When it comes to protecting your sensitive personal data, or your organization’s data, the different terminology and jargon can often be an issue. This is why we’ve compiled this A-Z data privacy glossary s in the hopes that it might help you improve your data security.
A
Access Control – The process of restricting access to certain resources and systems such as computers or files to authorized people only. Accountability – An organization’s ability to demonstrate they can handle private data in compliance with the law and accept responsibility for their actions.Accuracy – Personal data must be accurate and up-to-date and this is also stated in the GDPR’s 4th Principle as well as many other data protection laws. Active Data Collection – Any data that is openly collected from the user and with their knowledge. Activity Monitors – Software tools that monitor and track end-user behavior on company-owned resources, networks, and computers and help detect insider threats.Adequate Level of Protection – The level of data protection required by the European Commission that a 3rd country or organization not in the EU must have before data transfer to that country or organization can be approved.AES (Advanced Encryption Standard) – Encryption standard created as a replacement for DES, 3DES, and similar standards in 2001. Uses symmetric encryption (one key to encrypt and decrypt data) and fixed block size (128, 192, or 256-bit key length), making it easy to implement and fast.Anonymization – Altering personal information in such a way that it can no longer be identifiable to that individual.Anonymous Data – Any data not related to an identifiable individual that can’t be used to identify them, even in conjunction with other data.API (Application Processing Interface) – API is a software standard that enables computer-to-computer communication and further specifies how different software components should communicate and interact with each other. Appropriate Safeguards – Refers to the application of GDPR data protection principles to data processing. Asset – A system, hardware, software, etc. owned by an organization that can be used to store and process data.Auditing – The process of inspecting an organization’s assets to ensure that it complies with and meets certain security standards.Audit Trail – Files, logs, or paperwork used to record some activity for auditing.Authentication – The process of verifying an individual attempting to access a resource and proving that they are who they claim to be.Authenticity – In the context of data protection, “authentic” data is one that has not been altered and is accurate.Authorization – The process of deciding whether a user has access rights to a resource such as a file.Automated Processing – Any process completed by the machine without human involvement.Autonomy Privacy – An individual’s right to behave in a way they want online without worrying that they will be tracked or otherwise observed.
B
Backdoor – A tool installed without the user’s knowledge of the system or hardware that gives a third-party access to a system and allows them to bypass any security on it.BCR (Binding Corporate Rules) – For corporations with components in different countries, BCR represents safeguards they must follow for secure cross-border data transfer.Big Data – Large sets of data that require special applications for processing.Biometric Data – Physical characteristics of an individual such as voiceprint, fingerprint, facial characteristics, etc. that can be used to identify them.Breach Disclosure – The act of informing victims and regulators that a data breach has occurred in the company.
C
CCPA (California Consumer Privacy Act) – A privacy law in the state of California that provides the right to access their personal data and request the company collecting it its deletion. The California Consumer Privacy Act applies to any company that collects and processes the personal data of residents of this state. Certification – An affirmation that a product, service, or organization meets the security standards. Issued by the certifying body.Certificate-Based Authentication – The use of an SSL-based Digital Certificate to identify a user or device before allowing access to a resource.CFPB (Consumer Financial Protection Bureau) – A US Federal Reserve Bureau created by the Dodd-Frank Act and tasked with regulating and overseeing the financial industry Cipher – An algorithm used to encrypt and decrypt data.CISO (Chief Information Security Officer) – An individual in the organization responsible for information security.Cloud Computing – The delivery of IT services and resources through a network (cloud) and online, rather than via on-premise resources.CMP (Content Management Platform) – Software used to document and manage user consent choices before collecting personal data, sharing, or selling it.Collecting Limit – A principle that states that there needs to be a limit as to how much can one organization collect personal information.Confidentiality – A set of rules that limit access to certain types of information.Consent – An agreement given by the data subject to the organization to process personal