Privacy Compliance Glossary

Every term you need to know, explained without jargon.

A plain-language reference for privacy and data protection terms that tech company founders, CTOs, and product teams encounter when dealing with GDPR, CCPA, and enterprise compliance requirements.

Key terms

Data Protection Officer (DPO): A person responsible for overseeing an organization's data protection compliance. Required under GDPR in certain circumstances. Can be internal or outsourced. Do I Need a DPO? | What Does a DPO Do?

GDPR (General Data Protection Regulation): The EU's comprehensive data protection law, in effect since May 2018. Applies to organizations with an EU establishment processing personal data, or to organizations outside the EU that offer goods/services to or monitor the behavior of individuals in the EU. GDPR vs CCPA

UK GDPR: The UK's version of GDPR, retained after Brexit. Nearly identical to EU GDPR but enforced by the ICO.

CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act): California's consumer privacy law. CPRA amended and expanded the original CCPA. GDPR vs CCPA

DPIA (Data Protection Impact Assessment): A formal assessment of the privacy risks of a processing activity. Required under GDPR where processing is likely to result in high risk, such as large-scale profiling, health data processing, or systematic monitoring.

RoPA (Records of Processing Activities): A documented record of all personal data processing activities. Required under GDPR Article 30, subject to limited exceptions.

DSAR (Data Subject Access Request): A request from an individual to access the personal data an organization holds about them (the right of access, GDPR Article 15). Organizations must respond without undue delay and within one month of receipt; this can be extended by up to two further months for complex or numerous requests, provided the individual is told of the extension, and the reasons for it, within the first month.

DPA (Data Processing Agreement): A contract between a data controller and a data processor setting out the terms of data processing. Required under GDPR. Enterprise Deal Privacy Readiness

SCCs (Standard Contractual Clauses): EU-approved contract clauses for transferring personal data outside the EU to countries without an adequacy decision. US to EU Compliance

TIA (Transfer Impact Assessment): An assessment of the risks of transferring personal data to a third country, often required alongside SCCs.

Supervisory Authority: The national data protection regulator (e.g., CNIL in France, ICO in UK, AP in Netherlands). Where a DPO is appointed, their contact details must be communicated to the relevant supervisory authority.

Data Controller: The entity that determines the purposes and means of processing personal data.

Data Processor: The entity that processes personal data on behalf of a controller.

Legal Basis: The lawful ground for processing personal data under GDPR. Six options: consent, contract, legitimate interest, legal obligation, vital interests, or public task.

Consent: One of six legal bases under GDPR. Must be freely given, specific, informed, and unambiguous. Required in some contexts (e.g., certain marketing, non-essential cookies).

Legitimate Interest: A legal basis under GDPR allowing processing where the organization (or a third party) has a legitimate interest, the processing is necessary for that interest, and the interest is not overridden by the individual's interests, rights, and freedoms. Requires a documented balancing test, often called a Legitimate Interests Assessment.

Privacy by Design: Building data protection into products and systems from the start, rather than adding it later. Required under GDPR Article 25.

Data Breach: A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data. Under GDPR it must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless it is unlikely to result in a risk to individuals; where the risk to individuals is high, they must also be notified without undue delay.

EU Representative: A designated representative in the EU for organizations based outside the EU that process EU personal data. Required under GDPR Article 27 in most cases, subject to limited exceptions. This is a separate function from a DPO. US to EU Compliance | EU Representative Service

ePrivacy Directive: EU directive covering electronic communications, including cookie consent requirements. Often called the "cookie law."

NIS2 (Network and Information Security Directive 2): EU directive on cybersecurity for essential and important entities. Broader scope than the original NIS Directive.

DORA (Digital Operational Resilience Act): EU regulation on digital operational resilience for the financial sector. Entered into application 17 January 2025. DPO for Fintech

EU AI Act: EU regulation on artificial intelligence, establishing a risk-based framework for AI systems. Entered into force August 2024 with obligations phased in through 2027. AI Compliance

HIPAA (Health Insurance Portability and Accountability Act): US law governing the privacy and security of health information. DPO for HealthTech

GLBA (Gramm-Leach-Bliley Act): US law requiring financial institutions to explain how they share and protect customer data. DPO for Fintech

LGPD (Lei Geral de Proteção de Dados): Brazil's general data protection law, modeled on GDPR. Global Privacy Compliance

PIPEDA (Personal Information Protection and Electronic Documents Act): Canada's federal privacy law for private sector organizations. Note: federal reform proposals (including the proposed CPPA under Bill C-27) did not complete the legislative process; PIPEDA remains the current federal law. Global Privacy Compliance

PDPA (Personal Data Protection Act): Thailand's data protection law. Note that Singapore's data protection law shares the same name and abbreviation, so check which jurisdiction is meant. Global Privacy Compliance

PIPL (Personal Information Protection Law): China's comprehensive data protection law. Global Privacy Compliance

DPDPA (Digital Personal Data Protection Act): India's data protection law, enacted in 2023. Global Privacy Compliance

SOC 2: An attestation framework from the AICPA under which an independent auditor reports on a service organization's controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). It produces an audit report rather than a certification. Not a privacy law, but often required alongside privacy compliance. Engage vs Vanta

ISO 27001: International standard for information security management systems. Engage vs DataGuard

ISO 27701: Extension to ISO 27001 specifically for privacy information management.

Professional Indemnity Insurance: Insurance that covers a service provider against claims arising from professional negligence or errors. Relevant for outsourced DPO services because it provides financial recourse if advice is incorrect.

This page is general information, not legal advice. Definitions are simplified for accessibility. Consult a qualified professional for specific legal questions.
