Understanding and complying with knowledge safety and privateness laws is tough sufficient. With all the jargon and acronyms thrown round, it could typically really feel like legal professionals and regulators don’t need you to know. Worry not, we have put collectively a complete knowledge safety and privateness glossary that will help you type all of it out.
A B C D E F G H I J Okay L M N O P Q R S T U V W X Y Z
Entry management is the method of proscribing entry to assets, reminiscent of computer systems, information, or providers, to approved customers solely.
The dictionary definition of accountability, in accordance with Webster’s is “an obligation or willingness to simply accept duty or to account for one’s actions.” The definition utilized by the GDPR and different knowledge safety frameworks is builds on that precept by requiring that organizations have the ability to reveal that their dealing with of private knowledge is completed in compliance with the regulation.
Accuracy is a knowledge safety precept that mandates that private knowledge is correct and up-to-date. In accordance with the fourth precept of GDPR, any private knowledge collected or processed have to be “correct and, the place vital, stored updated.” Moreover, GDPR mandates that “each affordable step have to be taken to make sure that private knowledge which might be inaccurate,” regarding the functions for which they’re processed, “are erased or rectified at once.”
Lively Knowledge Assortment
Lively knowledge assortment refers to knowledge that’s collected knowingly and transparently from the consumer, comparable to via an internet type, examine field, or survey.
Exercise screens determine suspicious conduct by monitoring exercise on machines and networks.
Enough Degree of Safety
Underneath the GDPR, “Enough Degree of Safety” refers back to the degree of knowledge safety that the European Fee requires from a 3rd nation or worldwide group earlier than approving cross-border knowledge transfers to that third nation or worldwide group.
In making their judgement, the European Fee considers not solely the info safety guidelines, and safety measures of the third nation or worldwide org., but in addition the rule of regulation, respect for human rights, and the enforcement of compliance and knowledge safety guidelines.
Superior Encryption Normal (AES)
The Superior Encryption Commonplace (AES), also referred to as RijnDael is an encryption commonplace chosen by NIST in 2001 as a alternative for the Knowledge Encryption Normal (DES). The AES is a symmetric-key algorithm, which suggests the identical key’s used for encrypting and decrypting knowledge.
Knowledge Anonymization is a course of that alters personally identifiable knowledge (PII) in such a fashion that it may well not be used to determine a person. This may be carried out by eradicating sure figuring out values from knowledge units, or by generalizing figuring out values.
Nameless knowledge is knowledge that isn’t associated to an identifiable particular person and can’t be utilized in mixture with different knowledge to determine people. Nameless knowledge is just not protected by the GDPR.
Within the context of the GDPR, “Applicable Safeguards” refers back to the software of the GDPR’s knowledge safety rules to knowledge processing. The GDPR’s Knowledge safety rules embrace transparency, knowledge minimization, storage limitation, knowledge high quality, authorized foundation for processing, and objective limitation.
Article 29 Working Get together
The Article 29 Working Celebration (WP29) was the previous EU unbiased advisory physique on knowledge safety and privateness. It was changed by the European Knowledge Safety Board (EDPB) when the GDPR went into impact.
Auditing is the act of systematically analyzing, evaluating, and analyzing a corporation’s belongings to make sure compliance and safety requirements are met.
An audit path is a path of information, logs, or paperwork used to document an exercise for auditing functions.
Authentication is the method of verifying a claimed id and proving that somebody is who they declare to be when trying to entry a useful resource.
Authenticity is the standard of validity of a bit of data; that it’s correct and has not been modified.
Knowledge processing that’s carried out with out human interplay.
Availability, or accessibility, is the property of getting knowledge accessible on demand when it’s wanted by the group or requested by the info topic. The GDPR requires that private knowledge be out there to the info topic upon request.
A backdoor is a device put in by an attacker in an effort to give themselves quick access to a compromised system, with out alerting safety mechanisms.
Binding Company Guidelines (BCRs)
Underneath the GDPR, Binding Company Guidelines (BCRs) are an applicable safeguard that permits for cross-border knowledge transfers between multinational elements of a worldwide company or group. BCRs be sure that the whole group follows the identical set of binding knowledge safety requirements.
