Data Protection Glossary
Introduction
Data protection terminology can be complicated and change across regulations, frameworks, and jurisdictions. This data protection glossary provides concise, practical definitions of important data protection terms used in international regulations, standards, and best practices.
Term Glossary
Accountability
A core GDPR principle intended to ensure that controllers are responsible for demonstrating compliance with data protection principles in practice. Accountability requires that organisations put in place internal mechanisms and control systems that ensure compliance and provide evidence, such as audit reports, documentation, and records, to demonstrate compliance to regulators and data subjects.
Anonymisation
The irreversible removal or transformation of personal data so that individuals can no longer be identified, either directly or indirectly. True anonymisation permanently breaks the link between data and identity, meaning the data falls outside the scope of data protection regulations. Achieving genuine anonymisation is technically challenging and requires consideration of all reasonably available re-identification methods.
Binding Corporate Rules
Internal data protection policies adopted by international organisations or multinational groups that enable legitimate transfers of personal data between different entities within the same corporate group. Binding Corporate Rules provide a legally binding framework that ensures consistent data protection standards across all group entities and require approval from data protection authorities.
Biometric Data
Personal data resulting from specific technical processing of an individual’s physical, physiological, or behavioural characteristics, such as fingerprints, iris scans, facial recognition data, voice patterns, and DNA. Biometric data is typically treated as a special category of data requiring enhanced protection and specific legal justification for processing.
California Consumer Privacy Act (CCPA)
A United States privacy law was passed in California in 2018, granting California residents rights over their personal information, including the right to know what data is collected, the right to delete data, the right to opt out of data sales, and the right to non-discrimination. The CCPA applies to for-profit businesses that collect personal information from California residents and meet specific revenue or data volume thresholds.
California Privacy Rights Act (CPRA)
Amendment and expansion of the CCPA, passed in California in 2020, added consumer rights, including the right to correct personal information, the right to limit the use of sensitive personal information, and rights related to automated decision-making. The CPRA established the California Privacy Protection Agency to enforce privacy law and impose penalties for violations.
Complaint
A formal submission to a data protection authority or supervisory authority by an individual alleging that an organisation has violated their data protection rights. Data protection authorities have the power to investigate complaints and enforce compliance through investigations, orders, and penalties.
Confidentiality
A GDPR principle that requires personal data be protected against unauthorised or accidental access, disclosure, or misuse. Confidentiality ensures that only authorised individuals can access personal data, requiring organisations to implement technical and organisational safeguards throughout the data lifecycle.
Consent
Permission freely given, specific, informed, and unambiguous agreement to the processing of personal data for defined purposes. Requires that individuals understand what they are agreeing to, how their data will be used, and can withdraw consent at any time. Consent must be genuinely voluntary and cannot be a condition for unrelated services.
Controller
The organisation or individual that determines the purposes, means, and methods of personal data processing. Controllers bear primary responsibility for compliance and must ensure that all data protection principles are met, including lawfulness, transparency, security, and individuals’ rights.
Data Breach
An incident where personal data is accessed, used, or disclosed without authorisation, or is accidentally or unlawfully destroyed, lost, or altered. Organisations must assess breaches and notify relevant parties. If a breach is likely to result in risk to individual rights, authorities and affected individuals must be notified.
Data Minimisation
The principle requires that only personal data that is adequate, relevant, and necessary for specific purposes should be collected and processed. Data minimisation prevents excessive data collection and reduces privacy risks by limiting the amount of personal information an organisation holds.
Data Processing Agreement
A written contract between a data controller and a data processor specifying the nature, scope, and purpose of processing, security obligations, data subject rights, and confidentiality requirements. Data Processing Agreements are legally required when a controller engages a processor to handle personal data on its behalf.
Data Protection Authority
An independent public body (also called a supervisory authority) responsible for monitoring compliance with data protection law, investigating complaints, and protecting individual rights. Data Protection Authorities have investigative and enforcement powers, including issuing guidance, conducting audits, and imposing penalties.
Data Protection Impact Assessment
A structured analysis is required when an organisation plans processing activities that pose a high risk to individual rights and freedoms. Data Protection Impact Assessments identify potential risks, evaluate their likelihood and severity, and document measures implemented to mitigate them. They demonstrate accountability and help organisations build privacy protections from project inception.
Data Protection Officer
An independent expert appointed by organisations to oversee data protection compliance and act as a liaison with data protection authorities. Data Protection Officers monitor compliance, maintain processing records, handle individual requests, and provide advice on data protection obligations. In many jurisdictions, public authorities and organisations that process large volumes of data must appoint a Data Protection Officer.
