We have compiled a global data protection glossary to help develop a common lexicon for data protection, one that is not specific to any one jurisdiction and that everyone anywhere in the world can use. It is important that we all use the same language: it makes communication much easier and avoids misunderstandings. We believe that these terms form the basis of the global conversation on data protection law. We use these terms in our data protection compliance programme.
Account
The vehicle by which a user, system or service accesses an IT system.
Anonymisation
The process of putting data into a form that doesn’t identify individuals.
Business continuity management
The ongoing management and governance process to:
- identify potential events and their impact on business processes, and
- maintain recovery plans to ensure continuity of services if these events occur.
Big data
Extremely large data sets that may be analysed computationally to reveal patterns, trends and associations, especially relating to human behaviour and interactions.
Classification
The rating given to information (or data) based on value, sensitivity, privacy, criticality, legal, regulatory, risk and business requirements.
Consumer
A person who consumes products or services from a supplier. A consumer is defined in terms of consumer protection law and can be different from what is considered a customer for the purposes of data protection law. Consumers typically include all natural persons and small to medium-sized entities.
Controller
The person or organisation that determines the purpose (why) and means (how) of processing personal data. In other jurisdictions, a data controller is also referred to as a responsible party.
Consent
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Customer
A customer of a specific controller who receives a service or product. Essentially, this is someone whose details a controller has obtained in the context of a product or a service.
Customer data
Any personal information that relates to a customer, such as their identity number, telephone number, address, account number and other information.
Data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, data. Breaches may be the result of accidental or deliberate causes.
Data Processing Agreement
A data processing agreement (or data processing addendum or DPA) is a legally binding document that describes an arrangement between two organisations where one instructs the other to perform information operations on their behalf.
Data subject
The person whose personal data or information is being processed. In South Africa (unlike the rest of the world), the term also extends to juristic persons such as trusts and companies.
Direct marketing
Promoting products or services directly or indirectly to anyone, or asking for a donation. Direct marketing typically occurs via post, telephone, SMS, email, fax and AVRs.
Employees
Anyone employed permanently or non-permanently. Employees are an important group of data subjects.
Encryption
The process of hiding information or making it secret. It involves transforming information (plaintext) using an algorithm (a cipher) so that it is unreadable to anyone except those who hold the secret value needed to reverse it (the "key"). The result of the process is encrypted information (ciphertext). Decryption is the reverse of encryption.
File-sharing
The sharing of information on a computer, mobile device or network. The files can include everything from music and movies, to business documents.
Gap analysis
The process of comparing your organisation against an identified regulatory requirement (such as POPIA or the GDPR) to find the gaps in compliance that you should correct.
GDPR
The General Data Protection Regulation. The GDPR is a new data protection law enacted by the European Union that applies to the whole of the EU, and to anyone marketing to EU citizens.
Information
Our information in any form, including physical and electronic. It includes:
- the communication of our information in data messages or emails,
- confidential, sensitive, personal, and special personal information, and
- the information of our customers or clients.
Officer
A data protection officer (DPO) or an information officer (IO). The GDPR requires some controllers to have a DPO. All bodies in South Africa have an information officer, who is usually the chief executive officer or head of the organisation; everyone has one by default. PAIA determines who this person is, and POPIA simply makes the same person responsible. The DPO and IO are similar but have slightly different roles.
Opt-in
Agreement to receive direct marketing. Opt-out is a request to not receive direct marketing.
PAIA
The Promotion of Access to Information Act.
PECR
Privacy and Electronic Communications Regulation or ePrivacy Regulation. The PECR is the Privacy and Electronic Communications Directive.
POPIA
The Protection of Personal Information Act. Some call it POPI or the POPI Act but the Information Regulator has asked us to call it POPIA.
Privacy policy
A legal document that discloses the ways in which one collects, uses, discloses or manages a customer's or client's data or information.
Processing
Broadly, doing anything with personal information. Processing is defined in POPIA.
Processor
A person or organisation that processes personal data on behalf of a controller in terms of a written contract or mandate. In some jurisdictions, this person is known as the operator.
Products or services
Some laws refer to goods rather than products. Products include all forms of products or goods, including digital goods.
Personal data
Data relating to an identifiable, living, natural person; any data that identifies a person. In South Africa, it also includes, where applicable, an identifiable, existing juristic person. It includes race, gender, sex, age, medical information, financial information, criminal or employment history, email address, physical address, telephone number, biometric information and more. In some countries it is called personal information, but globally personal data is the more widely used term.
Processing
Includes creating, collecting, capturing, recording, storing, transmitting, displaying, disclosing, analysing and disposing of personal information.
Prospect
A person who is not a customer of (or is not known by) a specific marketer. A person with whom a controller does not have a relationship.
Regulatory authority
A body created by the government to regulate a specific sector. Regulatory authorities are also called data protection authorities, commissioners or regulators.
Sub-processor
A person or organisation that processes personal information on behalf of the controller's processor.
Technology
Any information or communications technology (facilities, systems, networks, computers and applications) we (or you) use to process information and send communications.
Third party
A natural or legal person, public authority, agency or body, other than the data subject, controller or processor, that is allowed to process personal data.
Other glossaries
The European Data Protection Supervisor has provided a comprehensive data protection glossary relevant to the GDPR and the University of Bath provides us with one for the Data Protection Act.