to the field, or simply need a refresher, here is a list of the most common data privacy terms you should be aware of.
Adequate Level of Protection
The level of data protection that the GDPR requires a non-EU country or international organization to guarantee before personal data may be transferred there without additional safeguards. The European Commission determines adequacy by formal decision.
Anonymization
Closely related to data masking: the process of altering personally identifiable information (PII) so that the data can no longer be used, alone or in combination with other data, to identify an individual. Properly anonymized data falls outside most privacy laws because it is no longer personal data.
Audit Trail
An audit trail is a chronological record of activity (who did what, and when) kept for auditing purposes. For compliance, this includes the records that evidence adherence to regulatory requirements.
Authentication
Authentication is the process of verifying that a person or system is who they claim to be before granting access to a resource. It is distinct from authorization, which decides what an authenticated identity is allowed to do.
Biometric Data
Biometric data is data about physical or behavioral characteristics that can identify a person, such as fingerprints, facial geometry, voice, or DNA.
Breach Notification
The process of notifying regulators and/or affected individuals of incidents affecting the confidentiality or security of personal data. Regulations typically set deadlines; the GDPR, for example, requires notification of the supervisory authority within 72 hours of becoming aware of a breach.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a state privacy law that applies to for-profit businesses meeting certain revenue or data-volume thresholds that collect personal information from California residents, regardless of where the business is located.
Cloud Computing
The provision of computing resources (servers, storage, databases, software) as services over the Internet rather than on infrastructure the customer owns and operates.
Consent
A data subject's freely given, specific and informed agreement to the collection and processing of their personal data, which they can decline or withdraw. Consent is one lawful basis for processing under the GDPR, not the only one.
COPPA
The Children's Online Privacy Protection Act of 1998 is a U.S. federal law that requires operators of websites and online services to obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13, including for behavioral advertising.
Cookie
A small file a website stores in the browser to track activity, remember user preferences and keep users logged in across sessions. Cookies used for tracking are regulated as personal data in many jurisdictions.
Customer Data
Data that relates to business clients, healthcare patients or any member of the public who uses a service.
Cybersecurity
The protection of an organization's systems, networks and data, including its online properties and anything stored in them, from unauthorized access, disruption or damage.
Data Breach
A data breach is any unauthorized access to, or disclosure of, sensitive or personal data, whether caused by an outside attacker, a malicious insider or an accident.
Data Brokers
Entities that collect personal data, often from many sources, and sell or license it to others.
Data Centers
Facilities that house an organization's servers, storage and most critical network systems.
Data Localization
The legal requirement that data be physically stored (and sometimes processed) in the country or group of countries in which it originated.
Data Element
A single unit of data, such as a date of birth, a numerical identifier, or location coordinates.
Data Loss
The unintended exposure or destruction of data, whether through user error, misplaced devices or media, or theft.
Data Masking
A method of data protection that de-identifies data while keeping its structure and format intact, so that the content can no longer be used to identify someone but the data still behaves like the original in applications and tests.
Data Portability
A right under the GDPR that entitles data subjects to receive their personal data from a data controller in a structured, commonly used and machine-readable format, and to transmit it to another controller.
Data Processing
Any operation performed on personal data, including collecting, recording, storing, altering, transferring, disclosing and erasing it.
Data Protection
Data protection refers to any software, process or activity aimed at safeguarding the confidentiality and integrity of private data.
Data Protection Authority
A Data Protection Authority (DPA) is an independent public authority that supervises and enforces data protection laws.
Data Protection (DP) Principles
As set out in Article 5 of the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Every processing of personal data must satisfy all of them.
Database
An organized collection of data, typically structured so that it can be queried and updated.
De-identification
The process of removing or altering identifying characteristics in data so that it can no longer be linked to an individual; data masking is one technique for achieving it.
Disaster Recovery Plan
A plan to implement the process of recovery of IT systems and data in the event of a disaster.
Development Lifecycle
The lifecycle of a product or software system from initial planning and development through release and maintenance to decommissioning, whether run as discrete stages or continuously.
DevOps
Tools, processes and teams that combine software development and IT operations so that changes can be built, tested and deployed rapidly and repeatably.
Direct Identifiers
Direct identifiers are data elements that on their own identify a specific individual, such as name, address, Social Security Number, e-mail address, or biometric record.
The process of maintaining a plan to protect data, prevent fraud, and detect data breaches when they occur.
Dynamic Data Masking
Masking applied at query time: the data stored in the database stays unchanged, but users or applications without the required privileges receive masked values. It is used when certain roles need access to limited parts of sensitive data while the rest remains shielded.
EHR
An electronic health record (EHR) is a digital record of a patient's health information designed to be shared across providers, so that a patient's medical information moves with them.
Employee Data
Personal information about employees collected by an organization, such as payroll, performance and contact details.
EMR
An electronic medical record (EMR) is a digital version of the paper chart kept within a single practice, used mainly for diagnosis and treatment.
Encryption
Encryption is a type of data protection that transforms plaintext into ciphertext, hiding the original data's meaning. Encrypted information is unreadable without the corresponding decryption key, so protecting that key is as important as the encryption itself.
ePHI
Electronic protected health information: PHI that is created, received, stored or transmitted in electronic form and therefore falls under the HIPAA Security Rule.
EU-US Privacy Shield
The EU-U.S. and Swiss-U.S. Privacy Shield frameworks, administered by the U.S. Department of Commerce, governed the collection, use and retention of personal data transferred to the United States from the EU (and the UK) and from Switzerland, respectively. The EU-U.S. framework was invalidated by the Court of Justice of the European Union in July 2020 (the Schrems II decision).
Federal Law on the Protection of Personal Data
Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (2010) regulates the processing of personal data by private-sector organizations.
FERPA
The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that protects the privacy of student education records and applies to all educational institutions that receive funding from the U.S. Department of Education.
Flow of data
The channels by which data travels within an organization and to and from external parties.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the European Union's data privacy law. It applies to any organization, including those established outside Europe, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour.
This is a method of data masking that eliminates only some parts of the data to make it less identifiable but also retains referential integrity.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act, the common name for the Financial Services Modernization Act of 1999, applies to financial institutions in the U.S. and requires them to explain their information-sharing practices to customers and to safeguard customers' nonpublic personal information.
Hacker
A hacker is an individual who gains access to computer systems or circumvents their security through technical means. In the security trade the word also covers people who do so legitimately, so "attacker" is the precise term for the malicious case.
Harm assessment process
An assessment of the risks faced by customers throughout the data life cycle. This process identifies business practices that could cause potential harm to customers.
HIPAA
The Health Insurance Portability and Accountability Act, or HIPAA, is a U.S. federal law whose Privacy and Security Rules set the requirements for protecting health information held by covered entities (providers, health plans, clearinghouses) and their business associates.
HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 builds on the privacy and security requirements set forth by HIPAA. It adds tiered monetary penalties for noncompliance, extends HIPAA obligations directly to business associates, and requires notification of breaches of unsecured PHI.
HITRUST
HITRUST is an independent non-profit organization established to help the healthcare industry manage information risk. It maintains a set of controls known as the HITRUST CSF (Common Security Framework), which it updates regularly in response to current breach data and cyber threats.
Human Error
Human error is the cause of most internal breaches: typically, not realizing that an activity poses a risk. Examples include introducing malware through a personal device or a phishing e-mail, using a weak or shared password, and sending sensitive information to the wrong recipient or to someone outside the organization.
Identifiers
Data elements that can be used, alone (direct identifiers) or in combination with other data (indirect identifiers), to single out a specific individual.
Identity Theft
Theft of an individual's personally identifiable information and the fraudulent use of that information, usually for financial gain.
Indirect Identifier
An indirect identifier (also called a quasi-identifier) is a value that cannot identify an individual on its own but can do so when combined with other elements; date of birth, postal code and gender are classic examples.
Insider Threats
Data privacy threats that originate from inside an organization, whether through malice or negligence. See How To Train Your Team To Avoid The Most Common Insider Threats
k-anonymity
A privacy property of a released dataset: every combination of quasi-identifier values appears in at least k records, so that any individual is indistinguishable from at least k-1 others. It is reached by generalizing, truncating or suppressing quasi-identifiers after direct identifiers have been removed.
l-diversity
A property that builds on k-anonymity by requiring at least l distinct values of the sensitive attribute within each group of records that share the same quasi-identifiers, so that belonging to a group does not by itself reveal the sensitive value.
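As an added example that is not part of the glossary, the following Python script treats k-anonymity and l-diversity as measurable properties: it groups a small constructed patient table by quasi-identifier, reports the k and l the table actually satisfies, and generalizes age and ZIP code just far enough to reach k = 3. The records and the two generalization hierarchies are assumptions made up for illustration.

```python
"""k-anonymity and l-diversity on a constructed patient table.

Added example, not from the glossary. The records, quasi-identifiers and the two
generalization hierarchies below are assumptions made up for illustration.
"""
from collections import defaultdict
from itertools import product

# Constructed sample: direct identifiers are already removed; `age` and `zip` are
# quasi-identifiers, `diagnosis` is the sensitive attribute.
RECORDS = [
    {"age": 29, "zip": "02139", "diagnosis": "flu"},
    {"age": 31, "zip": "02138", "diagnosis": "asthma"},
    {"age": 34, "zip": "02141", "diagnosis": "flu"},
    {"age": 47, "zip": "10001", "diagnosis": "diabetes"},
    {"age": 52, "zip": "10002", "diagnosis": "hypertension"},
    {"age": 58, "zip": "10004", "diagnosis": "diabetes"},
]
QUASI_IDENTIFIERS = ("age", "zip")
SENSITIVE = "diagnosis"


def generalize_age(age: int, level: int) -> str:
    """Generalization hierarchy for age: exact -> 10-year band -> suppressed."""
    if level == 0:
        return str(age)
    if level == 1:
        low = (age // 10) * 10
        return f"{low}-{low + 9}"
    return "*"


def generalize_zip(zip_code: str, level: int) -> str:
    """Generalization hierarchy for ZIP: replace `level` trailing digits with '*'."""
    level = min(level, len(zip_code))
    return zip_code[: len(zip_code) - level] + "*" * level


def generalize(records, age_level: int, zip_level: int):
    """Apply both hierarchies to every record; the sensitive attribute is untouched."""
    return [
        {"age": generalize_age(r["age"], age_level),
         "zip": generalize_zip(r["zip"], zip_level),
         SENSITIVE: r[SENSITIVE]}
        for r in records
    ]


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in QUASI_IDENTIFIERS)].append(r)
    return classes


def k_anonymity(records) -> int:
    """The k the table actually satisfies: the size of its smallest equivalence class."""
    return min(len(group) for group in equivalence_classes(records).values())


def l_diversity(records) -> int:
    """The l the table actually satisfies: fewest distinct sensitive values in any class."""
    return min(len({r[SENSITIVE] for r in group})
               for group in equivalence_classes(records).values())


def anonymize(records, k: int):
    """Apply the least generalization (by total level) that reaches k-anonymity.

    Returns (generalized_table, age_level, zip_level). Raises if even full
    suppression of the quasi-identifiers cannot reach k.
    """
    zip_len = max(len(r["zip"]) for r in records)
    candidates = sorted(product(range(3), range(zip_len + 1)), key=sum)
    for age_level, zip_level in candidates:
        table = generalize(records, age_level, zip_level)
        if k_anonymity(table) >= k:
            return table, age_level, zip_level
    raise ValueError(f"cannot reach {k}-anonymity with {len(records)} records")


if __name__ == "__main__":
    print("raw table: k =", k_anonymity(RECORDS), "l =", l_diversity(RECORDS))
    table, age_level, zip_level = anonymize(RECORDS, k=3)
    for row in table:
        print(row)
    # 3-anonymous, yet each class still holds only 2 distinct diagnoses: l = 2.
    print("generalized: k =", k_anonymity(table), "l =", l_diversity(table))
```

The generalized table is 3-anonymous but only 2-diverse: each equivalence class still contains just two distinct diagnoses, so an attacker who knows a patient's age and ZIP learns that the diagnosis is one of two. That residual leak is exactly the gap l-diversity was introduced to measure.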
Malware
Malicious software intended to infiltrate, damage or take control of computers or computer networks.
Multi-Factor Authentication (MFA)
An authentication process that requires more than one factor of verification.
NIST
The National Institute of Standards and Technology (NIST) is a unit of the U.S. Department of Commerce tasked with developing and maintaining measurement standards. Its Cybersecurity Framework and Privacy Framework are voluntary but widely adopted tools for managing cybersecurity and privacy risk, respectively.
NIST Privacy Framework
The NIST Privacy Framework is a tool for improving privacy through enterprise risk management. It is composed of three parts: the Core, Profiles, and Implementation Tiers.
Non-production Environment
A non-production environment is used exclusively for purposes other than serving live users, such as developing and testing code. Copying production data into it unmasked is a common source of exposure.
Obfuscation
In the data masking context, obfuscation removes sensitive values from files and databases outright, nulling or redacting them rather than replacing them with realistic substitutes. It is the most extreme form of masking, and the affected fields become useless for testing.
On-the-fly data masking
Masking applied to data as it moves, for example while being copied from production into a test system, rather than to a stored copy. It is used when data must be masked in real time or when there is no space for an intermediate masked copy.
Opt-in / Opt-out
To opt in is to grant consent for data to be collected; to opt out is to withhold or withdraw that consent.
PCI DSS
The PCI Data Security Standard (PCI DSS) is a security standard, created by the Payment Card Industry Security Standards Council, for any organization that stores, processes or transmits payment card data.
Personal Data
Any information relating to an identified or identifiable natural person (the GDPR's definition).
PII
Personally Identifiable Information: information from which the identity of an individual can be inferred, plus any other information linkable to an individual, such as medical, educational, financial, and employment information.
PHI
Protected Health Information: any individually identifiable health information transmitted or maintained by a HIPAA covered entity or its business associate.
Phishing
Any attempt to trick a user into an action such as entering credentials at a fake website, clicking a malicious link, or opening a malicious attachment, usually by impersonating a trusted sender.
Physical Breach
A type of data breach caused by the physical loss or theft of documents or media containing sensitive information, for example patient files, a list of customer credit card numbers, or a spreadsheet of contact details.
PIPEDA
In Canada, the Personal Information Protection and Electronic Documents Act governs the collection, use and disclosure of personal information in the course of commercial activity in the private sector.
Privacy Law
A binding legislative act that governs the collection, processing, ownership and sale of personal data. See Data Privacy Regulations You Need To Know About
Privacy Policy
A published statement that describes how an organization or entity collects, uses, shares and protects personal information.
Production Environment
A production environment is the environment in which software is deployed and serves real users and real data, as opposed to development and test environments.
Pseudonymization
The processing of personal data so that it can no longer be attributed to a specific individual without the use of additional information, which is kept separately and protected. Unlike anonymized data, pseudonymized data is still personal data under the GDPR.
Random Substitution
A type of data masking that replaces a given value with a random value drawn from a pre-compiled data set, such as a list of valid-looking credit card numbers or names.
Ransomware
Malware that encrypts files on a device or across a network and denies the user access to them unless a ransom is paid for the decryption key.
Referential Integrity
The consistency of relationships between tables: every foreign-key value must match an existing key in the table it references. Masking must preserve it, so a key that is masked in one table has to be masked the same way everywhere it is referenced.
Right to be Forgotten
An individual's right (the right to erasure under GDPR Article 17) to have their personal data deleted by a business or other organization holding it, subject to certain exceptions.
Risk Assessment
The process by which risks are identified and their likelihood and impact are determined, so that controls can be prioritized.
Safe Harbor
The U.S.-EU Safe Harbor Framework (2000) was a set of principles under which U.S. organizations could self-certify that they gave personal data transferred from the EU an adequate level of protection. It was invalidated by the Court of Justice of the European Union in October 2015 (the Schrems I decision) and was succeeded by the Privacy Shield.
Security
Encompasses the administrative, technical and physical measures that protect an organization's private data.
Sensitive Data
Sensitive data is personal data whose exposure carries heightened risk to the individual, including information about race or ethnic origin, marital status, age, color, and religious, philosophical, health or political affiliations. The GDPR calls a subset of these "special categories" and restricts their processing.
Sensitive Data Discovery
A tool or process that connects to databases and file stores and locates any information that can be used to identify someone, such as social security numbers, account numbers, addresses, credit card numbers, and medical records, so that it can be protected or masked.
Shuffling
A method of data masking that randomly permutes the values within a column, so that each value is real but no longer attached to its original row.
SSIS
SQL Server Integration Services (SSIS) is a component of Microsoft SQL Server used for data integration, ETL and migration tasks.
Static data masking
Static data masking produces a masked copy of the original production database or other data store in a stable, non-changing environment. It is mainly used to refresh non-production environments with realistic but de-identified data and to limit what insiders can see.
Structured Data
Structured data is information organized into a fixed schema of rows and columns, as in a relational database.
Substitution
A substitution algorithm masks data by replacing a given value with another value that is plausible for the given entity, whether a whole field, part of a text, or any other element.
Test Data
Test data is data used in copies of production environments, called testing environments, to test changes and updates made by developers. It should be masked or synthetic rather than raw production data.
Third-Party Data
Data acquired from a source other than directly from the subject of the data.
Terms of Service
The set of rules which govern the use of a service and must be agreed to, either implicitly through the use of that service or explicitly, in order to make use of that service.
Tokenization
A form of de-identification that replaces meaningful values with random tokens. The mapping from token to original value is kept in a separate, protected store (a token vault), so a token carries no exploitable information on its own.
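The masking entries in this glossary (pseudonymization, random substitution, shuffling, substitution and tokenization) and the referential integrity entry are illustrated together in this added Python example, which is not part of the glossary. It masks a constructed customer table with one technique per column, pseudonymizes the e-mail foreign key identically in the orders table so the join still works, and checks that referential integrity survives. The two tables, NAME_POOL and the HMAC key are assumptions made up for illustration; hmac, hashlib, random and secrets are Python standard-library modules.

```python
"""Masking techniques that keep referential integrity, on a constructed customer/order pair.

Added example, not from the glossary. The two tables, NAME_POOL and the key are
constructed for illustration; the techniques are the glossary's own terms.
"""
import hashlib
import hmac
import random
import secrets

# Constructed sample data. `orders.email` is a foreign key into `customers.email`.
CUSTOMERS = [
    {"id": 1, "name": "Alice Park", "email": "alice@example.com", "city": "Boston", "card": "4111111111111111"},
    {"id": 2, "name": "Bob Reyes", "email": "bob@example.com", "city": "Denver", "card": "5500000000000004"},
    {"id": 3, "name": "Carol Ng", "email": "carol@example.com", "city": "Austin", "card": "340000000000009"},
]
ORDERS = [
    {"order_id": 100, "email": "alice@example.com", "total": 42.00},
    {"order_id": 101, "email": "carol@example.com", "total": 13.50},
    {"order_id": 102, "email": "alice@example.com", "total": 7.25},
]
# Constructed pre-compiled set for random substitution of names.
NAME_POOL = ["Jordan Lee", "Sam Patel", "Casey Kim", "Riley Chen", "Morgan Diaz"]


def pseudonymize(value: str, key: bytes) -> str:
    """Pseudonymization: keyed, deterministic replacement.

    Equal inputs give equal outputs (so joins across tables still work), and
    without `key` nobody can recompute the pseudonym from a guessed input.
    """
    return "p_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Tokenization: random tokens stand in for card numbers; only the vault maps back."""

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:          # same card -> same token
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._by_token:       # collision is vanishingly unlikely, but cheap to check
            token = "tok_" + secrets.token_hex(8)
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def substitute(pool, rng: random.Random) -> str:
    """Random substitution: replace the value with a random entry from a pre-compiled set."""
    return rng.choice(pool)


def shuffle_column(rows, column: str, rng: random.Random):
    """Shuffling: permute one column across rows; values stay real but detached from their row."""
    values = [r[column] for r in rows]
    rng.shuffle(values)
    return [{**r, column: v} for r, v in zip(rows, values)]


def mask_tables(customers, orders, key: bytes, vault: TokenVault, rng=None):
    """One technique per column; the foreign key is pseudonymized identically in both tables."""
    rng = rng or random.Random()
    masked_customers = [
        {**c,
         "name": substitute(NAME_POOL, rng),
         "email": pseudonymize(c["email"], key),
         "card": vault.tokenize(c["card"])}
        for c in customers
    ]
    masked_customers = shuffle_column(masked_customers, "city", rng)
    masked_orders = [{**o, "email": pseudonymize(o["email"], key)} for o in orders]
    return masked_customers, masked_orders


def referential_integrity_holds(customers, orders) -> bool:
    """Every order must still point at an existing customer after masking."""
    emails = {c["email"] for c in customers}
    return all(o["email"] in emails for o in orders)


if __name__ == "__main__":
    vault = TokenVault()
    masked_customers, masked_orders = mask_tables(
        CUSTOMERS, ORDERS, key=b"constructed-demo-key", vault=vault, rng=random.Random(7))
    for row in masked_customers + masked_orders:
        print(row)
    print("referential integrity:", referential_integrity_holds(masked_customers, masked_orders))
    # Masking only one side of the relationship breaks the join:
    print("masked customers vs. raw orders:", referential_integrity_holds(masked_customers, ORDERS))
```

The HMAC key and the token vault are the "additional information kept separately" that the pseudonymization entry refers to: whoever holds them can re-identify, so they must not travel with the masked copy into the test environment.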
Transparency
The obligation to give data subjects clear and accessible information about how their personal data is processed, including who processes it, for what purpose, and for how long.
Unstructured Data
Information that does not reside in a traditional row-and-column database, such as free text, e-mails, documents or images.