With the passing of the General Data Protection Regulation (GDPR), many technical terms and acronyms have been born out of the creation of the new European law.
To help you gain a better understanding of the language associated with GDPR, we have created a short glossary below:
Data Protection Impact Assessment (DPIA) – An assessment that should focus on the types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Failure to conduct a DPIA could lead to penalties of up to 10 million or 2% of worldwide turnover – whichever is greater! Time is running out to get this completed, with companies expected to be compliant come May 2018.
Data Protection Officer (DPO) - Article 37 of GDPR created a statutory position called the Data Protection Officer (DPO), whose main responsibility is to ensure data security and GDPR compliance. All organizations that either control data or process data are required to have a DPO, especially in the following circumstances: where the processing is carried out by a public authority or body; where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
Pseudonymized Data – personal data processed in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Anonymized Data – data rendered anonymous in such a way that the data subject is not or no longer identifiable. The GDPR emphasizes that anonymized data must be stripped of any identifiable information, making it impossible to derive insights on a discrete individual, even by the party that is responsible for the anonymization. When done properly, anonymization places the processing and storage of personal data outside the scope of the GDPR.
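To make the difference between the two definitions above concrete, here is an added Python illustration (not part of the glossary or of eperi's material): constructed customer records are pseudonymized with a key that must be held separately, and, by contrast, anonymized by aggregation so that nothing can be re-linked. The record fields, the sample data and the helper names are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for fictional data subjects (not real people).
RECORDS = [
    {"email": "alice@example.com", "city": "Berlin", "age": 34},
    {"email": "bob@example.com", "city": "Berlin", "age": 38},
    {"email": "carol@example.com", "city": "Paris", "age": 29},
    {"email": "dave@example.com", "city": "Berlin", "age": 41},
]

def new_key():
    """The 'additional information' of the definition: a secret pseudonymization
    key. It must be stored separately from the pseudonymized output (e.g. in a
    key store with its own access controls), never alongside the data."""
    return secrets.token_bytes(32)

def pseudonymize(records, key):
    """Replace the direct identifier (email) with a keyed HMAC-SHA256 pseudonym.

    The pseudonym is stable for a given key, so records of one subject remain
    linkable; this is why pseudonymized data is still personal data in GDPR
    terms. Without the key, the pseudonym cannot be traced back to the email."""
    out = []
    for r in records:
        tag = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()
        out.append({"subject_id": tag, "city": r["city"], "age": r["age"]})
    return out

def reidentify(pseudonym, candidate_emails, key):
    """Re-linking a pseudonym is possible only for the party holding the key."""
    for email in candidate_emails:
        tag = hmac.new(key, email.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, pseudonym):
            return email
    return None

def anonymize(records, min_group=2):
    """Anonymization by aggregation: drop identifiers, generalize age to a
    decade and keep only group counts. Groups smaller than min_group are
    suppressed so no output row describes a single person; nothing here can
    be re-linked to a subject, with or without a key."""
    groups = Counter((r["city"], f"{r['age'] // 10 * 10}s") for r in records)
    return {k: n for k, n in groups.items() if n >= min_group}
```

A controller that keeps the key next to the pseudonymized table has not met the "kept separately" condition; the aggregated output, by contrast, falls outside the scope of the GDPR as described above.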
Data Minimization – While not a new concept in data management, the GDPR does re-emphasize the importance of applying the concept in practice. This means that controllers must limit personal data collection, storage, and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed. The idea is that companies should limit the data they collect and retain, and dispose of it once they no longer need it.
Data Breach Notification (DBN) – Notifying the data subject about a breach of their personal data. A DBN is not required, however, if appropriate protection measures were applied to the data affected by the personal data breach, in particular measures that render the data unintelligible to any person who is not authorized to access it, such as encryption. The data controller need not notify data subjects if the data is encrypted and thereby rendered unintelligible to any person accessing it, sparing the organization the DBN process and its costs.
If you would like to learn how your organization can become GDPR Data Protection compliant when using cloud services, tune in to the latest eperi webinar here.