Biometric knowledge is any knowledge that considerations bodily traits, similar to fingerprints, voice, or DNA. The GDPR doesn’t permit the processing of biometrics knowledge besides beneath particular circumstances.
Brazil Common Knowledge Safety Regulation
Impressed by the GDPR, in mid-August of 2018, Brazil handed a brand new authorized framework aimed toward governing the use and processing of private knowledge in Brazil: the Common Knowledge Safety Regulation. The regulation replaces roughly 40 or so legal guidelines that presently cope with the safety of privateness and private knowledge, and is aimed toward guaranteeing particular person rights, and inspiring financial progress by creating clear and clear guidelines for knowledge assortment. For extra info, take a look at our full protection of the invoice right here.
Breach disclosure, or breach notification is the act of notifying regulators in addition to victims of knowledge breaches that an incident has occurred. Underneath Article 34 of the GDPR, a corporation should notify affected customers inside 72 hours of the incident.
Bureau of Shopper Safety
A Bureau of the USA’ Federal Commerce Fee that’s tasked with stopping fraudulent enterprise practices.
California Shopper Privateness Act
The California Shopper Privateness Act (CCPA) is a state-level privateness regulation for California, which comes into impact in 2020. The regulation, which is the primary state-level privateness regulation handed within the US, applies to all companies that gather private knowledge from Californians. The CCPA mirrors the necessities of the GDPR in some ways, reminiscent of establishing the fitting of customers to entry private knowledge and request deletion.
A certification is a declaration by a certifying physique that a corporation or product meets sure safety or compliance necessities.
A type of authentication that makes use of SSL and certificates to authenticate and encrypt HTTP visitors.
Chief Info Safety Officer (CISO)
An government inside a corporation who’s the top of data safety.
Chief Privateness Officer
An government inside a corporation who’s liable for managing compliance with privateness legal guidelines and insurance policies.
Youngsters’s On-line Privateness Safety Act (COPPA) of 1998
A Federal regulation that applies to web sites and on-line providers directed at youngsters beneath the age of 13, in addition to web sites and providers that gather private info from youngsters beneath the age of 13. COPPA requires privateness notices and parental consent for knowledge assortment.
Chinese language Cybersecurity Regulation (CSL)
The Chinese language Cybersecurity Regulation is a sweeping cybersecurity and privateness regulation handed in 2016, and implement in 2017. The regulation mirrors the GDPR in some ways, together with knowledge localization necessities, and the inclusion of rights reminiscent of the best to erasure. Nevertheless, in contrast to the GDPR, the CSL provides enforcement businesses broad leeway to determine which corporations have to be compliant, and what, precisely, compliance appears like. For extra on the CSL, learn my submit on the regulation right here.
In a privateness context, selection is the power of knowledge topics to freely and genuinely select whether or not or to not consent to knowledge assortment. Implied consent just isn’t thought-about legitimate selection underneath the Common Knowledge Safety Regulation.
A cryptographic algorithm used for encryption and decryption.
Cloud computing is the supply of data know-how providers or assets by way of a community, fairly than from on-premise hardware and assets. There are 5 fundamental traits of cloud computing: on-demand self-service, broad community entry, useful resource pooling, speedy enlargement (sometimes known as elasticity), and measured service. Primarily, a cloud supplier works like a utility firm (assume electrical or water)—they host the assets or providers that you simply want, and ship them on-demand, scaling up or down to fit your wants. For extra info, take a look at our Cloud Computing Glossary.
Cloud Service Supplier (CSP)
A cloud service supplier is any firm that sells a cloud computing service, be it PaaS, IaaS, or SaaS.
Codes of Conduct
Codes of Conduct are a legitimate adequacy mechanism for the cross-border switch of private knowledge underneath the GDPR. Just like Binding Company Guidelines, Codes of Conduct are guidelines developed by teams representing knowledge controllers or processors, reminiscent of business commerce teams, so as to reveal compliance with knowledge safety guidelines. These guidelines are then accredited or disapproved by the European Knowledge Safety Board.
Confidentiality is the assure that info is simply obtainable to those that are approved to make use of it.