data. Per GDPR, it must be freely given, specific, and unambiguous and the data subject must be able to withdraw their consent at any time once it is given. Consent String – A series of numbers added to an ad bid request identifying the ad vendor’s consent status. Also called “daisybit”.Cookie – A small piece of data generated by the web server upon the user’s connection that is used to identify their device on the network.COPPA (Children’s Online Privacy Protection Act) – A US Federal data protection law directed at websites that collect personal information from children under 13 age and children themselves. Requires parental consent and privacy notices for collecting children’s personal information.CPO (Chief Privacy Officer) – A person responsible for ensuring compliance with data privacy laws and regulations in an organization.CPRA (California Privacy Rights Act) – A privacy law enacted in November 2020 that ads several new amendments to the CCPA, including:
- Sensitive personally identifiable information – Expands the definition of personal information so that certain types must include special protection
- Right to restriction – Enables consumers to restrict how their personal information is used and processed by companies
- Right to rectification – Allows consumers to correct personal information that is inaccurate
Critical Infrastructure – A computer network or system whose failure would lead to major problems.Cross-border Data Transfer – The transportation of an individual’s personal data from one country to another, or in the case of General Data Protection Regulation, from the European Union to a 3rd country.Customer Access – Allowing the customer to access, review, edit, and delete their personal information.Cybersecurity – Different processes, practices, and technologies used to protect data, software, devices, and computer networks from theft, malicious attacks, and damage and to prevent unauthorized access.
D
Data Breach – Unauthorized access to personal, confidential, or otherwise sensitive data.Data Broker – A body that collects and sells individuals’ personal data.Data Classification – Giving users different levels of authorization to access data to build data protection.Data Controller – An entity such as an individual, organization, or authority, that determines “why” (purpose) and “how” (method) personal data can be processed.Data Governance – A set of rules, standards, and metrics that determine who, when, and how can someone take action upon the information to enable an organization to achieve its goals. Data Inventory – Specifies how personal data is organized and shared and where it is located. Data Localization – The demand for physically storing data in the same country or group of countries that it came from.Data Loss – Intentional or unintentional loss of data through theft, destruction, or deletion.Data Masking – The action of disguising identifiable personal data using anonymization, pseudo-anonymization, or another method.Data Minimization – An approach in data security that says that data collectors can only collect and hold the amount of data that is necessary for them to perform their duties and that they should also delete data once they no longer need it.Data Portability – The right of a data subject to receive their personal data in a commonly used machine-readable format and to request its transfer to another data controller.Data Privacy – A set of rules and guidelines that explain how data should be collected, handled, and stored depending on its importance and sensitivity.Data Processing – An action performed on personal data including collection, storage, etc.Data Processor – An organization that collects, stores, or transmits personal data.Data Protection – A set of actions and policies that an organization or individual can take to secure the data it stores and handles to prevent its loss or destruction.Data Subject – A person whose personal data is collected, stored, and/or processed by a data processor or controller.Data Quality – Qualitative and quantitative state of data and whether it can serve a certain purpose.Data Theft – The act of stealing data.Decryption – The process of converting encrypted text into plaintext using a decryption key.DES (Data Encryption Standard – Symmetric-key algorithm for data encryption published in 1975. Because of the short key length (only 56-bit), it is considered insecure by today’s standards and therefore rarely used in data protection. Digital Fingerprinting – A data security technology that allows content owners to convert their content into a digital asset using a fingerprint algorithm and that way identify, monitor, or monitor their content across various distribution channels.Digital Signature – A signature that can be used to identify and authenticate the sender of an electronic document such as an email.Disaster Recovery Plan – A documented set of guidelines and processes for the recovery of data and IT systems an organization can use in case of a data breach or disaster.DNT (Do Not Track) – An HTTP header field proposed in 2009 and implemented in most major browsers that allow the Internet user to opt out of website tracking.
