Privacy glossary on personal data & compliance

Are you unsure about the concepts of GDPR? Learn more with this GDPR dictionary, which includes the most common GDPR terms.


Access control

The process of identifying and analyzing who has access permissions to sensitive data and PII data and taking steps to manage permissions to that data to reduce the risk of exposure.



Anonymization

The process of removing personal identifiers that may lead to an individual being identified. Once data is truly anonymized and individuals are no longer identifiable, the data will not fall within the scope of the GDPR.


Biometric and genetic data

A special category of personal data related to someone’s physical, physiological or behavioural characteristics that lets you identify or confirm the identity of that person. This includes facial/iris recognition, fingerprints, blood/DNA tests, etc.


BIN number

Refers to a set of four to six numbers that appear on a payment card and identify the institution issuing the card.



CCPA

CCPA stands for the California Consumer Privacy Act and is a statewide data protection law in California that governs how companies around the world are allowed to handle the personal information (PI) of California residents.


CCPA information

Information defined as PI and protected under the California Consumer Privacy Act.


Classification of data

The process of organizing data into relevant categories so that it can be used and protected more effectively.



Cookies

Cookies are short text files placed on people’s devices by a website. Cookies can make people’s browsing experience more personalized by remembering their history and user profile without the need to log in. Cookies can also be placed by third parties on devices for advertising purposes and used to track how people browse and behave on different websites. The GDPR requires websites to obtain prior and explicit consent before activating cookies.



Compliance

Compliance is the state of being in accordance with or following established guidelines or specifications. When we use the term compliance on this website, we are usually talking about how companies follow the guidelines of the GDPR and other privacy laws.



Consent

According to the GDPR and other privacy laws, people should freely give their explicit permission before someone can collect their personal data. This is called consent. Companies should obtain and document consent before collecting personal data.


Danish Data Protection Act

The Danish Data Protection Act supplements the EU’s GDPR by filling in sections of the regulation that are left to individual member states to interpret.


Data Breach

Accidental or unlawful destruction, loss, alteration, or disclosure of personal data.


Data Controller

A Data Controller is a person, company, or another legal entity responsible for the data held by it, including the personal data of employees, prospects/leads, customers or suppliers, and others.


Data cleanup

The act of securing sensitive data identified during the data discovery process by encrypting, hiding (masking), quarantining, or deleting obsolete data.


Data Inventory/Data Mapping

A data inventory identifies personal data across all your systems to map how the data is stored and shared.


Data intelligence

Refers to all the analytical tools, methods and processes companies use to form a better understanding of the information they collect.


Data privacy strategy

When we use the terms data strategy or privacy strategy, we are talking about your company’s plan to protect people’s data and privacy.


Data processing

Data processing includes anything your company does with personal data: collecting, storing, editing, using, sharing, transferring, restricting access, deleting, etc.


Data Processor

A Data Processor is a person, company, or any other third party that processes personal data on the data controller’s behalf.


Data Protection Agency

A Data Protection Agency (DPA) acts as an independent, public authority that oversees the application of the relevant data protection laws through investigative and corrective powers. A DPA typically provides expert advice on data protection issues and handles complaints about breaches of, e.g., the General Data Protection Regulation or other relevant national data legislation. Each EU member state has a data protection authority.


Data Protection Officer (DPO)

A Data Protection Officer (DPO) is responsible for overseeing a company’s data protection strategy and enforcing compliance requirements for personal data regulations.


Data Subject

Any living individual whose personal data is collected, stored or processed by someone else.



Data Processing Agreement

A Data Processing Agreement is an agreement between a data controller (e.g. a company) and a data processor (e.g. a third-party service provider). The agreement stipulates all processing of sensitive data that is used for commercial purposes.



Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is performed by a company to identify risks related to the processing of personal data and minimize these risks as much as possible.



Data subject access request (DSAR)

A data subject access request (DSAR) is a request by a user (data subject) to an organization (Data Controller) that has collected their data, asking for details of how the data is being collected, used and stored, and whether it is being shared with third parties.



GDPR

The General Data Protection Regulation is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Any company that has a website that may attract European visitors should follow GDPR guidelines, even if they are not based in the EU and do not specifically market goods or services to EU residents.



HIPAA

HIPAA stands for The Health Insurance Portability and Accountability Act and is a US congressional law. HIPAA deals with health information and stipulates how personally identifiable information must be protected from fraud and theft.