Within the context of privateness, consent is the power of a knowledge topic to say no or consent to the gathering and processing of their private knowledge. Consent could be specific, comparable to opting-in by way of a type, or implied, similar to agreeing to an Finish-Consumer License Settlement, or not opting out. Underneath many knowledge safety legal guidelines, consent should all the time be specific.
Shopper Monetary Safety Bureau (CFPB)
An unbiased bureau of the USA Federal Reserve meant to supervise and regulate the monetary business. The CFPB was created by the Dodd-Frank Act.
Credit score Freeze
A safety measure used to stop id theft that locks a person’s knowledge at shopper reporting businesses, thus stopping new strains of credit score from being opened.
Essential Infrastructure is any pc methods or networks which might be deemed essential sufficient that their incapacitation would end in main points.
Cross-border Knowledge Transfers
Cross-border Knowledge Transfers are the switch of private knowledge from one authorized jurisdiction, such because the EU, to a different, such because the US. Many knowledge safety legal guidelines place main restrictions on cross-border knowledge transfers.
The safety of data and communications towards injury, exploitation, or unauthorized use.
A knowledge breach is any unauthorized entry to, motion of, or disclosure of delicate or private knowledge.
Knowledge Breach Notification
See Breach Disclosure.
In accordance with the GDPR, a Knowledge Dealer is any entity that collects and sells people’ private knowledge.
In accordance with the GDPR, a Knowledge Controller is a corporation, company, public authority, or person who determines the how and why of knowledge processing. The info controller can also be a knowledge processor, or they could make use of a third-party knowledge processor.
Knowledge Encryption Normal (DES)
A well-liked knowledge encryption normal that makes use of a secret key randomly chosen from a set of 72 quadrillion values.
Knowledge localization is the requirement that knowledge is bodily saved in the identical nation or group of nations that it originated from. This can be a widespread requirement in trendy privateness and knowledge safety payments, such because the GDPR, China’s CSL, and Brazil’s Safety Regulation. For instance, underneath the GDPR, an organization accumulating the info of an EU citizen must retailer that knowledge on a server within the EU.
The unintentional lack of knowledge, whether or not by way of unintentional deletion, destruction, or theft.
Knowledge Loss Prevention (DLP)
A time period referring to procedures or instruments used to stop the lack of knowledge from a community.
Knowledge minimization is a privateness idea that states knowledge collectors ought to solely acquire and retain the naked minimal of private knowledge that’s crucial for the info processor to carry out their duties, and will delete that knowledge when it’s not needed.
Knowledge portability is a proper beneath the GDPR that ensures knowledge topics are allowed to obtain their private knowledge from a knowledge controller in a generally used and machine-readable format, and now have the correct to request that their knowledge is transferred to a different controller.
Knowledge processing is any motion that’s carried out on private knowledge or units of private knowledge, reminiscent of accumulating, structuring, storing, or disseminating that knowledge.
A knowledge processor in GDPR is outlined as any group that collects, processes, shops or transmits private knowledge of EU residents.
Within the EU, Knowledge Safety is a authorized time period referring to legal guidelines and laws aimed toward defending the private knowledge of people and figuring out that knowledge’s truthful use. Within the US, it’s a basic time period typically used interchangeably with phrases like “info safety” and “info privateness.”
Knowledge Safety Authority
A Knowledge Safety Authority (DPA) is an unbiased public authority set as much as supervise and implement knowledge safety legal guidelines within the EU. Every EU member state has its personal DPA.
Knowledge Safety Officer
A Knowledge Safety Officer (DPO) is a person inside a corporation who’s tasked with advising the group on GPDR compliance and speaking with their Knowledge Safety Authority. Organizations that course of private knowledge as a part of their enterprise mannequin are required to nominate a DPO.
Knowledge Safety Precept
A precept set forth in Article 5 of the GDPR. The rules listed in Article 5 are: Lawfulness, equity and transparency; Objective limitation; Knowledge minimization; Accuracy; Storage limitation; Integrity and confidentiality.
The person who a bit or set of knowledge pertains to.
The act of stealing of data.
Decryption is the transformation of an encrypted message into plaintext.
Catastrophe Restoration Plan
A Catastrophe Restoration Plan is a plan to implement the method of restoration of IT methods and knowledge within the occasion of a catastrophe.
