Privacy Glossary

Confirmed Opt-In – An email approach where email marketers send a confirmation email requiring a response from the subscriber before the subscriber receives the actual marketing e-mail.

Data Classification – A scheme that provides the basis for managing access to, and protection of, data assets.

Data Controller – Controls what personal data is processed. Defined as a person or entity which determines the purposes, conditions, and means of the processing of personal data. Data controllers may create third-party agreements with data processors and sub-processors. The data controller is responsible for the conduct of its data processors.

Data Elements – A unit of data that cannot be broken down further or has a distinct meaning. This may be a date of birth, a numerical identifier, or location coordinates. In the context of data protection, it is essential to understand that data elements in isolation may not be personal data but, when combined, become personally identifiable and therefore personal data.

Data Processor – A person or entity which processes personal data on behalf of the controller. Data Processors may create sub-processor agreements as authorized by the data controller.

DPO or Data Protection Officer – A DPO oversees data protection strategies and implementation to ensure an entity’s compliance with GDPR requirements. A controller or processor must appoint a DPO if the entity’s data processing is carried out by a public authority or if the data processing involves regular and systematic monitoring of data subjects on a large scale, or if processing sensitive personal data on a large scale.

Data Recipient – A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. Public authorities that receive personal data in the framework of a particular inquiry by EU or member state law shall not be regarded as recipients, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Data Subject – An identified or identifiable person about whom information is being processed. An EU data subject is a natural person (not a legal entity like a company) physically within the EU, regardless of residence or nationality.

EU – The European Union is comprised of 28 members, including Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

Information Life Cycle – The information life cycle recognizes that data has a different value, and requires different approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: collection, processing, use, disclosure, retention, and destruction.

Information Privacy – One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

Information Security – The protection of information to prevent loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity, and availability of information.

Personal data – Any information relating to a natural person (data subject) that can directly or indirectly identify that person. Examples include a name, an identification number, location data (e.g., mailing address or IP address), an online identifier (e.g., cookies) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR does not apply to data rendered anonymous (individuals cannot be identified from the data) or pseudonymous (provided that the “key” that enables re-identification of individuals is kept separate and secure).

Personal Information – A synonym for “personal data,” which is a term with particular meaning in the European Union, where the General Data Protection Regulation defines it as any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly — in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

Personally Identifiable Information – Any information about an individual, including any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linkable to an individual, such as medical, educational, financial, and employment information.

Opt-In – One of the two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.

Opt-Out – One of the two central concepts of choice. It means an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, their information will be shared with third parties.

Privacy Assessment – An assessment of an organization’s compliance with its privacy policies and procedures, applicable laws, regulations, service-level agreements, standards adopted by the entity and other contracts. The assessment or audit measures how closely the organization’s practices align with its legal obligations and stated practices and may rely on subjective information such as employee interviews/questionnaires and complaints received, or objective standards, such as information system logs or training and awareness attendance and test scores. Audits and assessments may be conducted internally by an audit function or by external third parties. It is also common in some jurisdictions for the privacy/data protection officer to conduct assessments. The results of the assessment or audit are documented for management sign-off and analyzed to develop recommendations for improvement and a remediation plan. Resolution of the issues and vulnerabilities noted is then monitored to ensure appropriate corrective action is taken on a timely basis. While assessments and audits may be conducted on a regular or scheduled basis, they may also arise ad hoc as the result of a privacy or security event or due to a request from an enforcement authority.

Privacy by Design – Generally regarded as a synonym for Data Protection by Design (see Data Protection by Design). However, Privacy by Design as a specific term was first outlined in a framework in the mid-1990s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, with seven foundational principles.

Privacy Notice – A statement made to a data subject that describes how an organization collects, uses, retains and discloses personal information. A privacy notice may be referred to as a privacy statement, a fair processing statement or, sometimes, a privacy policy. Numerous global privacy and data protection laws require privacy notices.

Privacy Policy – An internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding the personal information, instructing them on the collection, use, storage and destruction of the data, as well as any specific rights the data subjects may have. May also be referred to as a data protection policy.

Re-identification – The process of using publicly available information to re-associate personally identifying information with data that has been anonymized.

Sedona Conference – An essential source of standards and best practices for managing electronic discovery compliance through data retention policies. Regarding email retention, the Sedona Conference offers four key guidelines:

  1. Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units;
  2. such groups should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice;
  3. interdisciplinary teams should reach consensus as to policies while looking to industry standards;
  4. technical solutions should meet and parallel the functional requirements of the organization.

Transparency – Taking appropriate measures to provide any information relating to processing to the data subject in a concise, intelligible and easily accessible form, using clear and understandable language.