Data Retention
The time period for which organisations may keep personal data. Data protection frameworks require that personal data be kept only as long as necessary for the purposes for which it was collected. Organisations must establish and document retention schedules and securely delete or anonymise data once the retention period expires.
Data Subject
Any identified or identifiable natural person to whom personal data relates. Data subjects have specific rights under data protection laws, including the right to access their data, rectify inaccurate information, object to processing, and request deletion. Organisations must recognise and respect data subjects’ rights throughout their data-handling practices.
Data Subject Request
A formal request from an individual to an organisation regarding their personal data. Data subject requests include access, rectification, deletion, objection, and portability requests. Organisations must have procedures for receiving, verifying, and responding to data subject requests within the legally specified timeframes.
Data Transfer
The movement of personal data across borders, particularly outside the jurisdiction where it was collected. Data transfers to countries without adequate data protection frameworks require legal mechanisms such as Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions to ensure data remains adequately protected.
EDPB / EDPS
The European Data Protection Board (EDPB) represents all EU Member States’ data protection authorities and is responsible for ensuring consistent application of data protection law across the EU. The EDPB issues guidelines and opinions that provide authoritative interpretation of data protection requirements. The European Data Protection Supervisor (EDPS) oversees data protection compliance within EU institutions.
E-Privacy Directive
EU law (2009/136/EC) complements data protection regulations by addressing the confidentiality of electronic communications and regulating the use of cookies. The ePrivacy Directive requires consent before storing information on users’ devices and restricts the use of personal data for electronic marketing.
Erasure (Right to)
The right of individuals to request that organisations delete their personal data. Also known as the “right to be forgotten,” this right applies when data is no longer necessary for its original purpose, when the individual withdraws consent, when the individual objects to processing, or when data was processed unlawfully. Exceptions exist for legal obligations and other legitimate purposes.
EU AI Act
EU regulation (2024/1689) establishing a comprehensive legal framework for artificial intelligence systems used in the EU. The AI Act categorises AI systems by risk level and imposes requirements for high-risk AI systems, including documentation, transparency, human oversight, and impact assessments. The regulation addresses AI-specific risks to fundamental rights and freedoms, including privacy. Prohibited AI practices became effective February 2, 2025, while broader high-risk requirements apply from August 2026 onwards.
General Data Protection Regulation (GDPR)
The primary data protection regulation in the European Union, effective since 2018, governs the processing of personal data and protects the rights of EU data subjects. The GDPR applies to organisations that process the personal data of EU residents, regardless of where the organisation is located, and sets requirements for lawfulness, transparency, security, individual rights, and accountability.
Health Insurance Portability and Accountability Act (HIPAA)
U.S. federal law protects the privacy and security of health information in the healthcare industry. HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. It requires safeguards for protected health information, individual rights to access and amend health information, and notification requirements for breaches.
ISO/IEC 27001
International standard for information security management systems. ISO/IEC 27001 specifies requirements for establishing, implementing, maintaining, and improving an information security management system. Organisations can achieve certification by demonstrating compliance with the standard’s security controls and management requirements, which support data protection compliance.
ISO/IEC 27002
An international standard providing guidelines and recommendations for information security management controls. ISO/IEC 27002 offers detailed guidance on implementing the controls required by ISO/IEC 27001, including specific measures for data protection, access control, encryption, incident management, and security awareness.
ISO/IEC 27701
International standard extending ISO/IEC 27001 and 27002 specifically to address privacy management. ISO/IEC 27701 provides requirements and guidance for managing personal data through privacy information management systems (PIMS), supporting compliance with data protection regulations like GDPR, CCPA, LGPD, and similar frameworks. It helps organisations integrate privacy considerations into their broader information security programs and is the first international standard specifically for privacy information management.
Lawful Basis
The legal justification is required before processing any personal data. Data protection frameworks typically specify multiple lawful bases such as consent, contractual necessity, legal obligation, vital interests protection, public task performance, and legitimate interests. Every instance of personal data processing must fall under at least one lawful basis.
Legitimate Interests
One of several lawful bases for processing personal data when the organisation or a third party pursues legitimate business interests that do not override individuals’ rights and freedoms. Processing under legitimate interests requires balancing organisational interests against individual privacy expectations and must be necessary and proportionate.