E
EHR (Electronic Health Records) – Electronically stored patient health records that can include the patient’s name, gender, ethnicity, and medical information (medicines, allergies, lab test results, billing info, etc.)EMR (Electronic Medical Records) – Patient’s medical and treatment history from one doctor in digital form. It is typically not shared and if the patient switches doctors, the new doctor will start a new EMR.Email – A method of exchanging messages over the Internet between two or more people using electronic devices Email Privacy – The processes and techniques of preventing unauthorized access, tracking, or inspection of someone’s email, usually with the help of encryption.Email Security – Different procedures and techniques used for protecting the integrity of email accounts, contents, and communication against loss, compromise, and different attacksEncryption – The process of converting or encoding plaintext data into ciphertext that can only be read by someone with the decryption key.End-to-End Encryption – An encryption method in which the data is encrypted on one end using a public key (sender) and can only be encrypted by the other side (recipient) with a private keyErasure – The act of erasing one’s personal data from an online record. Under the EU General Data Protection Regulation (GDPR), data subjects can request erasure if the data is no longer required for its original purpose, is processed unlawfully in the first place, or they have not given their consent in the first place EULA (End-User Licence Agreement) – A binding legal document that can act as a contract between the software company and its user that can include data collection consent, use restrictions, and more European Data Protection Board – The EU data protection board consists of the European Data Protection Supervisor (see below) and the EU member states heads of supervisory authorities and it is the highest supervisory data protection authority established by the GDPREuropean Data Protection Supervisor – An independent body whose task is to see to it that the EU member states and companies comply with the EU data protection laws and data privacy regulations.
F
FCC (Federal Communications Commission) – A federal agency of the United States government in charge of communications and telecommunicationsFirewall – A network security device or system that monitors incoming and outgoing traffic on the network and prevents unauthorized access based on a set of pre-determined security rulesFISMA (Federal Information Security Management Act) – One of the most important federal laws regarding data privacy compliance in the US. It states that federal agencies must put into action an agency-wide IT security program that will ensure agency data security First-Party Collection – Signifies that the data subject has directly given the controller access to collect their personal information FPA (Federal Privacy Act) – A federal Australian law from 1988 that regulates how personal information in this country should be regulatedFreely Given Consent – This is the consent or permission that the data subject has given where there are no consequences should the data subject not provide consent. Under the EU’s GDPR, consent must be freely given for it to be valid
G
GDPR (General Data Protection Regulation) – The GDPR is a collection of data privacy laws that apply to all 28 member states of the and that regulate how organizations that work with customers from the EU can collect their personal data. According to the General Data Protection Regulation, in order to process data belonging to the data subject, companies must follow the 7 data protection principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
The law also states when the data processor is allowed to process data:
- When the data subject has given free and unambiguous consent
- To prepare and/or enter into a contract of which the data subject is a part
- To comply with certain legal obligations
- To perform tasks of public interest
- Where there is a legal interest to process someone’s personal data
- When it’s needed to save someone’s life
GLBA (Gramm-Leach-Bliley Act) – A US federal law that requires financial institutions such as banks, that offer their customers any kind of financial products and services (loans, insurance, financial or investment advice, etc.) to fully and unambiguously explain their data-sharing practices to the customer and to keep sensitive data safe.
H
Hacker – A person who uses their computer skills to solve a technical problem or gain access to the network. Can be a:
- White-hat, or ethical hacker, which is often employed by companies to find security weak points;
- Black-hat hacker, which breaks into computer networks and systems without permission to gain unauthorized access for personal gain
- Gray-hat hackers, penetrate networks without explicit permission from their owners to look for vulnerabilities but report them to the owner for a fee, or make the exploit public online
HIPAA (Health Insurance Portability and Accountability Act) – The Health Insurance Portability and Accountability Act is a US federal law created by the Department of Health and Human Services that has the job of improving the security, integrity, availability, and confidentiality of protected health information (PHI) data at rest and in transit.HITECH (Health Information Technology for Economic and Clinical Health Act) – HITECH is a US law signed in 2009 that promotes data privacy and security of electronic communications of health information.