See breach disclosure.
Due Diligence is the duty that organizations keep a plan to guard knowledge, forestall fraud, and detect knowledge breaches once they happen.
Digital Medical Data (EMR)
Data that include the usual medical and medical knowledge gathered in a single supplier’s workplace.
Digital Well being Data (EHRs)
Pc data that transcend the info collected within the supplier’s workplace and embrace a extra complete affected person historical past. EHRs could also be shared throughout a number of suppliers or healthcare organizations.
Encryption is the transformation of plaintext knowledge right into a protected type referred to as a cipher textual content, which hides the unique knowledge’s which means. Encryption is required as knowledge safety greatest apply by a number of knowledge safety legal guidelines, together with HIPAA and GDPR.
Finish-Consumer License Settlement (EULA)
An Finish-Consumer License Settlement is a binding authorized doc that acts as a contract between the proprietor of a software program software and the consumer(s) of that software. The EULA might embrace a cost contract, restrictions on use of the software program, and even consent to knowledge assortment.
Erasure is the act of erasing private knowledge. Underneath Article 17 of the GDPR, knowledge topics are granted the appropriate to request the erasure of their private knowledge beneath the next circumstances: If the authorized foundation for knowledge processing is the info topics’ consent, if the info is not wanted for its unique objective, or if the info has been processed unlawfully. Different omnibus knowledge safety legal guidelines, such because the Brazilian Common Knowledge Safety Regulation, have adopted the GDPR’s instance in establishing a proper to erasure.
EU-US Privateness Defend
An adequacy settlement created in 2016 to exchange the EU-U.S. Protected Harbor Settlement. The EU-U.S. Privateness Defend lets collaborating organizations beneath the jurisdiction of the US Federal Commerce Fee switch private knowledge from the EU to america.
European Knowledge Safety Board
The European Knowledge Safety board is the first supervisory authority established by the GDPR. The board consists of the heads of EU member states’ supervisory authorities in addition to the European Knowledge Safety Supervisor. The objective of the EDPB is to make sure constant software of the GDPR by member states.
European Knowledge Safety Supervisor
An unbiased authority that goals to make sure that European organizations and member states adjust to the privateness guidelines of the GDPR.
Any observable prevalence in a pc system or community.
The unauthorized switch of knowledge off of a pc or community.
A software or method used to breach a community. An exploit will sometimes “exploit” a flaw within the community or its safety.
A discontinuity in a community to stop unauthorized entry.
Federal Communications Fee (FCC)
The Federal Communications Fee (FCC) is an company of the USA Federal Authorities that regulates communications and telecommunications.
Federal Info Safety Administration Act of 2002 (FISMA)
The Federal Info Safety Administration Act of 2002, or FISMA, is a US federal regulation that requires federal businesses to implement agency-wide info safety packages designed to guard company operations and knowledge. Beneath FISMA, contractors working for an company should additionally adjust to the company’s safety program. FISMA requires businesses to conduct annual audits of their safety packages, and supply studies to the Workplace of Administration and Price range, which can then current these reviews to Congress. In 2014, the regulation was amended by The Federal Info Safety Modernization Act, generally referred to as FISMA Reform, which up to date the regulation to get rid of antiquated reporting necessities and changed them with steady monitoring necessities.
Federal Privateness Act 1988
The Federal Privateness Act 1988 is an Australian regulation that regulates how private info is dealt with. The regulation is a notable predecessor to trendy privateness legal guidelines just like the GDPR. To study extra, take a look at our full submit on the regulation right here.
A gateway is any community level that acts as an entrance to a separate community or the web.
Basic Knowledge Safety Regulation (GDPR)
The Basic Knowledge Safety Regulation (GDPR) is an omnibus knowledge safety regulation that applies to all 28 Member States of the European Union.
The purpose of the GDPR is to set a excessive normal for knowledge safety, and to offer one set of knowledge safety guidelines for all the EU. The 99 articles of the GDPR set forth a number of elementary rights of knowledge safety, together with the proper to be told, proper of entry, proper to rectification, proper to erasure/to be forgotten, proper to limit processing, proper to knowledge portability, proper to object and rights in relation to automated determination making and profiling.
