Key terms

Data Protection Officer (DPO)

A person responsible for overseeing an organization’s data protection compliance. Mandatory under GDPR Article 37 for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category or criminal-offence data; optional otherwise. Can be an employee or an external provider engaged under a service contract.

GDPR (General Data Protection Regulation)

The EU’s comprehensive data protection law, in effect since May 2018. Applies to organizations with an EU establishment processing personal data, or to organizations outside the EU that offer goods/services to or monitor the behavior of individuals in the EU.

UK GDPR

The UK’s version of GDPR, retained in domestic law after Brexit. Nearly identical to EU GDPR, read alongside the Data Protection Act 2018 and enforced by the ICO.

CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California’s consumer privacy law. CPRA amended and expanded the original CCPA.

DPIA (Data Protection Impact Assessment)

A formal assessment of the privacy risks of a processing activity. Required under GDPR Article 35 where processing is likely to result in a high risk to individuals, such as large-scale profiling, large-scale processing of health or other special-category data, or systematic monitoring of public areas. If the residual risk remains high after mitigation, the controller must consult the supervisory authority before starting the processing (Article 36).

RoPA (Records of Processing Activities)

A documented record of all personal data processing activities. Required under GDPR Article 30, subject to limited exceptions.

DSAR (Data Subject Access Request)

A request from an individual for a copy of the personal data an organization holds about them, plus information such as the purposes of processing and the recipients (GDPR Article 15). Organizations must respond without undue delay and within one month under GDPR; this can be extended by up to two further months where requests are complex or numerous, provided the individual is told of the extension and the reason within the first month.

DPA (Data Processing Agreement)

A contract between a data controller and a data processor setting out the terms of data processing. Required under GDPR Article 28, and not GDPR-only: US state laws (CCPA and others) require processor or service-provider contracts, and HIPAA requires Business Associate Agreements.

SCCs (Standard Contractual Clauses)

European Commission-approved contract clauses (current set adopted in 2021, in several modules covering controller and processor combinations) for transferring personal data outside the EU to countries without an adequacy decision. For transfers out of the UK, the ICO’s International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs is used instead.

Supervisory Authority

The national data protection regulator (e.g., CNIL in France, ICO in UK, AP in Netherlands). Where a DPO is appointed, their contact details must be communicated to the relevant supervisory authority.

Data Controller

The entity that determines the purposes and means of processing personal data.

Data Processor

The entity that processes personal data on behalf of a controller.

Legal Basis (Lawful Basis)

The lawful ground for processing personal data under GDPR Article 6. Six options: consent, contract, legitimate interest, legal obligation, vital interests, or public task. One must be identified before processing starts and stated in the privacy notice; special-category data additionally needs an Article 9 condition.

Consent

One of six legal bases under GDPR. Must be freely given, specific, informed, and unambiguous, given by a clear affirmative act, and as easy to withdraw as to give. Required in some contexts (e.g., certain direct marketing, non-essential cookies under the ePrivacy rules). Pre-ticked boxes and consent bundled with a service do not qualify.

Legitimate Interest

A legal basis under GDPR (Article 6(1)(f)) allowing processing that is necessary for the legitimate interests of the organization or a third party, unless those interests are overridden by the individual’s interests, rights and freedoms. Requires a documented balancing test, commonly called a Legitimate Interests Assessment (LIA). Not available to public authorities for processing carried out in the performance of their tasks.

Privacy by Design

Building data protection into products and systems from the start, rather than adding it later. Required under GDPR Article 25 as “data protection by design and by default”, which also obliges controllers to default to processing only the personal data necessary for each purpose (e.g., privacy-protective default settings, minimal retention).

Data Breach

A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Under GDPR Article 33 the controller must notify the supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals; a later notification must explain the delay. Where the breach is likely to result in a high risk, affected individuals must also be informed without undue delay (Article 34). Processors must notify their controller without undue delay, and every breach must be logged internally whether or not it is reportable.

EU Representative

A designated representative in the EU for organizations based outside the EU that process EU personal data. Required under GDPR Article 27 in most cases, subject to limited exceptions. This is a separate function from a DPO.

ePrivacy Directive

EU directive covering electronic communications, including cookie consent requirements. Often called the “cookie law.”

NIS2 (Network and Information Security Directive 2)

EU directive (2022/2555) on cybersecurity risk management and incident reporting for essential and important entities in sectors such as energy, transport, health, digital infrastructure and public administration. Broader scope than the original NIS Directive, with management-level accountability and a staged incident-reporting regime (early warning within 24 hours of awareness, fuller notification within 72 hours). Member states were required to transpose it into national law by 17 October 2024.

DORA (Digital Operational Resilience Act)

EU regulation on digital operational resilience for the financial sector. Entered into application 17 January 2025.

EU AI Act

EU regulation on artificial intelligence, establishing a risk-based framework for AI systems. Entered into force August 2024 with obligations phased in through 2027.

HIPAA (Health Insurance Portability and Accountability Act)

US law governing the privacy and security of protected health information (PHI) held by covered entities (health plans, providers, clearinghouses) and their business associates. Its Privacy, Security and Breach Notification Rules are enforced by the HHS Office for Civil Rights.