I
Information Security – The practice of securing data from unauthorized access, disruption, modification, disclosure, use, or destruction. InfoSec is commonly used as an umbrella term that includes areas such as cryptography, computer forensics, mobile computing, etc. Insider Threat – A current or former employee, or someone else within the target company that can pose a security risk either on purpose (by collecting and selling confidential data to a third party) or inadvertently (for instance, by opening a phishing email that leads to malware infection).IP (Internet Protocol) Address – A unique address that identifies a certain device on the network.ISP (Internet Service Provider) – An organization that provides access to the Internet for the end-user.
J
K
Key Pair – A pair of mathematically related keys (public and private key) where one can be used to encrypt data (public key), while the other can decrypt that same data (private key).Keylogger – A computer software that can secretly and without the user’s knowledge track and record their keystrokes.
L
Location-based Service – A service that is provided based on the user’s geographical location.
M
Malware – A malicious computer software that is designed to infiltrate and cause damage to a computer, server, or network.Metadata – Data that is used to describe other data or provide context about it.Multi-Factor Authentication (MFA) – An authentication process in which the user must provide more than one factor of authentication. For instance, MFA can require that the user provide an SMS code in addition to the username and password.
N
Network Resilience – The network’s ability to provide continuous operation even when impaired or damaged and recover in case of failure.NIST (National Institute of Standards and Technology) – A section of the US Commerce Department tasked with the development of cybersecurity standards and guidelines for the US federal government.NIST Cybersecurity Framework – A set of guidelines and best practices that help businesses develop and enhance their cybersecurity by giving recommendations that organizations can use to get better prepared for detecting and identifying cyber-attacks, as well as respond, mitigate, prevent, and finally recover from cyber threats. Non-Public Personal Information – According to GLBA, this is any identifiable financial information that the customer provides. Non-Repudiation – The ability of a computer system to verify that the message has been sent by a specific user and that the data it contains has not been changed in any way or form.
O
Obfuscation – In relation to data, obfuscation is the method of replacing sensitive information with other data in order to mask the real data and make it useless to hackers. The three primary obfuscation techniques are:
- Data masking – by modifying the value of the data, for instance, words, numbers, etc.
- Data encryption – by scrambling data using private/public keys
- Data tokenization – by replacing data with other values that then require a certain token to return to the original.
Opt-In – An active decision on the user’s part to share their personal information with a third party like a website.Opt-Out – Where it is assumed that a lack of action on the user’s part implies an affirmative choice to share their data, opt-out is a step that the user needs to take to disallow the 3rd party to share their personal information.
P
Password – In computing, a string of characters (letters, numbers, special characters) that allow access to a computer system or service.Patching – Updating software to the next version to address security flaws of the current version PbD (Privacy by Design) – An approach in computer science and systems engineering in which the privacy of the user is at the core of product development, business practices, and physical infrastructure from the beginning and not just immediately before launch.PCI DSS (PCI Data Security Standard) – A security standard for payment card data that requires third-party security assessment compliance.PII (Personal Identifiable Information) – Any information through which the identity of the user can be derived. This includes the email address, phone number, ID number, SSN, or any other data that can be used (solo or in combination with other data) to identify, locate, or contact an individual. Personal Information – Information associated with a natural personPhishing – A common method for cybercriminals to trick a user into taking a certain action that can reveal their personal data, such as clicking on a malicious link, downloading a file with malware, or entering their username and password to a fake website that looks like a real one.Privacy Policy – A disclaimer usually found in the footer of the website that explains how the site collects, stores, and uses personal information.Privacy Rule – A HIPAA rule that obligates organizations to protect the medical records and information of their usersProcessor – According to GDPR, the “Processor” is a “natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller”.Pseudonymization – A method of replacing personal data fields within data records with artificial identifiers in order to anonymize the personal data of an individual. Unlike anonymization, pseudonymized data can be reversed by an authorized figure.
