Privacy Basics
"Adequacy" determination
decision on whether or not a country provides adequate data protection to receive data from the EU freely without additional mechanisms
Notice
description of an organization's information management practices that educates consumers and provides corporate accountability
FIPPs (Fair Information Practice Principles)
guidelines/framework that represent widely accepted concepts concerning fair information practice in an electronic marketplace: Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security, Enforcement/Redress
Data Mapping
identifies personal data as it moves across various systems, showing how the data is shared and organized and where it is located
Binding Corporate Rules (BCRs)
internal corporate privacy policy used by large multinationals as a transfer mechanism for data leaving the EU
Directive
lays down certain results/guidelines that must be achieved, but each Member State is free to decide how to implement the directive in its national law
Model Contracts
legal clauses for the protection of data leaving the EU
Statutes
local, state, and federal laws
Case Law
court decisions that interpret the obligations under a law or regulation (ex. Torts)
Special Categories of Personal Information
racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life, biometric or genetic data
Personal Information
any and all data that relates to an identified or identifiable individual (an identifiable person is one who can be identified directly or indirectly)
Cookie
A small text file stored on a client machine that may later be retrieved by a web server; allows web servers to keep track of the end user's browser activities and connect individual web requests into a session
Cookie Directive
Additions to the e-Privacy Directive under which websites could allow users to opt out of cookies, such as by selecting a setting in their web browsers
APEC CBPRs
Asia-Pacific Economic Cooperation, which includes 21 economies (e.g., U.S., Canada, Mexico, Russia, all of Asia, and a few others); governs a new data transfer mechanism for data transfers throughout the Asia-Pacific region
CPO
Chief Privacy Officer
CSA Enterprise Architecture
Cloud Security Alliance; helps cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices
DPA
Data Protection Authority
DPO
Data Protection Officer
Processing
any operation that is performed on personal data (ex. the collection, recording, organization, storage, retrieval, dissemination, destruction of personal data)
European Data Protection Board (EDPB)
EU body with power to determine disputes, give advice/guidance, and approve EU-wide codes and certifications
GRC Software
Governance, Risk Management, Control; risk management software that allows companies to integrate and manage operations that are subject to regulation
Regulation
binding legal force throughout every Member State
principles
Fundamental norms, rules, or values that represent what is desirable
GAPP
Generally Accepted Privacy Principles; a framework with 10 principles: management, notice, choice and consent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement
HITRUST CSF
Health Information Trust Alliance; includes, harmonizes and cross-references existing, globally recognized standards, regulations and business requirements
ISO/IEC 27001:2013
International Organization for Standardization; a code of practice for information security with hundreds of potential controls and control mechanisms; intended to provide a guide for the development of a privacy program
Privacy Shield
Legal framework for EU to U.S. data transfers
Accountability
Obligation to demonstrate that all measures have been implemented in order to ensure compliance with the GDPR
HIPAA
U.S. law passed to create national standards for electronic healthcare transactions
Security
an organization's physical, technical and administrative safeguards
FTC
United States' primary consumer protection agency
General Data Protection Regulation (GDPR)
a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU, and address export of personal data outside the EU
EU (European Union)
a group of 28 countries that operates as a cohesive economic and political bloc
Controller
a person who determines why and how personal data is processed
Data Protection Impact Assessments (DPIA)
a systematic effort to identify privacy risks, foresee problems and bring forward solutions, as outlined in the GDPR
e-Privacy Directive
aka Directive on Privacy and Electronic Communications; requires that all websites using tracking cookies obtain user consent unless the cookie is "strictly necessary for the delivery of a service requested by the user"
Pre-PIA
alternative term for a threshold; a short assessment used to determine the need for a full PIA
NIST SP800-53
from NIST, an agency within the Department of Commerce responsible for the development and issuance of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure
Privacy Impact Assessment (PIA)
an analysis of what information is being collected, why it is being collected, what the intended uses are, whom it will be shared with, what opportunities individuals will have to opt out, how it will be secured, etc.
Privacy by Design
an approach which takes privacy into account before implementing any new project/program
Processor
an individual or organization that processes data on behalf of the data controller; often third-party providers
Choice
an individual's ability to specify whether their personal information will be collected and/or how it will be used/disclosed
Access
an individual's ability to view/correct/update their personal information that's held by an organization
inherent risk
risk that an activity would pose if no controls or other mitigating factors were in place; gross risk
residual risk
risk that remains after controls are taken into account
Regulation
rules declared in accordance with a law by a regulatory agency
Recital
text that sets out reasons for the provisions of an act
EEA (European Economic Area)
the area in which there is free movement of persons, goods, services and capital within the European Single Market
Data subjects
the individual the data relates to
Safe Harbor
the predecessor to Privacy Shield that was invalidated in 2015 as a data transfer mechanism for EU to U.S. data transfers
Anonymization
the process of either encrypting or removing personally identifiable information from data sets, so that the people the data describes remain anonymous
Encryption
the process of obscuring information in order to make the information unreadable without special knowledge
Enforcement
the punishment or consequences that provide "teeth" to a law or regulatory regime
Information Privacy
the right to have some control over how your personal information is collected and used
Data Breach
the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector
controls
things you do to mitigate risk
De-identification
to remove identifying characteristics from data; process used to prevent a person's identity from being connected with information in a data set
Threshold
tool used to determine whether a PIA should be conducted
Pseudonymization
when info is retained under a pseudonym, such as a unique numerical code for each person