These guidelines set by the GDPR apply to any group that processes the private knowledge of EU residents, whether or not that group itself is predicated within the EU or not. The GDPR modernizes the rules from the EU’s 1995 Knowledge Safety Directive and applies to non-public knowledge of EU residents from that’s processed by what the regulation calls knowledge controller and knowledge processors. Monetary penalties for non-compliance attain as much as USD $24M, or four% % of worldwide annual turnover, whichever is larger. For a extra in depth view of the GDPR, take a look at our GDPR Overview submit.
A hacker is any person who violates pc safety by means of technical means.
Well being Breach Notification Rule
A rule beneath HITECH that requires distributors of private well being data to inform shoppers when the safety of their well being info has been breached.
Well being Info Know-how for Financial and Medical Well being Act (HITECH)
The Well being Info Know-how for Financial and Medical Well being Act (HITECH) is an American regulation enacted as a part of the American Restoration and Reinvestment Act of 2009. HITECH goals to construct on the healthcare safety and privateness necessities set forth by HIPAA. HITECH does so by including tiered financial penalties for noncompliance, in addition to the requirement for breach notifications.
Well being Insurance coverage Portability and Accountability Act (HIPAA)
The Well being Insurance coverage Portability and Accountability Act, or HIPAA, is an American regulation that units nationwide requirements and laws for the switch of digital healthcare data. Beneath HIPAA, sufferers should choose in earlier than their healthcare info might be shared with different organizations.
Who or what somebody or one thing is.
Theft of a person’s personally identifiable info, and the fraudulent use of that info for financial achieve.
An incident as an antagonistic community occasion.
The steps taken in response to a safety or knowledge loss incident.
Info Safety Coverage
The directives, guidelines, laws, and greatest practices that a corporation follows to handle and safe info.
Any particular person with insider entry to a corporation’s networks or assets that may permit them to take advantage of the vulnerabilities of that group’s safety or steal knowledge.
Knowledge Integrity assurance that info has not been modified and that it’s correct and full. The GDPR mandates that knowledge controllers and processors implement measures assure knowledge integrity.
Web Service Supplier (ISP)
A enterprise that gives entry to the web and associated providers.
Revealed initially in 2004, ISO 20022 is an open, worldwide normal that defines the ISO platform for the event of monetary message requirements. The usual isn’t managed by any single group. Anybody within the monetary business can take part, and the usual is free to implement. It options fully-established upkeep, governance and evolution processes that can be utilized to create requirements for monetary messaging. For extra info, take a look at our publish on ISO 20022.
Least Privilege is a safety precept which mandates that customers must be granted the least quantity of permissions essential to carry out their job.
Authorized Foundation for Processing
The GDPR mandates that knowledge controllers should exhibit a authorized foundation for knowledge processing. The six authorized bases for processing listed within the regulation are: consent, necessity, contract requirement, authorized obligation, safety of knowledge topic, public curiosity, or respectable curiosity of the controller.
A generic time period for quite a lot of several types of malicious software program that’s meant to infiltrate computer systems or pc community.
Markets in Monetary Devices Directive II (MiFID II)
Issued by the European Union, MiFID II is an up to date model of the Markets in Monetary Devices Directive, which went into impact in 2007. MiFID II broadens the scope of MiFID to incorporate elevated transparency at each stage of a transaction—from when orders are first positioned till they’re reconciled. Each commerce have to be intently monitored at each part. For extra info, take a look at our publish on the regulation right here.
Beneath HITECH, significant use is outlined as utilizing licensed digital well being document (EHR) know-how to: Enhance high quality, security, effectivity, and scale back well being disparities. Interact sufferers and household. Enhance care coordination, and inhabitants and public well being. Keep privateness and safety of affected person well being info.
Metadata is that describes different knowledge.
Multi-Issue Authentication (MFA)
An authentication course of that requires multiple issue of verification. An instance can be a login that requires a username and password mixture, in addition to an SMS-code verification.
Nationwide Institute of Requirements and Know-how (NIST)
The Nationwide Institute of Requirements and Know-how (NIST) is a unit of the US Commerce Division tasked with selling and sustaining measurement requirements. NIST leads the event and issuance of safety requirements and tips for the federal authorities.
Negligence is the breach of a authorized obligation to guard private info.
Non-repudiation is the power for a system to show that a particular consumer and solely that consumer despatched a message and that the message or knowledge hasn’t been modified in any means.
When a person makes an lively indication of selection, akin to checking a field indicating willingness to share info with third events.
The other of opt-in. Choose-out assumes that a lack of motion implies that a selection has been made, similar to when an individual doesn’t uncheck a field indicating willingness to share info with third events.
Passive Knowledge Assortment
Passive knowledge assortment is any knowledge assortment method that gathers info routinely, with or with out the top consumer’s information.
A singular code that authenticates a consumer’s id.
Patching is the method of updating software program to a unique model, typically to deal with safety flaws.
PCI Knowledge Safety Commonplace (PCI DSS)
The PCI Knowledge Safety Commonplace (PCI DSS) is a safety commonplace for cost card knowledge drafted by the Cost Card Business Safety Requirements Council. Compliance requires third-party safety assessments.
Any info referring to an recognized or identifiable pure individual.
Private Identifiable Info (PII)
Info from which the id of a person may be inferred.
Any try and trick a consumer into an motion corresponding to getting into credentials at a pretend web site, clicking a malicious hyperlink, or downloading a malicious file. Phishing assaults typically take the type of emails that seem to return from a trusted supply.
Atypical readable textual content.
Malware that encrypts a tool and denies the consumer entry to key information until they pay a charge to recuperate them.
Backup techniques that may keep performance within the occasion of the failure of the primary system.
Within the idea of privateness, retention is the concept organizations ought to solely retain info so long as it’s pertinent.
Proper of Entry
A person’s proper to request and obtain their private knowledge from a enterprise or different group.
Proper to be Forgotten
A person’s proper to have their private knowledge deleted by a enterprise or different group possessing or controlling that knowledge.
Proper to Right
The appropriate for people to right or amend details about themselves that’s inaccurate.
Proper to Deletion
A person’s proper to have their private knowledge deleted by a enterprise or different group possessing or controlling that knowledge.
Danger Evaluation is the method by which dangers are recognized and the impression of these dangers is decided.
Sarbanes-Oxley Act (SOX)
Sarbanes-Oxley Act, or SOX, is a US regulation that regulates the transparency of publicly held corporations in relation to fraud and whistleblowers.
Safe Shell (SSH)
A program used to log into one other pc over a community, execute duties on the distant machine, and switch information from one machine to a different.
Safe Sockets Layer (SSL)
A protocol developed to transmit personal knowledge and information by way of the Web. SSL makes use of a public key to encrypt knowledge, which is then transmitted by way of the SSL connection.
A boundary inside which safety controls are enforced.
Delicate info, as outlined by the federal authorities, is any unclassified info that, if compromised, might adversely have an effect on the nationwide curiosity or conduct of federal initiatives.
A one-way cryptographic hash perform.
Easy Community Administration Protocol (SNMP)
A protocol governing community administration and the monitoring of community units.
Single Signal-On (SSO)
An authentication device that lets a consumer use one set of credentials to log into a number of providers and instruments.
Utilizing manipulative methods, akin to lies, misdirection impersonation, blackmail, and threats to entry delicate info.
A phishing assault focused at a selected individual, often a person with delicate credentials.
Any potential for violation of safety.
The identification of the forms of threats that a corporation is uncovered to.
The tactic a menace makes use of to get to the goal.
Transport Layer Safety (TLS)
A protocol that secures the connection between a server and shopper. TLS is a successor to SSL.
Two-Issue Authentication (2FA)
See multi-factor authentication.
US-CERT is a partnership between america Division of Homeland Safety and private and non-private sector organizations. US-CERT tracks safety points and vulnerabilities and works with distributors to launch patches for vulnerabilities.
Any flaw or weak spot that can be utilized to assault a system or group.
(perform(d, s, id)
var js, fjs = d.getElementsByTagName(s);
if (d.getElementById(id)) return;
js = d.createElement(s); js.id = id;
js.src = “//join.fb.internet/en_US/all.js#xfbml=1&standing=zero”;
(doc, ‘script’, ‘facebook-jssdk’));