GDPR Jargon Buster Top Ten
1. The Information Commissioner's Office (ICO) is an independent authority in the UK that promotes openness of official information and protection of private information. According to its Web site, the ICO does this "by promoting good practice, ruling on eligible complaints, providing information to individuals and organisations, and taking appropriate action when the law is broken."
The ICO oversees:
· The Data Protection Act.
· The Freedom of Information Act.
· The Environmental Information Regulations.
· The Privacy and Electronic Communications Regulations.
Margaret Rouse, WhatIs.com
2. EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data. Directive 95/46/EC encompasses all key elements from Article 8 of the European Convention on Human Rights, which states its intention to respect the right to privacy in personal and family life, as well as in the home and in personal correspondence. The Directive is based on the 1980 OECD "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data."
These recommendations are founded on seven principles, since enshrined in EU Directive 95/46/EC:
· Notice: subjects whose data is being collected should be given notice of such collection.
· Purpose: data collected should be used only for stated purpose(s) and for no other purposes.
· Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).
· Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
· Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
· Access: subjects should be granted access to their personal data and allowed to correct any inaccuracies.
· Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.
In the context of the Directive, personal data means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (Article 2a). Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link. Examples of such data include address, bank statements, credit card numbers, and so forth. Processing is also broadly defined and involves any manual or automatic operation on personal data, including its collection, recording, organization, storage, modification, retrieval, use, transmission, dissemination or publication, and even blocking, erasure or destruction (paraphrased from Article 2b).
These data protection rules apply not only when the responsible party (called the controller in this EU directive) is established or operates within the EU, but whenever the controller uses equipment located inside the EU to process personal data. Thus, controllers from outside the EU who process personal data inside the EU must nevertheless comply with this directive. EU member states set up supervisory authorities whose job is to monitor data protection levels in that state, to advise the government about related rules and regulations, and to initiate legal proceedings when data protection regulations are broken. All controllers must notify their supervisory authority before commencing any processing of personal information, and the Directive prescribes in detail what such a notification must contain: the name and address of the controller or representative, the purpose(s) of the processing, descriptions of the categories of data subjects and the data or categories of data to be collected, the recipients to whom such data might be disclosed, any proposed transfers of data to third countries, and a general description of the protective measures taken to ensure the safety and security of processing and related data.
Margaret Rouse, WhatIs.com
3. EU-US Privacy Shield is a framework for adherence to E.U. data protection laws for companies that deal with the private data of European Union citizens that is transferred to the United States. Privacy Shield replaces Safe Harbor within the U.S.
The legal privacy framework provides assistance with privacy policies for companies in either country handling private data of E.U. citizens. It also
US companies dealing with data from EU individuals must apply to the U.S. Department of Commerce for self-certification. Members of the EU-US Privacy Shield framework are required to state their adherence to the Privacy Shield Principles, making the commitment enforceable under law.
The members submitting to the framework must provide an independent system for complaint and dispute resolution and present links to Data Protection Authorities (DPA) and the U.S. Department of Commerce and include these complaint processes in their online privacy statements. The Privacy Shield framework includes mandated time frames for responses to individual and E.U. Data Protection Authority complaints.
Margaret Rouse, WhatIs.com
4. Privacy and Electronic Communications Regulations (PECR) is an implementation of the European Union (EU) e-Privacy Directive in the United Kingdom.
PECR regulations restrict the processing and sharing of personal traffic data and location data and provide for access to users' personal data in the interest of national security. The information commissioner has the power to audit the measures taken by a provider of public electronic communications services to comply with personal data breach notification and recording requirements.
The main changes for the 2012 revision relate to new rules for websites using cookies, or similar technologies, as well as new powers that allow the information commissioner to fine organizations up to £500,000 for serious breaches of the regulations. The PECR cookie rules now demand website owners get consent from visitors before using cookies. This is in addition to the existing requirement for websites to provide information about their cookie usage. The cookie rules apply to any means of storing information or gaining access to information stored on a user's device, except where the storage or access is vital for a service requested by the user. The latest PECR rules also require communications providers to set up procedures for responding to requests for access to users' personal data for national security and law enforcement purposes.
Margaret Rouse, WhatIs.com
5. A privacy impact assessment (PIA) is a tool for identifying and assessing privacy risks throughout the development life cycle of a program or system.
A privacy impact assessment states what personally identifiable information (PII) is collected and explains how that information is maintained, how it will be protected and how it will be shared.
A PIA should identify:
· Whether the information being collected complies with privacy-related legal and regulatory compliance requirements.
· The risks and effects of collecting, maintaining and disseminating PII.
· Protections and processes for handling information to alleviate any potential privacy risks.
· Options and methods for individuals to provide consent for the collection of their PII.
