Global data protection glossary

Published 2018-08-22
  • plain language and glossary, plain legal documents

We have compiled a global data protection glossary to help develop a common global lexicon for data protection: one that is not specific to any one jurisdiction, but one that anyone anywhere in the world can use. It is important that we all use the same language. It makes communication much easier and avoids misunderstandings. We believe these terms form the basis of the global conversation on data protection law, and we use them in our data protection compliance programme.

Key concepts and important definitions


The vehicle by which a user, system or service can access an IT system.

Business continuity management

The ongoing management and governance process to:

  • identify potential events and their impact on business processes, and
  • maintain recovery plans to ensure continuity of services if these events occur.

Big data

Extremely large data sets that may be analysed computationally to reveal patterns, trends and associations, especially relating to human behaviour and interactions.


The rating given to information (or data) based on value, sensitivity, privacy, criticality, legal, regulatory, risk and business requirements.

Consumer

A person who consumes products or services from a supplier. A consumer is defined in terms of consumer protection law and can be different from what is considered a customer for the purposes of data protection law. Consumer protection laws often cover all natural persons and small to medium-sized entities.

Controller

The person or organisation that decides how personal data is processed. The controller determines the purpose (why) and the means (how) of the processing, whether it carries out the processing itself or uses a processor. In some jurisdictions (South Africa, for example) a data controller is referred to as a responsible party.

Consent

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Customer

A customer of a specific controller who receives a service or product. Essentially, this is someone whose details a controller has obtained in the context of a product or a service.

Customer data

Any personal information that relates to a customer, such as their identity number, telephone number, address, account number and other information.

Data subject

The person whose personal data or information is being processed. In South Africa (unlike most jurisdictions), the definition also extends to juristic persons such as trusts and companies.

Direct marketing

Promoting products or services directly or indirectly to anyone, or asking for a donation. Direct marketing typically occurs via post, telephone, SMS, email, fax and AVRs.

Employee

Anyone employed permanently or non-permanently. Employees are an important group of data subjects.

Encryption

The process of transforming information (plaintext) using an algorithm (a cipher) and a secret value (a key) so that it is unreadable to anyone who does not hold the key. The result is encrypted information (ciphertext). Decryption is the reverse process: turning ciphertext back into plaintext with the key. Encryption protects confidentiality; on its own it does not show who produced the data or that it has not been altered, which is why modern systems use authenticated encryption modes that also detect tampering.

File sharing

The sharing of files on a computer, mobile device or network. The files can include everything from music and movies to business documents.

GDPR

The General Data Protection Regulation. The GDPR is the European Union’s data protection law, applicable since 25 May 2018. It applies throughout the EU and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.


Our information in any form, including physical and electronic. It includes:

  • the communication of our information in data messages or emails,
  • confidential, sensitive, personal, and special personal information, and
  • the information of our customers or clients


A data protection officer (DPO) or an information officer (IO). The GDPR requires some controllers to have a DPO. All bodies in South Africa have an information officer, who is usually the chief executive officer or head of the organisation. Everyone has one by default. It is PAIA that determines who this person is. POPIA simply makes the same person responsible. The DPO and IO are similar but slightly different roles.

Opt-in

Agreement to receive direct marketing. Opt-out is a request not to receive direct marketing.

PAIA

The Promotion of Access to Information Act.

PECR

The Privacy and Electronic Communications (EC Directive) Regulations 2003, the UK regulations that implement the EU ePrivacy Directive (2002/58/EC). Not to be confused with the proposed EU ePrivacy Regulation, which is intended to replace that directive.

POPIA

The Protection of Personal Information Act. Some call it POPI or the POPI Act, but the Information Regulator has asked us to call it POPIA.

Processing

Essentially, doing anything with personal information. Processing is defined in POPIA.

Processor

A person or organisation who processes personal data on behalf of a controller in terms of a written contract or mandate. In some jurisdictions (South Africa, for example) a processor is known as an operator.

Products or services

Some laws refer to goods rather than products. Products include all forms of products or goods, including digital goods.

Personal data

Data relating to an identifiable, living, natural person: any data that identifies a person. In South Africa, where applicable, it also includes data relating to an identifiable, existing juristic person. It includes race, gender, sex, age, medical information, financial information, criminal or employment history, email address, physical address, telephone number, biometric information and more. In some countries it is called personal information, but globally personal data is the more commonly used term.


Includes to create, collect, capture, record, store, transmit, display, disclose, analyse and dispose of.


A person who is not a customer of (or is not known by) a specific marketer. A person with whom a controller does not have a relationship.

Regulatory authority

A body created by the government to regulate a specific sector. Data protection regulators are also called data protection authorities, commissioners or regulators.

Sub-processor

A person or organisation who processes personal information on behalf of the controller’s processor.


Any information or communications technology (facilities, systems, networks, computers and applications) we (or you) use to process information and send communications.

Other glossaries

The European Data Protection Supervisor has provided a comprehensive data protection glossary relevant to the GDPR, and the University of Bath provides one for the Data Protection Act.