GLBA (Gramm-Leach-Bliley Act)

US law requiring financial institutions to explain how they share and protect customer data (the Privacy Rule) and to maintain a written information security program with designated oversight, risk assessment and safeguards (the Safeguards Rule).

LGPD (Lei Geral de Proteção de Dados)

Brazil’s general data protection law, modeled on GDPR and enforced by the ANPD.

PIPEDA (Personal Information Protection and Electronic Documents Act)

Canada’s federal privacy law for private sector organizations. Note: federal reform proposals (including the proposed CPPA under Bill C-27) did not complete the legislative process; PIPEDA remains the current federal law.

PDPA (Personal Data Protection Act)

Thailand’s data protection law. Note that the same acronym is also used for Singapore’s and Malaysia’s Personal Data Protection Acts, so check which jurisdiction is meant.

PIPL (Personal Information Protection Law)

China’s comprehensive data protection law.

DPDPA (Digital Personal Data Protection Act)

India’s data protection law, enacted in 2023.

SOC 2

An AICPA attestation framework (an auditor’s report, not a certification) on a service organization’s controls against the Trust Services Criteria: security, plus optionally availability, processing integrity, confidentiality and privacy. A Type 1 report covers control design at a point in time; a Type 2 report covers operating effectiveness over a period. Not a privacy law, but often required alongside privacy compliance.

ISO 27001

International standard for information security management systems.

ISO 27701

Extension to ISO 27001 specifically for privacy information management.

TIA (Transfer Impact Assessment)

A documented risk assessment of whether the laws and practices of the destination country (in particular government access to data) undermine the protection of personal data transferred from the EU/UK to a country without an adequacy decision, and whether supplementary measures such as encryption with keys held only in the EU are needed. Stems from the 2020 Schrems II judgment; the 2021 EU SCCs require the parties to carry out and document it, so a TIA normally accompanies SCCs. The UK equivalent is the Transfer Risk Assessment (TRA).

Adequacy Decision

A European Commission decision that a non-EU country (or sector within it) provides essentially equivalent data protection, allowing transfers there without additional safeguards such as SCCs. Examples: UK, Switzerland, Japan, South Korea, and US organizations certified under the Data Privacy Framework. Decisions are reviewed periodically and can be withdrawn or invalidated by the courts.

DPF (Data Privacy Framework)

The EU-US Data Privacy Framework, adopted in July 2023 as successor to Privacy Shield. Provides adequacy only for transfers to US organizations that self-certify with the US Department of Commerce and appear on the DPF list; transfers to other US recipients still need SCCs or another transfer mechanism.

Schrems II

The 2020 Court of Justice of the EU decision invalidating EU-US Privacy Shield. Established stricter requirements for international data transfers under SCCs.

Joint Controller

Two or more controllers who jointly determine the purposes and means of processing. GDPR Article 26 requires them to set out in a transparent arrangement who is responsible for which obligations (notably transparency and handling data subject rights), and to make the essence of that arrangement available to data subjects. Individuals may exercise their rights against any of the joint controllers.

Professional Indemnity Insurance

Insurance that covers a service provider against claims arising from professional negligence or errors. Relevant for outsourced DPO services because it provides financial recourse if advice is incorrect.

DPaaS (DPO as a Service)

See External DPO. Acronym form of the same service offering: a qualified Data Protection Officer provided by an external firm on a retainer basis, which GDPR Article 37(6) permits by way of a service contract.

DPO externe

The French term for External DPO, and the usual name for the service in France. The DPO is designated under GDPR Article 37 and the French Data Protection Act (Loi Informatique et Libertés), and the designation and contact details are notified to the CNIL.

External DPO

A qualified Data Protection Officer provided by an external firm on a retainer basis, rather than a full-time employee. GDPR Article 37(6) permits the DPO to act under a service contract; the DPO’s contact details must be published and communicated to the supervisory authority under Article 37(7). An external DPO carries the same independence and reporting-line requirements (Article 38) as an internal one. The dominant term in UK and EU markets. Also called outsourced DPO, fractional DPO, or DPaaS.

Externer Datenschutzbeauftragter

The German term for External DPO and the dominant term for this service in Germany. Equivalent service offering under GDPR Article 37(6) and the German Bundesdatenschutzgesetz (BDSG). Note that §38 BDSG requires a DPO in more cases than GDPR alone, typically where at least 20 persons are regularly engaged in automated processing of personal data. Functions identically to External DPO, Outsourced DPO, Fractional DPO, and DPaaS.

Fractional DPO

See External DPO. The same service is referred to as Fractional DPO in US startup parlance, External DPO in UK and EU markets, and Outsourced DPO in international contexts. Legal standing identical under GDPR Article 37(6).

Outsourced DPO

See External DPO. The same service is referred to as Outsourced DPO in international and US-EU contexts, External DPO in UK and EU markets, and Fractional DPO in US startup parlance. Legal standing and responsibilities identical under GDPR Article 37(6).


This page is general information, not legal advice. Definitions are simplified for accessibility. Consult a qualified professional for specific legal questions.