Expand your cybersecurity education with an in-depth glossary of data security terminology and concepts.

Access Control

The process of restricting access to resources, such as computers, files, or services, to authorized users only.

Active Data Collection

Active data collection refers to data that is collected knowingly and transparently from the user, such as through a web form, check box, or survey.

Adequate Level of Protection

Under the GDPR, Adequate Level of Protection refers to the level of data protection that the European Commission requires from a third country or international organization before approving cross-border data transfers to that third country or international organization.In making their judgement, the European Commission considers not only the data protection rules, and security measures of the third country or international org., but also the rule of law, respect for human rights, and the enforcement of compliance and data protection rules.


A type of behavior or action that seems abnormal when observed in the context of an organization and a user's historical activity. It is typically analyzed using some sort of machine-learning algorithm that builds a profile based upon historical event information including login locations and times, data-transfer behavior and email message patterns. Anomalies are often a sign that an account is compromised.


Data Anonymization is a process that alters personally identifiable data (PII) in such a manner that it can no longer be used to identify an individual. This can be done by removing certain identifying values from data sets, or by generalizing identifying values.

Anonymous Data

Anonymous data is data that is not related to an identifiable individual and cannot be used in combination with other data to identify individuals. Anonymous data is not protected by the GDPR.

Appropriate Safeguards

In the context of the GDPR, Appropriate Safeguards refers to the application of the GDPR's data protection principles to data processing. The GDPR's data protection principles include transparency, data minimization, storage limitation, data quality, legal basis for processing, and purpose limitation.

Audit Trail

A trail of files, logs, or paperwork used to record an activity for auditing purposes.


The act of systematically examining, evaluating, and analyzing an organization's assets to ensure compliance and security standards are met.


The process of verifying a claimed identity and proving that someone is who they claim to be when attempting to access a resource.

Automated Processing

Data processing that is performed without human interaction.

Brazil General Data Protection Law

Brazil passed a new legal framework in mid-August of 2018 aimed at governing the use and processing of personal data in Brazil: the General Data Protection Law. The law replaces approximately 40 or so laws that currently deal with the protection of privacy and personal data, and is aimed at guaranteeing individual rights, and encouraging economic growth by creating clear and transparent rules for data collection.


An acronym for Cloud Access Security Broker. This is a type of security that monitors and controls the cloud applications that an organization's employees might use. Typically, the control is enforced by routing web traffic through a forward- or reverse-proxy. CASBs are good for managing Shadow IT and limiting employee's use of certain SaaS or the activity within those SaaS but do not monitor third-party activity in the cloud–i.e. shared documents or email.


An acronym of the California Consumer Privacy Act.


An acronym for Chief Data Officer. This is the executive within an organization who is the head of information security.


An acronym of Cybersecurity Maturity Model Certification is a security framework for Defense Industrial Base contractors to follow.


An acronym for Chief Privacy Officer. This is an executive within an organization responsible for managing compliance with privacy laws and policies.


An acronym for Cloud Service Provider. This is any company that sells a cloud computing service, be it PaaS, IaaS, or SaaS.


A certification is a declaration by a certifying body that an organization or product meets certain security or compliance requirements.

Chief Information Security Officer (CISO)

An acronym for Chief Information Security Officer. This is an executive within an organization responsible for managing compliance with privacy laws and policies.

Cloud Native Database

A database service which is deployed and delivered through a cloud service provider (CSP) platform.


The guarantee that information is only available to those who are authorized to use it.


In the context of privacy, consent is the ability of a data subject to decline or consent to the collection and processing of their personal data. Consent can be explicit, such as opting-in via a form, or implied, such as agreeing to an End-User License Agreement, or not opting out. Under many data protection laws, consent must always be explicit.

Controlled Unclassified Information (CUI)

An acronym of Controlled Unclassified Information.

Cross-border Data Transfer

The transfer of personal data from one legal jurisdiction, such as the EU, to another, such as the US. Many data protection laws place major restrictions on cross-border data transfers.


The protection of information and communications against damage, exploitation, or unauthorized use.


An acronym for Data Detection and Response


An acronym for Data Leak Prevention or Data Loss Prevention. A type of security that prevents sensitive data, usually files, from being shared outside the organization or to unauthorized individuals within the organization. This is done usually through policies that encrypt data or control sharing settings.


An acronym for Data Protection Officer. This is an individual within an organization who is tasked with advising the organization on GPDR compliance and communicating with their Data Protection Authority. Organizations that process personal data as part of their business model are required to appoint a DPO.


Digital Rights Management: a set of access control technologies for restricting the use of confidential information, proprietary hardware and copyrighted works, typically using encryption and key management.

Data Breach

A data breach is a security incident during which sensitive, protected, or confidential data has been accessed or exposed to unauthorized entities. These incidents may expose protected or personal health information (PHI), personally identifiable information (PII), intellectual property, classified information, or other confidential data.

Data Breach Notification

The act of notifying regulators as well as victims of data breaches that an incident has occurred. Under Article 34 of the GDPR, an organization must notify affected users within 72 hours of the incident.

Data Broker

According to the GDPR, a Data Broker is any entity that collects and sells individuals’ personal data.

Data Catalog

An organized inventory of data assets in the organization. Data catalogs use metadata to help organizations manage their data. They also help data professionals collect, organize, access, and enrich metadata to support data discovery and governance.

Data Categorization

The process of dividing the data into groups of entities whose members are in some way similar to each other. Data privacy and security professionals can then categorize that data as high, medium, and low sensitivity data.

Data Class

A definition that allows each type of data in a data store to be programmatically detected, typically using a test or algorithm. Data privacy and security professionals associate data classes with rules that define actions that should be taken when a given data class is detected. For example, sensitive information or PII should be tagged with a business term or classification, and further for some sensitive data classes a specific data quality constraint should be applied.

Data Classification

Data classification is the process of organizing data into relevant categories to make it simpler to retrieve, sort, use, store, and protect.

Data Controller

According to the GDPR, a Data Controller is an organization, agency, public authority, or individual that determines the how and why of data processing. The data controller may also be a data processor, or they may employ a third-party data processor.

Data Flow

In communications, data flow is the path taken by a message from origination to destination that includes all nodes through which the data travels.

Data Flow Diagram

An illustration that shows the way information flows through a process or system. Data flow diagrams include data inputs and outputs, data stores, and the various subprocesses the data moves through.

Data Inventory

Also known as records of authority, data inventories identify personal data within systems and help in the mapping of how data is stored and shared. Data inventories are defined under privacy regulations including the GDPR, CCPA, and CPRA.

Data Localization

The requirement that data is physically stored in the same country or group of countries that it originated from. This is a common requirement in modern privacy and data protection bills, such as the GDPR, China’s CSL, and Brazil’s Security Law. For example, under the GDPR, a company collecting the data of an EU citizen would have to store that data on a server in the EU.

Data Loss

The accidental loss of data, whether via accidental deletion, destruction, or theft.

Data Minimization

A privacy concept that states data collectors should only collect and retain the bare minimum of personal data that is necessary for the data processor to perform their duties, and should delete that data when it is no longer necessary.

Data Processing

Any action that is performed on personal data or sets of personal data, such as collecting, structuring, storing, or disseminating that data.

Data Processor

GDPR defines a data processor in GDPR as any organization that collects, processes, stores or transmits personal data of EU citizens.

Data Protection

A legal term referring to laws and regulations aimed at protecting the personal data of individuals and determining that data’s fair use.

Data Protection Authority (DPA)

An acronym for Data Protection Authority. This is an independent public authority set up to supervise and enforce data protection laws in the EU. Each EU member state has its own DPA.

Data Protection Impact Assessment

Data Protection Impact Assessment (DPIA) is a requirement that compels businesses to assess the risk and impact of their processing activities.While the CCPA does not require businesses to conduct a DPIA, the California Consumer Privacy Act (CPRA) under Section 1798.185(a)(15) requires businesses to perform an assessment on processing activities that may expose personal data to significant risks.

Data Protection Principle

This is a principle set forth in Article 5 of the GDPR. The principles listed in Article 5 are: Lawfulness, fairness and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality.

Data Residency

A concept that refers to the physical or geographic location of an organization's data. Privacy and security professionals focus on the data laws or regulatory requirements imposed on data based on the data laws that govern a country or region in which it resides. When a businesses uses cloud services (IaaS, PaaS, or SaaS), they may not be aware of their data's physical location. This can create data residency concerns when, for example, data for a citizen of the European Union is stored in a US-based cloud datacenter.

Data Security Posture Management (DSPM)

Data security posture management (DSPM) provides the missing piece to complete most security teams' puzzles – a means of identifying, contextualizing, and protecting sensitive data.

Data Sprawl

A term that refers to the staggering amount and variety of data produced by businesses every day. This is largely due to the variety of enterprise software, mobile apps, storage systems, and data formats each company relies on.

Data Store

A repository for storing, managing and distributing data sets on an enterprise level.

Data Subject

The individual that a piece or set of data pertains to.

Data Theft

The act of stealing of information.

Defense Industrial Base

Defense Industrial Base (DIB) contractors are companies that conduct business with the US military and are part of the military industry complex responsible for research, production, delivery, and service.

EU-US Privacy Shield

An adequacy agreement created in 2016 to replace the EU-U.S. Safe Harbor Agreement. The EU-U.S. Privacy Shield lets participating organizations under the jurisdiction of the US Federal Trade Commission transfer personal data from the EU to the United States.

Electronic Lab Notebook (ELN)

Electronic Lab Notebooks (Electronic Laboratory Notebook or ELN) is the digital form of a paper lab notebook.

Encrypted Data

Encryption is the method of converting a plaintext into a cipher text so that only the authorized parties can decrypt the information and no third parties can tamper with the data. Unencrypted usually refers to data or information that is stored unprotected, without any encryption. Encryption is an important way for individuals and companies to protect sensitive information from hacking. For example, websites that transmit credit card and bank account numbers encrypt this information to prevent identity theft and fraud.