Global data protection glossary

Published 2018-08-22T14:38:27+00:00

We have compiled a global data protection glossary to help develop a common global lexicon for data protection: one that is not specific to any one jurisdiction, but one that everyone anywhere in the world can use. It is important that we all use the same language; it makes communication much easier and avoids misunderstandings. We believe that these terms form the basis of the global conversation on data protection law. We use these terms in our data protection compliance programme.

Key concepts and important definitions

Account

The vehicle by which a user, system or service can access an IT system.

Business continuity management

The ongoing management and governance process to:

  • identify potential events and their impact on business processes, and
  • maintain recovery plans to ensure continuity of services if these events occur.

Big data

Extremely large data sets that may be analysed computationally to reveal patterns, trends and associations, especially relating to human behaviour and interactions.

Classification

The rating given to information (or data) based on value, sensitivity, privacy, criticality, legal, regulatory, risk and business requirements.

Consumer

A person who consumes products or services from a supplier. A consumer is defined in terms of consumer protection law and can be different from what is considered a customer for the purposes of data protection law. Consumers typically include all natural persons and small to medium-sized entities.

Controller

The person or organisation responsible for the processing. The controller determines the purpose (why) and means (how) of the processing of personal data. In other jurisdictions, a data controller is also referred to as a responsible party.

Consent

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Customer

A customer of a specific controller who receives a service or product. Essentially, this is someone whose details a controller has obtained in the context of a product or a service.

Customer data

Any personal information that relates to a customer, such as their identity number, telephone number, address, account number and other information.

Data subject

The person whose personal data or information is being processed. In South Africa (unlike the rest of the world), this term also extends to juristic persons such as trusts and companies.

Direct marketing

Promoting products or services directly or indirectly to anyone, or asking for a donation. Direct marketing typically occurs via post, telephone, SMS, email, fax and AVRs.

Employees

Anyone employed permanently or non-permanently. Employees are an important group of data subjects.

Encryption

The process of hiding information or making it secret. It involves transforming information (plaintext) using an algorithm (cipher) to make it unreadable to anyone except those with special knowledge or the code (a “key”). The result of the process is encrypted information (ciphertext). Decryption is the reverse process of encryption.

File-sharing

The sharing of information on a computer, mobile device or network. The files can include everything from music and movies, to business documents.

GDPR

The General Data Protection Regulation. The GDPR is a new data protection law enacted by the European Union that will apply to the whole of the EU, and to anyone marketing to EU citizens.

Information

Our information in any form, including physical and electronic. It includes:

  • the communication of our information in data messages or emails,
  • confidential, sensitive, personal, and special personal information, and
  • the information of our customers or clients.

Officer

A data protection officer (DPO) or an information officer (IO). The GDPR requires some controllers to have a DPO. All bodies in South Africa have an information officer, who is usually the chief executive officer or head of the organisation. Everyone has one by default. It is PAIA that determines who this person is. POPIA simply makes the same person responsible. The DPO and IO are similar but slightly different roles.

Opt-in

Agreement to receive direct marketing. Opt-out is a request to not receive direct marketing.

PAIA

The Promotion of Access to Information Act.

PECR

Privacy and Electronic Communications Regulation or ePrivacy Regulation. The PECR is the Privacy and Electronic Communications Directive.

POPIA

The Protection of Personal Information Act. Some call it POPI or the POPI Act but the Information Regulator has asked us to call it POPIA.

Processing

Basically, doing anything with personal information. It includes to create, collect, capture, record, store, transmit, display, disclose, analyse and dispose of. Processing is defined in POPIA.

Processor

A person or organisation who processes personal data on behalf of a controller in terms of a written contract or mandate. In some jurisdictions, this person is known as the operator.

Products or services

Some laws refer to goods rather than products. Products include all forms of products or goods, including digital goods.

Personal data

Data relating to an identifiable, living, natural person; in other words, any data that identifies a person. In South Africa, it also includes, where applicable, an identifiable, existing juristic person. It includes race, gender, sex, age, medical information, financial information, criminal or employment history, email address, physical address, telephone number, biometric information and more. In some countries, it is called personal information, but globally personal data is the more widely used term.

Prospect

A person who is not a customer of (or is not known by) a specific marketer. A person with whom a controller does not have a relationship.

Regulatory authority

A body created by the government to regulate a specific sector. Such bodies are also called data protection authorities, commissioners or regulators.

Sub-processor

A person or organisation who processes personal information on behalf of the controller’s processor.

Technology

Any information or communications technology (facilities, systems, networks, computers and applications) we (or you) use to process information and send communications.

Other glossaries

The European Data Protection Supervisor has provided a comprehensive data protection glossary relevant to the GDPR, and the University of Bath provides one for the Data Protection Act.