Privacy Terms Glossary

Only the data that is absolutely necessary for a given purpose should be collected and processed.

Personal data should only be retained for as long as is necessary to fulfill the intended purpose or any regulatory/legal obligations and not any longer.

Data must be processed lawfully, based on legal grounds such as consent, contract, legitimate interest or legal obligation.

Security measures must be in place to protect personal data against unauthorized access or loss.

Personal data must be collected for specific, explicit, and legitimate purposes and not used in ways incompatible with those purposes.

Individuals should be clearly informed about how their data is being used, typically through privacy notices or just in time notifications.

Limits who can view or interact with data based on roles, rules, or identities. Example: Only HR personnel can view employee salary data.

A framework for ensuring the ethical and responsible development and use of artificial intelligence, emphasizing transparency, accountability, fairness, and compliance with privacy laws.

The process in which personally identifiable data is altered in such a way that it can no longer be related back to a given individual under any circumstances. This high standard is extremely difficult to achieve, therefore data de-identification is a more accurate term for most use cases. Example: Removing all names, IDs, and unique responses from a dataset used for research.

A secure log that records all access and changes to sensitive data for accountability.

A freely given, specific, and informed agreement by a data subject to allow the processing of their personal data. Example: A data subject checks a box agreeing to receive email newsletters.

Unauthorized access, use, disclosure, or loss of any type of personal data. Example: Credit card and social security numbers being exposed to the public.

The entity that determines the purposes and means of processing personal data. Example: A university deciding how student records are collected and used.

Any operation which is performed on or using personal data. Example: Collecting, recording, storing, using, deleting data.

A third party that processes data on behalf of a data controller. Example: A cloud service provider hosting student data for the university.

Policies governing how long personal data is stored before it is deleted or anonymized. Example: Data subject data being removed from all systems after 3 years of inactivity.

An individual whose personal data is being collected or processed. Example: A university student filling out a financial aid application.

Data that has undergone a data de-identification method in order to remove or hide all direct and indirect identifiers. Example: Omitting specific information that would help identify an individual.

The process of converting data into a coded form to prevent unauthorized access. This is a form of de-identification.

A European Union (EU) law that provides guidelines for collecting and processing personal information about individuals in the EU. It has also become widely accepted by other countries to be "the gold standard" for privacy regulations.

Any information relating to an identified or identifiable natural person. Example: Name, phone number, email, survey responses.

Embedding privacy principles into systems and processes from the start. Example: When creating a shopping platform, minimizing the amount of information collected from customers to only what is specifically needed to place an order online.

A tool for identifying and mitigating privacy risks in projects or systems.

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Example: A random number generator creates a number known as a pseudonym, which is then assigned to an individual in place of their name.

Specific personal data requiring extra protection due to its sensitive nature. Example: Health records, race/ethnicity, sexual orientation.

Potential privacy or security risks from external vendors or partners handling data.