GDPR Terminology & Acronyms
A Quick Reference Guide
| Term / Acronym | Meaning |
| --- | --- |
| Adequate Country | A country outside of the EU (or EEA) whose data protection regulation is deemed at least equal to the GDPR |
| AI | Artificial Intelligence |
| Article 29 Working Party (WP 29) | An advisory body made up of a representative from the data protection authority of each EU Member State |
| B2B | Business to Business |
| B2C | Business to Consumer |
| BCP | Business Continuity Plan |
| BCR | Binding Corporate Rules - rules to allow multinational corporations to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law. |
| BS 10012:2017 | A British standard to enable organisations to put in place a personal information management system (PIMS) |
| CIPP | Certified Information Privacy Professional (CIPP/E - for Europe) |
| CISP | Cyber Security Information Sharing Partnership |
| COBIT | Control Objectives for Information and Related Technologies. A framework for the governance and management of enterprise IT created by ISACA |
| Consent | An indication of the data subject's wishes, which affirmatively and clearly indicates consensual acceptance by the Data Subject of the processing of their personal data |
| Data Processing | Obtaining, recording, or holding the information or data or carrying out any operation or set of operations on the information or data |
| Data Protection Act (1998) | Current law on Data Protection in the UK |
| Data Protection Bill | Proposed to repeal the Data Protection Act (1998) in the UK although not yet ratified through Parliament |
| Data Protection Directive 95/46/EC | EU directive on Data Protection that preceded GDPR |
| DC | Data Controller |
| Derogation | Modifications permitted by the GDPR for the member states |
| DFD | Data Flow Diagram |
| DP | Data Processor |
| DPIA | Data Protection Impact Assessment |
| DPO | Data Protection Officer |
| DS | Data Subject |
| EDPB | European Data Protection Board - will replace the Article 29 Working Party |
| EEA | European Economic Area. Defines the European Single Market and comprises members from the EU and the EFTA. |
| EFTA | European Free Trade Association. A free trade area consisting of four member states: Iceland, Liechtenstein, Norway and Switzerland. |
| EU | European Union. Political and economic union of 28 member states (prior to Brexit) |
| FOI | Freedom of Information |
| GCHQ | Government Communications Headquarters |
| GDPR | General Data Protection Regulation |
| IAPP | International Association of Privacy Professionals |
| ICO | Information Commissioner’s Office |
| IDS | Intrusion Detection System |
| IoT | The Internet of Things |
| IPS | Intrusion Protection System |
| IS | Information Systems. Systems that are designed to create, modify, store and distribute information |
| ISACA | Information Systems Audit and Control Association |
| ISO | International Organization for Standardization |
| ISO 14001 | An environmental management system (EMS) (included for information, not related directly to GDPR) |
| ISO 27001 | The international standard that describes best practice for an ISMS (information security management system) |
| ISO 31000 | A risk management system. |
| ISO 9001 | A quality management system (included for information, not related directly to GDPR) |
| IT | Information Technology. A subset of IS dealing with hardware, servers, operating systems and software etc. |
| ITIL | Information Technology Infrastructure Library. A set of detailed practices for IT service management that focuses on aligning IT services with the needs of the business |
| Lawful Processing | Conditions under which data must be processed |
| NCSC | National Cyber Security Centre (a part of GCHQ) |
| NIST | National Institute of Standards and Technology (US) |
| One Stop Shop | Only one Supervisory Authority is required when dealing across multiple EU states |
| PDA | Personal Data Audit |
| PECR | Privacy and Electronic Communications Regulations |
| Personal Data Breach | Data breach that results in the loss, destruction, alteration, unauthorised disclosure of, or access to, personal data |
| PIA | Privacy Impact Assessment |
| PII | Personally Identifiable Information |
| PIMS | Personal Information Management System |
| PRINCE2 | A structured project management method and practitioner certification programme. |
| Privacy by Design | Technological and organisational components, which apply privacy and data protection principles in systems and services |
| Privacy Shield | A mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States |
| Profiling | Any form of automated processing intended to evaluate certain personal aspects of an individual |
| Pseudonymisation | Replacing any potentially identifiable information, concerning an individual’s characteristics, with a pseudonym |
| RACI | Responsible, Accountable, Consulted, Informed. Forms a responsibility matrix |
| RCA | Root Cause Analysis |
| SA | Supervisory Authority |
| SAR | Subject Access Request |
| Sensitive Data | PII that is particularly sensitive to the person concerned |
| Third Country | A country outside of the EU (or EEA) which has not been deemed adequate |
If you have any further terms that should be added to this list, please email us