Q
R
Ransomware – A type of malware that installs on the user’s computer and prevents access to files unless the user pays a recovery fee Recipient- The person or organization to which an email is being sent. Redundancy –A computer backup system capable of continuing operation in case the main system failsRe-identification – The process of making de-identified data with an individual the data belongs toRetention – The idea/concept that an organization can retain the user’s data for as long as it is necessary for a certain taskRight to Access – The right of an individual to request their personal data from an organization holding them and to receive themRight to Correct – Represents the user’s right to correct information about themselves that is not accurate Right to be Forgotten – Also known as “Right to Deletion”. Represents the individual’s right to have their personal data deleted by an organization that is keeping or processing that dataRootkit – A collection of malicious computer programs that serve to provide privileged access to a system and hide the existence of other software
S
Sensitive Information – Any information that, when compromised can negatively affect its owner, whether they’re an individual user, an organization, or a government bodySHA (Secure Hash Algorithm) – Secure hashing algorithm used for hashing data and certificates. Unlike encryption, which goes both ways (decrypted data can be encrypted), hashing is a one-way process and once the data is hashed, it is impossible to crack data without some brute-force attackThe two main types of SHA are SHA-1 and SHA-2, where SHA-1 has a more crackable hash digestSNMP (Simple Network Management Protocol – This protocol oversees network management as well as monitors network devicesSocial Engineering –Devious and manipulative techniques used by scammers in order to access the person’s or an organization’s sensitive informationSOX (Sarbanes-Oxley Act) – A US federal law that regulates the transparency of companies when it comes to fraud and whistleblowersSpam – Any kind of unsolicited email message sent to the user to their email addressSpear Phishing – A type of phishing attack that targets a particular person in order to trick them into revealing sensitive or confidential dataSpyware – A malicious software (malware) that is installed on the user’s device without his or her knowledge and that can monitor the user’s behavior and system and send that information to the hackerSQL Injection – The use of malicious code against the target system’s database in order to gain unauthorized access to non-public sensitive data.SSH (Secure Shell) – A computer program that can be used to log into another device or network, use it as a remote machine, execute programs, and transfer files from one device to the other SSL/TLS (Secure Socket Layer/Transport Layer Security – A cryptographic security protocol that enables secure communication over the Internet. For example, when used between a browser and server, it converts HTTP web addresses into more secure HTTPS.SSL (Secure Socket Layer) protocol is now depreciated (no longer used) and is replaced by TLS, although the technology is still referred to as such (SSL)SSO (Single Sign-On) – An authentication service that allows the user to use a single login to access multiple services Super Cookie – A type of cookie that stays on after all other cookies have been deletedSymmetric Cryptography – A type of cryptography that uses the same encryption key (public key) to both encrypt and decrypt data
T
Threat actor – An individual or a group that aims to use software vulnerabilities, or a lack of data security awareness in users to gain unauthorized access to sensitive data, systems, or networks Two-Factor Authentication – An additional layer of cybersecurity protection beyond the username and password and delivered to a different device. For example, a token is delivered to the user’s mobile device instead of their laptop when attempting to log on to a website Trojan – A type of malicious software or code that looks legitimate but can take control of the user’s computer and damage or steal sensitive data. Unlike a virus, a Trojan cannot replicate itself and must be executed by the user
U
Unauthorized Access – A situation when someone gains access to a system or network without prior authorization. Also known as “hacking” US-CERT – A partnership between the US Department of Homeland Security and public/private sector organizations to track security vulnerabilities and release security vulnerabilities together with vendors.
V
Virus – A malicious program or code that has the capability of replicating itself spreading from device to device and modifying other computer programs unknown to the users.
W
Worm – A malicious software that can spread itself between devices by replicating. Unlike a virus, a worm does not require the host file to be activated.
X
XSS (Cross-Site Scripting) – A type of cyber attack that targets the cookies to “hijack” a web session. It happens when a hacker manages to exploit the security vulnerabilities of an app or a website and injects malicious code into the user’s device
Y
Z
Zero-Day Vulnerability – A software vulnerability for which the developer has not yet made a security patch or is not aware of it.