Joint controller

When two controllers both determine the purposes and means of the processing of personal data, and both are jointly responsible for GDPR compliance.


Natural Person

Privacy regulations use this term to describe a person who can be identified directly or indirectly by, e.g., a name, an identification number, location data, an online identifier or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.


Novel technology

In the context of data privacy risks, this usually refers to new and emerging technologies that have not been sufficiently studied for the world at large to agree on their impact on privacy and data security.


Norway’s Personal Data Act

The Personal Data Act incorporates the European Data Protection Regulation (GDPR) into Norwegian law. The Act also contains national special rules in certain areas where the GDPR allows it.


Personal data

Personal data is any information that relates to an identified or identifiable living individual. This is a broad category that starts with a person’s name and includes all their information (including their sensitive and confidential information). The terms “personal data” and “personally identifiable information” are sometimes used interchangeably.


Personal Identifiable Information (PII)

Personal Identifiable Information (PII) is defined as any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred.



PDPA

A data protection law in Singapore that was created to better protect the personal data of individuals in Singapore.



PI

An abbreviation for personal information, also known as personally identifiable information (PII). This is all data that can potentially be used to identify a specific person.


PI information

Refers to a wide range of personal information about a given individual, collected through a variety of structured and unstructured data stores.



PII

Short for personally identifiable information, this is any data that can potentially be used to identify a specific individual.



PIPL

PIPL stands for The China Personal Information Protection Law and is China’s law on the protection of personal information (PI), which is aimed at all the organizations and individuals that process personal data of Chinese citizens.



PIPEDA

Also known as the Personal Information Protection and Electronic Documents Act, this is Canada’s main federal law regarding privacy in the private sector.



Profiling

Automated processing that makes predictions and decisions about an individual based on data collected about them. Profiling may be based on a person’s work performance, economic situation, health history, personal preferences, interests, behaviour, location, movements and more.


Privacy by design and privacy by default

The result of planning for privacy and data protection and building it into all of our processes right from the start when people’s personal data is involved, especially when implementing new projects or new tools that could put privacy or data security at a high risk of breach.



Pseudonymization

Processing and separating personal data so that it can no longer be attributed to a specific data subject without the use of additional information.


Registration of personal data

A way to identify personal data information across files, work locations and servers, databases, emails, on-premise and cloud.


Right of access

People have the right to ask for a copy of their personal data.


Right to data portability

People have the right to ask your company to have their personal data returned to them in an electronic format or forwarded to another company. This makes it easier for people to change service providers.


Right of insight

People have the right to ask for information about their data: how you use it, how you protect it, whether it is shared, etc.


Right to be forgotten

People have the right to have their personal data erased on request.


Right of objection

People have the right to object to how their data is processed.


Right to opt out

A person’s right to object specifically to the sale of their data, under the California Consumer Privacy Act (CCPA).


Right of rectification

People have the right to ask for their data to be corrected if it is inaccurate.


Right of restriction

People have a right to limit the way companies process their data.


Sensitive data

Sensitive data or sensitive information refers to information that is of a sensitive nature because it can have a particularly negative impact on an individual or an organization if it is compromised or misused. Overall, it can be said that there are three types of sensitive information: 1. PII/personally identifiable data (e.g. name, date of birth or social security number), 2. Sensitive personal data (e.g. trade union, health information or sexual orientation) and 3. Business-critical documents (e.g. contract, budget or IP document).


Sensitive personal data

Sensitive personal data is a specific category of personal data that should be treated with special care because its disclosure could cause harm. This includes a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.


Software for complying with rules for personal data

Tools used to identify sensitive data and ensure it is handled securely.


Special data categories/sensitive data

Data concerning the racial or ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, or data concerning health, sex life or sexual orientation of an individual.


Supervisory authority/Data protection authority

An independent, local public authority that enforces the GDPR or another privacy law in a region.


The European Economic Area (EEA)

The European Economic Area (EEA) is a market extension of the European Union (EU). Part of EU law still applies within the EEA.


Transfer impact assessment (TIA)

A Transfer Impact Assessment (TIA) is a type of risk assessment that should be performed by a company to determine if the mechanism that they intend to use to transfer personal data outside the European Economic Area provides an adequate level of protection.