Data Privacy Glossary
Navigating the landscape of data privacy and compliance can be daunting. If you’re new to the field, or simply need a refresher, here is a list of the most common data privacy terms you should be aware of.
Adequate Level of Protection
The level of data protection that the GDPR requires a third country or international organization to provide before personal data can be transferred there without additional safeguards. The European Commission confirms it through an adequacy decision.
Anonymization
The irreversible process of altering personally identifiable information (PII) so that it can no longer be used to identify an individual, by anyone and by any reasonably likely means. Data masking is one family of techniques used to achieve it; properly anonymized data falls outside the scope of the GDPR, whereas pseudonymized data does not.
Audit Trail
An audit trail is a chronological record of who did what, to which data, and when, kept for auditing purposes. For compliance purposes, this includes all records demonstrating regulatory compliance.
Authentication
Authentication is the process of verifying the identity of a person, device or service before granting access to a resource.
Biometric Data
Biometric data is personal data derived from a person's physical, physiological or behavioural characteristics that can uniquely identify them, such as fingerprints, facial images, iris scans or voice patterns.
Breach Disclosure
The process of notifying regulators and/or victims of incidents affecting the confidentiality and security of personal data.
CCPA
The California Consumer Privacy Act (CCPA) is a state-level privacy law of California. It applies to for-profit businesses that do business in California, collect personal information of California residents, and meet one of its thresholds on annual revenue, volume of consumers' data handled, or share of revenue derived from selling or sharing personal information.
Cloud
The provision of information technology services over the Internet.
Consent
The right of a data subject to agree to or decline the collection and processing of their personal data. Under the GDPR, consent must be freely given, specific, informed and unambiguous, and must be as easy to withdraw as it was to give.
COPPA
The Children’s Online Privacy Protection Act of 1998 is a U.S. federal law that requires companies to obtain explicit, verifiable permission from parents before collecting, using or disclosing personal information from children under 13 or targeting them with behavioral ads.
Cookie
A small piece of data that a website stores in the user's browser and that the browser sends back on later requests. Cookies are used to keep users logged in across sessions, remember preferences, and track browsing activity.
Customer Information
Data that relates to business clients, healthcare patients or any member of the public that uses a service.
Cybersecurity
The protection of an organization's systems, networks, applications and the data they hold against unauthorized access, disruption or misuse.
Data Breach
A data breach is any unauthorized access or disclosure of sensitive or personal data.
Data Broker
An entity that collects personal data, often from public records and third-party sources rather than directly from the individual, and sells or licenses it to others.
Data Centers
Facilities that store data and house a network’s most critical systems.
Data Localization
The legal requirement that data be physically stored in the same country or group of countries that it originated from.
Data Elements
A unit of data such as date of birth, numerical identifier, or location co-ordinates.
Data Loss
Data becoming unavailable or destroyed, whether through user error, hardware failure, accidental deletion, or the loss or theft of the device or media holding it.
Data Masking
A method of data protection that involves de-identifying data so that the structure remains the same but the content can no longer be used to identify someone.
Data Portability
A right under the GDPR that allows data subjects to receive the personal data they provided to a data controller in a structured, commonly used and machine-readable format, and to have it transmitted to another controller.
Data Processing
Any action that is performed on personal data, including collecting, storing and transferring data.
Data Protection
Data Protection refers to any software or activity related to protecting the safety and integrity of private data.
Data Protection Authority
A Data Protection Authority (DPA) is an independent public authority that supervises and enforces data protection laws.
Data Protection (DP) Principles
As set out in Article 5 of the GDPR, the principles that must govern every processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability, under which the controller must be able to demonstrate compliance with the other six.
Dataset
An organized collection of data.
De-identification
The process of removing or transforming identifying characteristics in data so that it no longer points to an individual. Data masking is one set of techniques for doing this; depending on whether the transformation can be reversed, the result is pseudonymized or anonymized data.
Disaster Recovery Plan
A plan to implement the process of recovery of IT systems and data in the event of a disaster.
Development Lifecycle
The stages a product passes through from the start of development to its decommissioning, whether delivered continuously or in discrete phases. Privacy and security requirements are cheapest to meet when built in from the first stage.
Dev-Ops
DevOps: tools, processes and teams that combine the activities of software development and IT operations.
Direct Identifiers
Direct identifiers are data elements that relate to a specific individual, such as name, address, Social Security Number, e-mail address, or biometric record.
Due Diligence
The ongoing care an organization is expected to take to protect data: maintaining a plan to safeguard it, preventing fraud, and detecting and responding to data breaches when they occur.
Dynamic Data Masking
A type of data masking applied at query time: the stored data is left unchanged, and sensitive values are masked in the results returned to users or departments that need only limited access, based on their role. The underlying data remains shielded from them.
EHR
An electronic health record is a digital record of health information that allows a patient’s medical information to move with them.
Employee Information
Personal information of employees collected by an organization.
EMR
An electronic medical record is a digital version of a chart mainly used for diagnosis and treatment.
Encryption
Encryption is a type of data protection that transforms plaintext data into ciphertext, hiding the original data’s meaning. Encryption renders information unreadable to anyone who does not hold the corresponding decryption key, so the security of encrypted data depends on how well that key is protected.
ePHI
Electronic protected health information: PHI that is created, received, stored or transmitted in electronic form, and therefore subject to the HIPAA Security Rule.
EU-US Privacy Shield
The EU-U.S. and Swiss-U.S. Privacy Shield frameworks were established by the U.S. Department of Commerce to govern the collection, use, and retention of personal data transferred to the United States from the EU and from Switzerland, respectively. The EU-U.S. Privacy Shield was invalidated by the Court of Justice of the EU in the Schrems II judgment in July 2020 and has since been succeeded by the EU-U.S. Data Privacy Framework (2023).
Federal Law on the Protection of Personal Data
Mexico’s Federal Law on the Protection of Personal Data Held by Private Parties (2010) regulates the processing of personal data by private enterprises.
FERPA
The Family Educational Rights and Privacy Act is a U.S. federal law that protects the privacy of student education records and applies to all schools that receive funds from the U.S. Department of Education.
Flow of data
The channels by which data travels within an organization and between the organization and outside parties. Mapping these flows is the starting point for most privacy assessments.
GDPR
The General Data Protection Regulation (GDPR) is the European Union's data privacy law. It applies to organizations established in the EU and also to businesses outside Europe that offer goods or services to individuals in the EU, or monitor their behaviour, and collect personal data in the process.
Generalization
A method of data masking that replaces a precise value with a broader category that still contains it, for example an exact age with an age range or a full postal code with its first digits. The data becomes less identifying while keeping enough detail to remain useful for analysis.
GLBA
The Gramm-Leach-Bliley Act, which is the commonly used name for The Financial Services Modernization Act of 1999, applies to any company engaged in financial activities in the U.S.
Hacker
A hacker is an individual that violates computer security through technological means.
Harm assessment process
An assessment of the risks faced by customers throughout the data life cycle. This process identifies business practices that could cause potential harm to customers.
HIPAA
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a U.S. law whose Privacy and Security Rules set out how protected health information must be handled by covered entities (such as healthcare providers and insurers) and their business associates.
HITECH
The Health Information Technology for Economic and Clinical Health Act of 2009 builds on the healthcare security and privacy requirements set forth by HIPAA by adding tiered monetary penalties for noncompliance and a requirement to notify affected individuals and regulators of breaches of unsecured PHI.
HITRUST framework
HITRUST is an independent non-profit organization established to help the healthcare industry manage risk. HITRUST created a set of rules, known as its common security framework (CSF), that it updates annually to keep up with current breach data and cyber threats.
Human error
Human error is the cause of most internal breaches: simply not being aware that a certain activity poses a risk. Examples include accidentally introducing malware through an untrusted device or a phishing e-mail, using a weak or shared password, or sending sensitive information to someone outside the organization by mistake.
Identifiers
Data elements that relate to a specific individual.
Identity Theft
Theft of an individual’s personally identifiable information, and the fraudulent use of that information for financial gain.
Indirect Identifier
An indirect identifier (also called a quasi-identifier) is a value that cannot identify an individual on its own, such as a postal code, date of birth or gender, but that can identify someone when combined with other such values or with external data.
Insider threat
Data privacy threats that stem from inside an organization, whether from malicious employees or contractors, or from well-meaning staff who mishandle data.
k-anonymity
A property of a released dataset: it is k-anonymous if every record shares the same quasi-identifier values with at least k-1 other records, so no individual can be singled out among fewer than k people. It is usually achieved by generalizing, truncating or redacting the quasi-identifiers after removing direct identifiers.
l-diversity
A property that strengthens k-anonymity by requiring that each group of records sharing the same quasi-identifiers contains at least "l" distinct values of the sensitive attribute. Without it, a k-anonymous group in which everyone has the same diagnosis still reveals that diagnosis for every member.
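The following is an added example, not code from the original glossary: it generalizes the quasi-identifiers of a constructed toy dataset (age to a decade, postal code to a prefix), then measures the resulting k-anonymity and l-diversity. The records, column names and bucket sizes are all assumptions chosen for the illustration.

```python
"""k-anonymity and l-diversity checks over a constructed toy dataset."""
from collections import defaultdict

# Constructed sample records (no real people). Quasi-identifiers are age
# and zip; the sensitive attribute is diagnosis; name is a direct identifier.
RECORDS = [
    {"name": "A", "age": 34, "zip": "02139", "diagnosis": "flu"},
    {"name": "B", "age": 37, "zip": "02134", "diagnosis": "asthma"},
    {"name": "C", "age": 31, "zip": "02138", "diagnosis": "diabetes"},
    {"name": "D", "age": 52, "zip": "90210", "diagnosis": "flu"},
    {"name": "E", "age": 58, "zip": "90211", "diagnosis": "flu"},
    {"name": "F", "age": 55, "zip": "90212", "diagnosis": "flu"},
]

QUASI_IDENTIFIERS = ("age", "zip")
SENSITIVE = "diagnosis"


def generalize(record, age_bucket=10, zip_prefix=3):
    """Generalize the quasi-identifiers: bucket age into a range and keep
    only the leading digits of the zip code. The direct identifier (name)
    is dropped entirely rather than generalized."""
    low = (record["age"] // age_bucket) * age_bucket
    zip_code = record["zip"]
    return {
        "age": f"{low}-{low + age_bucket - 1}",
        "zip": zip_code[:zip_prefix] + "*" * (len(zip_code) - zip_prefix),
        SENSITIVE: record[SENSITIVE],
    }


def generalize_all(records, age_bucket=10, zip_prefix=3):
    return [generalize(r, age_bucket, zip_prefix) for r in records]


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Group records that share identical quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Largest k such that every equivalence class holds at least k records."""
    return min(len(group) for group in equivalence_classes(records, quasi).values())


def l_diversity(records, quasi=QUASI_IDENTIFIERS, sensitive=SENSITIVE):
    """Largest l such that every equivalence class has at least l distinct
    sensitive values (the simple 'distinct' form of l-diversity)."""
    return min(
        len({r[sensitive] for r in group})
        for group in equivalence_classes(records, quasi).values()
    )


if __name__ == "__main__":
    masked = generalize_all(RECORDS)
    print("raw:        k =", k_anonymity(RECORDS), "l =", l_diversity(RECORDS))
    print("generalized: k =", k_anonymity(masked), "l =", l_diversity(masked))
    for key, group in equivalence_classes(masked).items():
        print(key, sorted(r[SENSITIVE] for r in group))
```

On the raw records every row is unique, so k = 1. After generalization the six rows collapse into two classes of three, giving k = 3; but the 50-59 / 902** class is all "flu", so l = 1 and the release still discloses every member's diagnosis. That is the homogeneity attack that l-diversity is meant to catch, and why checking k alone is not enough.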
Malware
Used to describe malicious software intended to infiltrate computers or computer networks.
Multi-Factor Authentication (MFA)
An authentication process that requires more than one factor of verification.
NIST
The National Institute of Standards and Technology is a unit of the U.S. Department of Commerce responsible for measurement standards and technology guidance. Its Cybersecurity Framework and Privacy Framework are voluntary, but both have been widely adopted as tools for managing cybersecurity and privacy risk.
NIST Framework
The NIST Privacy Framework is a tool for improving privacy through a risk management structure that complements the NIST Cybersecurity Framework. It is composed of three parts: the Core (a set of privacy activities and outcomes), Profiles (the outcomes an organization selects), and Implementation Tiers (how rigorously it manages privacy risk).
Non-Production Environments
A non-production environment is an environment used exclusively for purposes other than production, such as developing and testing code.
Obfuscation
Obfuscation is a general term for making sensitive values in files and databases unintelligible to anyone who should not read them. In its most extreme form, redaction or nulling, the values are removed altogether rather than transformed.
On-the-fly data masking
Masking applied to data in transit rather than at rest, for example while copying production data into a test environment, so that no unmasked copy is ever written to the destination. It avoids the storage and exposure of an intermediate unmasked copy.
Opt In/Out
To opt in is to grant consent for data to be collected. To opt out is to withdraw that consent or to decline collection that would otherwise happen by default.
PCI DSS
The PCI Data Security Standard (PCI DSS) is a security standard for the usage of payment card data created by the Payment Card Industry Security Standards Council.
Personal Data
Any information relating to an identified or identifiable natural person.
PII
Personally Identifiable Information. Information from which the identity of an individual can be inferred, together with any other information linked or linkable to that individual, such as medical, educational, financial, and employment information.
PHI
Protected Health Information. Under HIPAA, any individually identifiable health information created, received, maintained or transmitted by a covered entity or its business associate, in any form or medium.
Phishing
Any attempt to trick a user into an action such as entering credentials at a fake website, clicking a malicious link, or downloading a malicious file.
Physical loss
A type of data breach caused by the physical loss or theft of documents that contain sensitive information, for example, patient files, a list of customer credit card numbers, or a spreadsheet of contact details.
PIPEDA
In Canada, the Personal Information Protection and Electronic Documents Act governs the collection, use and disclosure of personal information by private-sector organizations in the course of commercial activities.
Privacy Laws
A binding legislative act that governs the collection, ownership, processing, sharing and sale of personal data.
Privacy Policy
A statement that governs an organization or entity’s handling of personal information.
Production Environment
A production environment is the live environment in which software or products operate for real users and process real data, as opposed to development, testing and staging environments.
Pseudonymization
The processing of personal data so that it can no longer be attributed to a specific individual without the use of additional information (such as a key or a lookup table), which is kept separately and protected. Unlike anonymization it is reversible, so pseudonymized data is still personal data under the GDPR.
Random substitution
A type of data masking that replaces a given value with a value drawn at random from a pre-compiled set of realistic substitutes, such as a list of fictitious names or credit card numbers in valid format.
Ransomware
Malware that encrypts files on a device or network and denies the user access to them unless a ransom is paid for the decryption key; many variants also exfiltrate the data and threaten to publish it.
Referential Integrity
Referential integrity refers to the consistency of relationships between tables: a value that references a record elsewhere (such as a foreign key) must always point to an existing record. In data masking it means the same original value is masked to the same replacement everywhere it appears, so joins between masked tables still work.
Right to be Forgotten
An individual’s right, known in the GDPR (Article 17) as the right to erasure, to have their personal data deleted by a business or other organization possessing that data when there is no longer a lawful basis for keeping it.
Risk Assessment
The process by which risks are identified and the impact of those risks is determined.
Safe Harbor
The International Safe Harbor Privacy Principles were a framework under which U.S. organizations could self-certify compliance with EU data protection principles so that personal data could be transferred to them from Europe. The Court of Justice of the EU invalidated the Safe Harbor decision in October 2015 (the Schrems judgment); it was succeeded by the Privacy Shield.
Security Policy
Encompasses internal, technological and physical security measures to protect an organization’s private data.
Sensitive Data
Sensitive data is personal data whose exposure could cause particular harm to the individual and that privacy laws therefore protect more strictly. It includes information about an individual’s racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health, sexual orientation, and genetic or biometric data; some laws also cover attributes such as marital status and age.
Sensitive Data Discovery
A form of data protection that connects to databases and identifies any information that can be used to identify someone, such as social security numbers, account numbers, addresses, credit card numbers, and medical records.
Shuffling
A method of data masking that randomly permutes the values within a column across rows. The column keeps its real value distribution, which is useful for testing, but each value is no longer attached to the row it came from.
SSIS
SQL Server Integration Services is a component of the Microsoft SQL Server database software used to perform data migration tasks.
Static data masking
Static data masking uses a stable, non-changing environment with an original copy of the production database or other type of storage to anonymize data. It is mainly used to refresh non-production environments and prevent insider threats.
Structured Data
Structured Data is information that has been formatted into rows and columns.
Substitution
A substitution algorithm masks data by replacing a given value with another value suitable for the given entity, be it a field or part of the text or any other type of entity.
Test data
Test data is data that is used within copies of production environments, called testing environments, to test changes and updates made by developers.
Third-Party Collection
Data acquired from a source other than directly from the subject of the data.
Terms of Service
The set of rules which govern the use of a service and must be agreed to, either implicitly through the use of that service or explicitly, in order to make use of that service.
Tokenization
A method of de-identifying data that replaces meaningful values with randomly generated tokens that carry no information about the original. The mapping from token back to value is kept in a separately secured token vault, so systems that only need the token never hold the sensitive value.
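The following is an added example, not code from the original glossary, contrasting three of the masking techniques defined above: pseudonymization with a keyed hash (consistent across tables, reversible only by whoever holds the key), tokenization with a separate vault (random tokens, reversible only through the vault), and shuffling (distribution preserved, row linkage broken). The customer rows, the key and the column names are constructed for the illustration; a real key would be held in a KMS or HSM, never in source.

```python
"""Pseudonymization, tokenization and shuffling on a constructed customer table."""
import hashlib
import hmac
import random
import secrets

# Constructed sample rows; no real customers.
ROWS = [
    {"id": 1, "email": "alice@example.com", "city": "Boston", "balance": 120},
    {"id": 2, "email": "bob@example.com", "city": "Denver", "balance": 75},
    {"id": 3, "email": "carol@example.com", "city": "Austin", "balance": 300},
]

# Hypothetical demo key. In practice it lives in a KMS/HSM, separate from the data.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Pseudonymization via HMAC-SHA256. Deterministic, so the same e-mail
    maps to the same pseudonym in every table and joins still work; without
    the key an attacker cannot confirm a guess. A plain unkeyed SHA-256 would
    not do: candidate e-mails can simply be hashed and matched."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Tokenization: replace a value with a random token and keep the
    token -> value mapping here, in a store that is access-controlled
    separately from the masked data."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        if value in self._value_to_token:          # keep referential integrity
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)      # random; reveals nothing about value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Only callers with access to the vault can recover the original."""
        return self._token_to_value[token]


def shuffle_column(rows, column, seed=None):
    """Shuffling: permute one column across rows. The multiset of values is
    preserved, so test data keeps a realistic distribution, but the link
    between a row's other fields and that value is broken."""
    rng = random.Random(seed)
    values = [r[column] for r in rows]
    rng.shuffle(values)
    return [dict(r, **{column: v}) for r, v in zip(rows, values)]


def mask_table(rows, vault, seed=None):
    """A static masking pass for a non-production copy: tokenize the direct
    identifier and shuffle the balance column. Returns new rows; the source
    rows are left untouched."""
    tokenized = [dict(r, email=vault.tokenize(r["email"])) for r in rows]
    return shuffle_column(tokenized, "balance", seed)


if __name__ == "__main__":
    vault = TokenVault()
    for row in mask_table(ROWS, vault, seed=7):
        print(row, "pseudonym:", pseudonymize(vault.detokenize(row["email"])))
```

The choice between the first two is about where reversal is possible: a pseudonym can be recomputed by anyone holding the key, a token only by querying the vault, which can be logged and rate-limited. Shuffling is cheaper than either but protects only the association, not the values themselves.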
Transparency
Taking appropriate measures to inform data subjects about the processing of their personal data in a concise, intelligible and easily accessible form, including what is collected, why, by whom, and for how long.
Unstructured Data
This refers to information that does not reside in a traditional row-and-column database, such as free text, e-mail, documents, images and audio recordings. It is harder to search for sensitive data and therefore easy to overlook in privacy programs.