Active data collection refers to data that is collected knowingly and transparently from the user, such as through a web form, check box, or survey.
Under the GDPR, "Adequate Level of Protection" refers to the level of data protection that the European Commission requires from a third country or international organization before approving cross-border data transfers to that third country or international organization. In making its judgement, the European Commission considers not only the data protection rules and security measures of the third country or international organization, but also the rule of law, respect for human rights, and the enforcement of compliance and data protection rules.
Anonymous data is data that is not related to an identifiable individual and cannot be used in combination with other data to identify individuals. Anonymous data is not protected by the GDPR.
In the context of the GDPR, "Appropriate Safeguards" refers to the application of the GDPR's data protection principles to data processing. The GDPR's data protection principles include transparency, data minimization, storage limitation, data quality, legal basis for processing, and purpose limitation.
Brazil passed a new legal framework in mid-August of 2018 aimed at governing the use and processing of personal data in Brazil: the General Data Protection Law. The law replaces approximately 40 laws that currently deal with the protection of privacy and personal data, and is aimed at guaranteeing individual rights and encouraging economic growth by creating clear and transparent rules for data collection.
An acronym for the California Consumer Privacy Act. This is a state-level privacy law for California, which comes into effect in 2020. The law, which is the first state-level privacy law passed in the US, applies to all businesses that collect personal data from Californians. The CCPA mirrors the requirements of the GDPR in many ways, such as establishing the right of users to access personal data and request deletion.
An acronym for Chief Privacy Officer. This is an executive within an organization responsible for managing compliance with privacy laws and policies.
A certification is a declaration by a certifying body that an organization or product meets certain security or compliance requirements.
The guarantee that information is only available to those who are authorized to use it.
In the context of privacy, consent is the ability of a data subject to decline or consent to the collection and processing of their personal data. Consent can be explicit, such as opting-in via a form, or implied, such as agreeing to an End-User License Agreement, or not opting out. Under many data protection laws, consent must always be explicit.
The transfer of personal data from one legal jurisdiction, such as the EU, to another, such as the US. Many data protection laws place major restrictions on cross-border data transfers.
An acronym for Data Protection Authority. This is an independent public authority set up to supervise and enforce data protection laws in the EU. Each EU member state has its own DPA.
An acronym for Data Protection Officer. This is an individual within an organization who is tasked with advising the organization on GDPR compliance and communicating with their Data Protection Authority. Organizations that process personal data as part of their business model are required to appoint a DPO.
Digital Rights Management: a set of access control technologies for restricting the use of confidential information, proprietary hardware and copyrighted works, typically using encryption and key management.
The act of notifying regulators as well as victims of data breaches that an incident has occurred. Under Article 34 of the GDPR, an organization must notify affected users within 72 hours of the incident.
According to the GDPR, a Data Broker is any entity that collects and sells individuals’ personal data.
According to the GDPR, a Data Controller is an organization, agency, public authority, or individual that determines the how and why of data processing. The data controller may also be a data processor, or they may employ a third-party data processor.
Also known as records of authority, data inventories identify personal data within systems and help in the mapping of how data is stored and shared. Data inventories are defined under privacy regulations including the GDPR, CCPA, and CPRA.
The requirement that data be physically stored in the same country or group of countries in which it originated. This is a common requirement in modern privacy and data protection bills, such as the GDPR, China’s CSL, and Brazil’s Security Law. For example, under the GDPR, a company collecting the data of an EU citizen would have to store that data on a server in the EU.
The accidental loss of data, whether via accidental deletion, destruction, or theft.
A privacy concept that states data collectors should only collect and retain the bare minimum of personal data that is necessary for the data processor to perform their duties, and should delete that data when it is no longer necessary.
Any action that is performed on personal data or sets of personal data, such as collecting, structuring, storing, or disseminating that data.
The GDPR defines a data processor as any organization that collects, processes, stores or transmits personal data of EU citizens.
A legal term referring to laws and regulations aimed at protecting the personal data of individuals and determining that data’s fair use.
This is a principle set forth in Article 5 of the GDPR. The principles listed in Article 5 are: Lawfulness, fairness and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality.
A concept that refers to the physical or geographic location of an organization's data. Privacy and security professionals focus on the legal and regulatory requirements imposed on data by the laws of the country or region in which it resides. When a business uses cloud services (IaaS, PaaS, or SaaS), it may not be aware of its data's physical location. This can create data residency concerns when, for example, data for a citizen of the European Union is stored in a US-based cloud datacenter.
An adequacy agreement created in 2016 to replace the EU-U.S. Safe Harbor Agreement. The EU-U.S. Privacy Shield lets participating organizations under the jurisdiction of the US Federal Trade Commission transfer personal data from the EU to the United States.
The primary supervisory authority established by the GDPR. The board consists of the heads of EU member states’ supervisory authorities as well as the European Data Protection Supervisor. The goal of the EDPB is to ensure consistent application of the GDPR by member states.
An independent authority that aims to ensure that European organizations and member states comply with the privacy rules of the GDPR.
An acronym for the General Data Protection Regulation. This is a data protection law that applies to all 28 Member States of the European Union. The aim of the GDPR is to set a high standard for data protection, and to provide one set of data protection rules for the entire EU. The 99 articles of the GDPR set forth several fundamental rights of data protection, including the right to be informed, right of access, right to rectification, right to erasure/to be forgotten, right to restrict processing, right to data portability, right to object, and rights in relation to automated decision making and profiling. The rules set by the GDPR apply to any organization that processes the personal data of EU residents, whether that organization itself is based in the EU or not. The GDPR modernizes the principles from the EU's 1995 Data Protection Directive and applies to personal data of EU citizens that is processed by what the regulation calls data controllers and data processors. Financial penalties for non-compliance reach up to USD $24M, or 4% of worldwide annual turnover, whichever is higher.
An acronym for the Health Insurance Portability and Accountability Act. This is an American law that sets national standards and regulations for the transfer of electronic healthcare records. Under HIPAA, patients must opt in before their healthcare information can be shared with other organizations.
An acronym for the Health Information Technology for Economic and Clinical Health Act. This is an American law enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH aims to build on the healthcare security and privacy requirements set forth by HIPAA. HITECH does so by adding tiered monetary penalties for noncompliance, as well as the requirement for breach notifications.
A Federal Trade Commission rule requiring vendors of personal health records to notify consumers following a breach involving unsecured information. If a service provider to such a vendor is breached, the service provider must notify the vendor. The rule also stipulates an exact timeline and method by which these public notifications must be made.
Information Rights Management is a subset of Digital Rights Management that protects corporate information from being viewed or edited by unwanted parties, typically using encryption and permission management.
The assurance that information has not been changed and that it is accurate and complete. The GDPR mandates that data controllers and processors implement measures that guarantee data integrity.
The GDPR mandates that data controllers must demonstrate a legal basis for data processing. The six legal bases for processing listed in the law are: consent, necessity, contract requirement, legal obligation, protection of data subject, public interest, or legitimate interest of the controller.
When an individual makes an active indication of choice, such as checking a box indicating willingness to share information with third parties.
Either an explicit request for a user to no longer share information or receive updates from an organization, or a lack of action that implies that the choice has been made, such as when a person does not uncheck a box indicating willingness to share information with third parties.
An acronym for Protected Health Information. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
Any data collection technique that gathers information automatically, with or without the end user’s knowledge.
An individual’s right to request and receive their personal data from a business or other organization.
The right for individuals to correct or amend information about themselves that is inaccurate.
An individual’s right to have their personal data deleted by a business or other organization possessing or controlling that data.
Data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. According to NIST, this represents information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. The GDPR refers to this as sensitive personal data, a mixture of private opinions and health information that falls into specialized, legally protected categories. Businesses must treat this data with the highest level of security.