| Term | Definition |
|---|---|
| Adequate Country | A country outside of the EU (or EEA) whose data protection regulation is deemed at least equal to the GDPR |
| AI | Artificial Intelligence |
| Article 29 Working Party (WP 29) | An advisory body made up of a representative from the data protection authority of each EU Member State |
| B2B | Business to Business |
| B2C | Business to Consumer |
| BCP | Business Continuity Plan |
| BCR | Binding Corporate Rules - rules to allow multinational corporations to make intra-organisational transfers of personal data across borders in compliance with EU Data Protection Law |
| BS 10012:2017 | A British standard to enable organisations to put in place a personal information management system (PIMS) |
| CIPP | Certified Information Privacy Professional (CIPP/E for Europe) |
| CISP | Cyber Security Information Sharing Partnership |
| COBIT | Control Objectives for Information and Related Technologies. A framework for the governance and management of enterprise IT created by ISACA |
| Consent | An indication of the data subject's wishes which affirmatively and clearly indicates the Data Subject's acceptance of the processing of their personal data |
| Data Processing | Obtaining, recording or holding information or data, or carrying out any operation or set of operations on the information or data |
| Data Protection Act (1998) | Current law on Data Protection in the UK |
| Data Protection Bill | A bill proposed to repeal the Data Protection Act (1998) in the UK, although not yet passed by Parliament |
| Data Protection Directive 95/46/EC | EU directive on Data Protection that preceded the GDPR |
| DC | Data Controller |
| Derogation | A modification to the GDPR that member states are permitted to make |
| DFD | Data Flow Diagram |
| DP | Data Processor |
| DPIA | Data Protection Impact Assessment |
| DPO | Data Protection Officer |
| DS | Data Subject |
| EDPB | European Data Protection Board. Will replace the Article 29 Working Party |
| EEA | European Economic Area. Defines the European Single Market and comprises members from the EU and the EFTA |
| EFTA | European Free Trade Association. A free trade area consisting of four member states: Iceland, Liechtenstein, Norway and Switzerland |
| EU | European Union. Political and economic union of 28 member states (prior to Brexit) |
| FOI | Freedom of Information |
| GCHQ | Government Communications Headquarters |
| GDPR | General Data Protection Regulation |
| IAPP | International Association of Privacy Professionals |
| ICO | Information Commissioner's Office |
| IDS | Intrusion Detection System |
| IoT | The Internet of Things |
| IPS | Intrusion Protection System |
| IS | Information Systems. Systems that are designed to create, modify, store and distribute information |
| ISACA | Information Systems Audit and Control Association |
| ISO | International Organization for Standardization |
| ISO 14001 | An environmental management system (EMS) standard (included for information, not related directly to the GDPR) |
| ISO 27001 | The international standard that describes best practice for an ISMS (information security management system) |
| ISO 31000 | A risk management standard |
| ISO 9001 | A quality management system standard (included for information, not related directly to the GDPR) |
| IT | Information Technology. A subset of IS dealing with hardware, servers, operating systems, software, etc. |
| ITIL | Information Technology Infrastructure Library. A set of detailed practices for IT service management that focuses on aligning IT services with the needs of the business |
| Lawful Processing | The conditions that must be met for personal data to be processed |
| NCSC | National Cyber Security Centre (a part of GCHQ) |
| NIST | National Institute of Standards and Technology (US) |
| One Stop Shop | Only one Supervisory Authority is required when operating across multiple EU member states |
| PDA | Personal Data Audit |
| PECR | Privacy and Electronic Communications Regulations |
| Personal Data Breach | A data breach that results in the loss, destruction, alteration, unauthorised disclosure of, or access to, personal data |
| PIA | Privacy Impact Assessment |
| PII | Personally Identifiable Information |
| PIMS | Personal Information Management System |
| PRINCE2 | A structured project management method and practitioner certification programme |
| Privacy by Design | Technological and organisational components that apply privacy and data protection principles in systems and services |
| Privacy Shield | A mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States |
| Profiling | Any form of automated processing intended to evaluate certain personal aspects of an individual |
| Pseudonymisation | Replacing any potentially identifiable information concerning an individual's characteristics with a pseudonym |
| RACI | Responsible, Accountable, Consulted, Informed. Forms a responsibility matrix |
| RCA | Root Cause Analysis |
| SA | Supervisory Authority |
| SAR | Subject Access Request |
| Sensitive Data | PII that is particularly sensitive to the person concerned |
| Third Country | A country outside of the EU (or EEA) which has not been deemed adequate |