Under the E-Government Act of 2002, federal agencies are required to conduct privacy impact assessments for government programs and systems that collect personal information online. Federal agency CIOs, or an equivalent official as determined by the head of the agency, are responsible for ensuring that the privacy impact assessments are conducted and reviewed for applicable IT systems. The Act also mandates a privacy impact assessment be conducted when an IT system is substantially revised. Federal agencies such as the U.S. Department of Homeland Security and the Department of Health and Human Services offer guidance for writing PIAs, such as providing blank privacy impact assessment templates to assist and facilitate their development.
Margaret Rouse, WhatIs.com
6. A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
The most common concept of a data breach is an attacker hacking into a corporate network to steal sensitive data. However, not all data breaches are so dramatic. If an unauthorized hospital employee views a patient's health information on a computer screen over the shoulder of an authorized employee, that also constitutes a data breach.
A number of industry guidelines and government compliance regulations mandate strict governance of sensitive or personal data to avoid data breaches. Within a corporate environment, for example, the Payment Card Industry Data Security Standard (PCI DSS) dictates who may handle and use sensitive PII such as credit card numbers, PINs and bank account numbers in conjunction with names and addresses. Within a healthcare environment, the Health Insurance Portability and Accountability Act (HIPAA) regulates who may see and use PHI such as name, date of birth, Social Security number and health history information.
If anyone who is not specifically authorized to do so views such information, the corporation or healthcare organization charged with protecting that information is said to have suffered a data breach. If a data breach results in identity theft and/or a violation of government or industry compliance mandates, the offending organization may face fines or other civil or criminal prosecution.
Margaret Rouse, WhatIs.com
7. Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
PII can be sensitive or non-sensitive. Non-sensitive PII is information that can be transmitted in an unencrypted form without resulting in harm to the individual. Non-sensitive PII can be easily gathered from public records, phone books, corporate directories and websites.
Sensitive PII is information which, when disclosed, could result in harm to the individual whose privacy has been breached. Sensitive PII should therefore be encrypted in transit and when data is at rest. Such information includes biometric information, medical information, personally identifiable financial information (PIFI) and unique identifiers such as passport or Social Security numbers.
Margaret Rouse, WhatIs.com
8. Express consent is permission for something that is given specifically, either verbally or in writing.
Express consent contrasts with implied consent, which is an assumption of permission that is inferred from actions on the part of the individual. The terms are often heard in relation to email marketing campaigns and antispam legislation. Express consent is generally valued more highly than implied consent, and marketers are often less restricted when email recipients have opted-in to receive their mailings.
Best practices for email marketing include asking recipients specifically to consent to mailings and requiring double opt-in procedures (such as replying to an email or signing up online and also clicking a follow-up link to confirm). Marketers should provide the name of the party requesting permission and the company's name, website, phone number and physical/postal address. It's also crucial to include a functional unsubscribe link.
Margaret Rouse, WhatIs.com
9. Implied consent is an assumption of permission to do something that is inferred from an individual's actions rather than explicitly provided.
In the context of commercial email and text messages, for example, implied consent may be assumed by the senders because the recipient purchased a product from the sender's website or volunteered with the sender's charitable organization recently.
Implied consent is a fairly broadly applied legal concept. Here are a few examples in other contexts:
· Drivers are assumed to consent to blood alcohol testing. The inference is that the driver understands that driving under the influence is illegal and that they may be subject to testing.
· If an individual rolls up their sleeve for an injection or to have their blood pressure tested, they are assumed to have given consent and have no legal grounds to claim it was done against their will.
· In court, if an individual fails to object to a line of questioning within a reasonable time span, implied consent is assumed and they will not be able to object to it in the future.
Implied consent contrasts with express consent, which is explicit verbal or written permission. Anti-spam regulations, such as CAN-SPAM and CASL, differentiate between implied consent and express consent. As a rule, email senders have much greater latitude if recipients have explicitly consented to receive their mailings.
Margaret Rouse, WhatIs.com
10. A privacy policy is a document that explains how an organization handles any customer, client or employee information gathered in its operations.
Most websites make their privacy policies available to site visitors. A privacy page should specify any personally identifiable information that is gathered, such as name, address and credit card number, as well as other things like order history, browsing habits, uploads and downloads. The policy should also explain if data may be left on a user's computer, such as cookies. According to best practices, the policy should disclose if data may be shared with or sold to third parties and if so, what the purpose is.
There is no consensus as to whether or not privacy policies are legally binding and no consistency in enforcement. In the United States, the Federal Trade Commission (FTC) promotes enforcement of existing laws and industry self-regulation. Generally, for the FTC, data breaches are not sufficient for legal action if there is no loss of money associated with the breach.
The European Union's Data Protection Directive has confronted companies such as Google about privacy changes that went contrary to E.U. law, threatening sanctions on the massive company.
Often, the first statement found in an online privacy policy is one to the effect that, by visiting the web page (which you are doing if you're reading the policy), you agree to the details of the site's privacy policy.
Margaret Rouse, WhatIs.com