Global data protection glossary

2018-08-03T11:56:04+00:00

We have compiled a global data protection glossary to help develop a common global lexicon for data protection: one that is not specific to any one jurisdiction and that anyone, anywhere in the world, can use.

Key concepts and important definitions


Is the vehicle by which a user, system or service can access an IT system.

Business continuity management

The on-going management and governance process to:

  • identify potential events and their impact on business processes, and
  • maintain recovery plans to ensure continuity of services if these events occur.

Big data

Extremely large data sets that may be analysed computationally to reveal patterns, trends and associations, especially relating to human behaviour and interactions.


The rating given to information based on value, sensitivity, privacy, criticality, legal, regulatory, risk and business requirements.


A person who consumes products or services from a supplier.


The person or organisation that is doing the processing. The controller or responsible party determines the purpose (why) and means (how) the personal data is processed. In other jurisdictions, a data controller is also referred to as a responsible party.


Is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


A customer of a specific controller who receives a service or product. Essentially, this is someone whose details a controller has obtained in the context of a product or a service.

Customer data

Any personal information that relates to a customer, such as their identity number, telephone number, address, account number and other information.

Data subject

The person whose personal data or information is being processed. In South Africa (unlike the rest of the world), this right also extends to juristic persons such as trusts and companies.


Reverse process of encryption.

Direct marketing

Promoting products or services directly or indirectly to anyone, or asking for a donation. Direct marketing typically occurs via post, telephone, SMS, email, fax and AVRs.


Anyone we employ permanently and non-permanently (as defined by Group HC).


The process of hiding information or making it secret. The process involves transforming information (plaintext) using an algorithm (cipher) to make it unreadable to anyone except those with special knowledge or the code (a “key”). The result of the process is encrypted information (ciphertext).


The sharing of information on a computer, mobile device or network. The files can include everything from music and movies, to business documents.


The General Data Protection Regulation. The GDPR is a new data protection law that the European Union has enacted that will apply to the whole of the EU, and to anyone marketing to EU citizens.


Our information in any form, including physical and electronic. It includes:

  • the communication of our information in data messages or emails,
  • confidential, sensitive, personal, and special personal information, and
  • the information of our customers or clients


The Promotion of Access to Information Act.


Privacy and Electronic Communications Regulation or ePrivacy Regulation.


The Protection of Personal Information Act in South Africa.


A processor is a person or organisation who processes personal data on behalf of a controller in terms of a written contract or mandate. In some jurisdictions, this person is known as the operator.

Personal data

Information relating to:

  • an identifiable, living, natural person, and
  • where it is applicable, an identifiable, existing juristic person.


Includes to create, collect, capture, record, store, transmit, display, disclose, analyse and dispose.


A person who is not a customer of (or is not known by) a specific marketer. A person with whom a marketer does not have a relationship.

Regulatory authority

Is a body created by government to regulate a specific sector.


Is a person or organisation who processes personal information on behalf of the controller’s processor.


Our information and communications technology (facilities, systems, networks, computers and applications) that we (or you) use to process our information and send communications.

Other glossaries

The European Data Protection Supervisor has provided a comprehensive data protection glossary relevant to the GDPR, and the University of Bath provides us with one for the Data Protection Act.