Data Privacy: Key Terms
Many people celebrate Christmas on December 25th each year, but the Eastern Orthodox celebrate on January 7th. The reason is a discrepancy between the Julian (46 BC) and Gregorian (1582) calendars, due to leap years and seasonal equinoxes being omitted. The situation is analogous for many businesses and service providers, which differ on what the various terms and conditions mean, such as how privacy agreements define the rights of users and their responsibilities.
Data privacy is a form of cybersecurity concerned with the proper handling of data: consent, notice, and regulatory obligations. More specifically, it involves:
- Whether or how data is managed and shared with third parties.
- How data is collected, stored and transferred.
- Compliance with legal mandates and regulatory restrictions, such as the European Union’s (EU) General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
Knowing the definitions of some key data privacy terms is the first step to ensuring all stakeholders understand what is meant by various global acronyms and terminology. We offer some key terms with shorthand definitions to help facilitate better business conversations.
Active Data Collection and Scanning – When consumers (persons/users) willfully submit data via online behaviors such as web forms, text boxes, and radio buttons. This informed and freely given permission, by which users give up data relating to them to be processed in some manner, is known as consent.
Consent is obtained by either opting in or opting out. In other words, a user makes an affirmative choice by checking a box or, in some instances, unchecking a box to allow or prohibit their information from being shared.
Adequate Level of Protection – When organizations transfer personal data across any legal or jurisdictional boundary, they must ensure an adequate level of protection (encryption, non-disclosures to third parties, and proper handling protocols) that encompasses other elements: legal safeguards, data protection rules, and effective security measures.
Anonymized Data – Organizations engage in multiple processes or techniques to alter personally identifiable data in such a way that it can no longer be related back to a named person. Among these techniques are suppression (reduce identifiable characteristics), generalization (altering identifying values), and white noise (aggregate datasets). These techniques are referred to as pseudonymization, whereby data is no longer attributed to specific persons.
Biometric (Personal) Data – Any information related to an identified or identifiable data subject (natural person). That includes physical and behavioral features of a person, such as DNA, facial, fingerprint, and iris characteristics, which allow the identification of that person.
Communication Privacy – Encompasses protection of the means of correspondence, including postal mail, telephone conversations, and electronic mail (e-mail).
Binding Corporate Rules – Internal operating procedures agreed upon and adopted by multinational organizations to define and contain all data transfers within the same business group, to avoid multiple and differing levels of data protection from various nations.
Business (Case) Purpose – Defines ways to meet specific business goals to achieve the operational purpose for which personal data is being collected or processed. For example, the use of personal data is to be reasonably necessary and proportionate to achieve a business purpose and comply with privacy laws or regulations.
Controller (Data) – The organizational authority, legal person, or other body which establishes the purpose and method of data management, alone or together with other actors. A processor is an organizational authority, legal person, or other body which processes data on behalf of the controller.
Data Brokers – Organizations that collect, aggregate, and sell personal data, derivatives, and inferences from disparate public or private sources.
DLP Strategy – Describes a strategy for ensuring organizations or their partners do not disseminate sensitive information, whether intentionally or unintentionally, to ineligible outside sources. This requires using auditable software tools to monitor and control all types of data transfers.
Privacy Impact Assessments – Outside assessments of an organization’s compliance with its privacy policies and procedures, applicable laws, regulations, and service-level agreements.
Right to Correct, Delete or Be Forgotten – A person’s right to have their personal data corrected (amended) or forgotten by a business or other organization possessing or controlling their data. This process is known as a subject access request (SAR).
Service Providers – Encompasses sole proprietorships, partnerships, limited liability companies, corporations, associations, or other legal entities that are organized or operated for the profit or financial benefit of their shareholders or other owners. Third parties are authorized by these service providers to manage and process personal data.
Definitions compiled from these authoritative sources: