Privacy Basics

"Adequacy" determination

decision on whether or not a country provides adequate data protection to receive data from the EU freely without additional mechanisms

Notice

description of an organization's information management practices that educates consumers and provides corporate accountability

FIPPs (Fair Information Practice Principles)

guidelines/framework that represent widely accepted concepts concerning fair information practice in an electronic marketplace:
- Notice/Awareness
- Choice/Consent
- Access/Participation
- Integrity/Security
- Enforcement/Redress

Data Mapping

identifies personal data as it moves across various systems and thus how data is shared and organized, and its location

Binding Corporate Rules (BCRs)

internal corporate privacy policy governing data transfer mechanisms for data leaving the EU for large multinationals

Directive

lay down certain results/guidelines that must be achieved, but each Member State is free to decide how to implement directives into national laws

Model Contracts

legal clauses for the protection of data leaving the EU

Statutes

local, state, and federal laws

Case Law

court decisions that interpret the obligations under a law or regulation (ex. Torts)

Special Categories of Personal Information

- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union memberships
- Health or sex life
- Biometric or genetic data

Personal Information

any and all data that relates to an identified or identifiable individual (an identifiable person is one who can be identified directly or indirectly)

Cookie

A small text file stored on a client machine that may later be retrieved by a web server; allows web servers to keep track of the end user's browser activities and connect individual web requests into a session

Cookie Directive

Additions to the e-Privacy Directive where websites could allow users to opt out of cookies, such as by selecting a setting on their web browsers

APEC CBPRs

Asia-Pacific Economic Cooperation includes 21 economies (e.g., U.S., Canada, Mexico, Russia, all of Asia, and a few others); governs new data transfer mechanism for data transfers throughout Asia-Pacific

CPO

Chief Privacy Officer

CSA Enterprise Architecture

Cloud Security Alliance; helps cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices

DPA

Data Protection Authority

DPO

Data Protection Officer

Processing

any operation that is performed on personal data (ex. the collection, recording, organization, storage, retrieval, dissemination, destruction of personal data)

European Data Protection Board (EDPB)

EU body with power to determine disputes and give advice/guidance to approve EU-wide codes and certifications

GRC Software

Governance, Risk Management, Control; a risk management software that allows companies to integrate and manage operations that are subject to regulation

Regulation

binding legal force throughout every Member State

principles

Fundamental norms, rules, or values that represent what is desirable

GAPP

Generally Accepted Privacy Principles; a framework with 10 principles: management, notice, choice and consent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring and enforcement

HITRUST CSF

Health Information Trust Alliance; includes, harmonizes and cross-references existing, globally recognized standards, regulations and business requirements

ISO/IEC 27001:2013

International Organization for Standardization; a code of practice for information security with hundreds of potential controls and control mechanisms; intended to provide a guide for the development of a privacy program

Privacy Shield

Legal framework for EU to U.S. data transfers

Accountability

Obligation to demonstrate that all measures have been implemented in order to ensure compliance with the GDPR

HIPAA

U.S. law passed to create national standards for electronic healthcare transactions

Security

an organization's physical, technical and administrative safeguards

FTC

United States' primary consumer protection agency

General Data Protection Regulation (GDPR)

a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU, and address export of personal data outside the EU

EU (European Union)

a group of 28 countries that operates as a cohesive economic and political bloc

Controller

a person who determines why and how any personal data is processed

Data Protection Impact Assessments (DPIA)

a systematic effort to identify privacy risks, foresee problems and bring forward solutions as outlined in the GDPR

e-Privacy Directive

aka Directive on Privacy and Electronic Communications; all websites using tracking cookies must obtain user consent unless the cookie is "strictly necessary for the delivery of a service requested by the user"

Pre-PIA

alternative term for a threshold; a short assessment used to determine the need for a full PIA

NIST SP800-53

an agency within the Department of Commerce; responsible for the development and issuance of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure

Privacy Impact Assessment (PIA)

an analysis of:
- what information is being collected
- why it is being collected
- what the intended uses are
- whom it will be shared with
- what opportunities individuals will have to opt out
- how it will be secured
- etc.

Privacy by Design

an approach which takes privacy into account before implementing any new project/program

Processor

an individual or organization that processes data on behalf of the data controller; often third-party providers

Choice

an individual's ability to specify whether their personal information will be collected and/or how it will be used/disclosed

Access

an individual's ability to view/correct/update their personal information that is held by an organization

inherent risk

risk that an activity would pose if no controls or other mitigating factors were in place; gross risk

residual risk

risk that remains after controls are taken into account

Regulation

rules declared in accordance with a law by a regulatory agency

Recital

text that sets out reasons for the provisions of an act

EEA (European Economic Area)

the area in which there is free movement of persons, goods, services and capital within the European Single Market

Data subjects

the individual the data relates to

Safe Harbor

the predecessor to Privacy Shield that was invalidated in 2015 as a data transfer mechanism for EU to U.S. data transfers

Anonymization

the process of either encrypting or removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous

Encryption

the process of obscuring information in order to make the information unreadable without special knowledge

Enforcement

the punishment or consequences that provide "teeth" to a law or regulatory regime

Information Privacy

the right to have some control over how your personal information is collected and used

Data Breach

the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector

controls

things you do to mitigate risk

De-identification

to remove identifying characteristics from data; process used to prevent a person's identity from being connected with information in a data set

Threshold

tool used to determine whether a PIA should be conducted

Pseudonymization

when information is retained under a pseudonym, such as a unique numerical code for each person