Lei Geral de Proteção de Dados (LGPD)
Brazil’s General Data Protection Law, effective since 2020, protects the rights of Brazilian data subjects and applies to organisations that process the personal data of Brazilian residents. The LGPD follows a similar structure to GDPR, requiring lawful bases for processing, individual rights, security measures, and accountability. It applies to the processing of personal data of individuals located in Brazil or carried out in Brazil.
Personal Data
Any information relating to an identified or identifiable natural person. The definition is broad and includes names, identification numbers, location data, online identifiers, email addresses, IP addresses, and any other information that directly or indirectly identifies someone or could identify them when combined with other data.
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Canadian federal privacy law governs how private-sector organisations collect, use, and disclose personal information. PIPEDA applies to for-profit businesses engaged in commercial activities and establishes individual rights, including access, accuracy, consent, and complaint mechanisms. Canadian provinces have enacted similar privacy legislation with substantially equivalent protections.
Processor
An organisation or individual that processes personal data on behalf of a data controller. Processors must follow the controller’s instructions and implement appropriate security measures. Processors act under written contracts specifying the scope of processing and security obligations.
Pseudonymisation
The processing of personal data in a way that prevents direct identification without the use of additional information kept separately and secured. Unlike anonymisation, pseudonymisation is reversible; with access to linking information, individuals can be re-identified. Pseudonymised data remains personal data but presents reduced privacy risks.
Privacy by Design
A principle requiring that organisations integrate data protection considerations into technology, systems, and business processes from the earliest stages of development. Privacy by design embeds privacy protections into project foundations rather than retrofitting compliance after implementation.
Records of Processing Activity (ROPA)
Documentation maintained by data controllers and processors detailing all personal data processing activities. ROPA must include information about processing purposes, categories of personal data processed, recipients of the data, retention periods, and technical and organisational security measures. ROPA serves as evidence of accountability and compliance with data protection obligations.
Right of Access
The right of individuals to request and receive a copy of their personal data held by an organisation, along with information about how it is processed. Organisations must respond to access requests within specified timeframes, typically providing data in a commonly used electronic format.
Right of Rectification
The right of individuals to request correction of inaccurate personal data. Organisations must correct inaccurate information without undue delay and, where feasible, inform third parties who received the inaccurate data of the correction.
Sensitive Personal Information
A broader category than “special category data,” sensitive personal information includes data that requires enhanced protection under data protection frameworks. Examples include health information, financial data, biometric data, behavioural data, genetic information, and social security numbers. Processing sensitive personal information typically requires explicit consent or other specific legal justifications.
Standard Contractual Clauses
Pre-approved contractual language authorising personal data transfers from one jurisdiction to another where data protection laws may differ. Standard Contractual Clauses provide a legal basis for international transfers when no adequacy decision exists, though organisations must conduct impact assessments to identify and mitigate country-specific risks.
Subject Access Request
A formal request from an individual for a copy of their personal data and information about how the organisation processes it. Organisations must respond within specified timeframes, providing all personal data held about the individual along with processing details.
Third Country
Any country outside the jurisdiction covered by a data protection framework (for example, outside the EU/EEA under GDPR). Transfers to third countries require legal mechanisms such as adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules to ensure adequate data protection.
Third Party
Any individual or organisation other than the data subject, data controller, data processor, or employees authorised to process data under the controller’s authority. Third parties can be external recipients of data or independent controllers making their own processing decisions.
Transparency
The principle requires that organisations provide individuals with clear, accessible information about how their personal data is collected, used, and protected. Transparency typically includes privacy notices and other disclosures, helping individuals understand data handling practices.
UK Data Protection Act 2018
UK legislation implementing and supplementing GDPR requirements in the United Kingdom. The Data Protection Act 2018 defines UK-specific rules for data processing, establishes the role of the Information Commissioner’s Office (ICO), and extends data protection to areas not covered by GDPR, including law enforcement processing and national security. It applies to organisations that process the personal data of UK residents.
Video-Surveillance
Systems that capture and store images or video footage containing personal data. Video surveillance must be lawful, necessary, and proportionate, and must include clear signage informing individuals that they are being monitored. Access must be restricted to authorised personnel, and retention must be limited to what is necessary.
Conclusion
This glossary provides a foundational understanding of essential data protection terminology across multiple jurisdictions and regulatory frameworks. For organisation-specific compliance guidance, consult your data protection authority, legal counsel, or a data protection professional who can contextualise these terms within your particular circumstances and jurisdiction.