The 10 privacy acronyms you need to know

It’s easy to switch off when faced with technical terms that you don’t understand. Here’s a rundown of 10 commonly used privacy acronyms and what they really mean.

By Nigel Jones

Co Founder of The Privacy Compliance Hub

February 2021

GDPR – General Data Protection Regulation

The GDPR came into force in all EU Member States on 25 May 2018. It is arguably the toughest privacy law in the world and covers organisations everywhere that target or process the personal data of EU citizens. Fines can be up to €20m or 4% of global revenue – whichever is higher. The UK has its own version, known as UK GDPR, with the same key principles, rights and regulations, applicable from 1 January 2021. 

DPA – Data Protection Authority

DPAs are independent public bodies which supervise and enforce the application of privacy laws including the GDPR. There is a DPA (also known as a supervisory authority) in each member state. 

ICO – Information Commissioner’s Office

The UK’s DPA or supervisory authority promotes good practice in handling personal data and providing advice on data protection. The ICO can help to resolve disputes about whether an organisation has complied with the GDPR and take action to enforce compliance where appropriate. 

DPO – Data Protection Officer

DPOs monitor internal compliance with the GDPR, advise on data protection obligations and act as a contact point for supervisory authorities. The GDPR requires certain organisations to appoint a DPO, but others can do so voluntarily as part of their commitment to good privacy compliance. 

Check out our short product walkthrough video for an understanding of how the hub works

Click here to watch

DPIA – Data Protection Impact Assessments

Data protection impact assessments are a requirement under the GDPR and essential in establishing ‘privacy by default and by design’. They help organisations identify and minimise the data protection risks associated with projects. Businesses are obliged to carry out DPIAs for processing that is high risk, but it’s good practice to use them for any major piece of work that requires the processing of personal data. You must consider the nature, scope and purposes of the data collection; the necessity and proportionality; the risks to individuals; and identify the additional measures to mitigate those risks. 

SCC – Standard Contractual Clauses

A means by which the transfer of personal information from an organisation in the European Economic Area (EEA) to an organisation outside the EEA may be approved under the GDPR.  It is a contract signed by both organisations that sets out their responsibilities in keeping personal data safe.

SAR – Subject Access Request

Individuals have eight separate rights under the GDPR in relation to their personal information, including the so-called ‘right to be forgotten’. Exercise of such rights is known as making a subject access request. The GDPR requires businesses to respond to an SAR within one calendar month. 

ISO 27001

While not technically an acronym (and not really a privacy term), you will often come across ISO 27001 in privacy compliance. It’s one of the main specifications for an information security management system, which covers all legal, physical and technical controls involved in an organisation’s data risk management process. Businesses that achieve accredited certification to ISO 27001 are judged to be following information security best practice. 

EDPB – the European Data Protection Board

This is the EU body in charge of the application of the GDPR. It is made up of the head of each DPA and of the European Data Protection Supervisor (EDPS) or their representatives. The EDPS is an independent authority whose primary objective is to ensure European institutions and bodies respect the right to privacy and data protection when they process personal data. 

If you want more practical content like this article, please click below to sign up for our monthly newsletter.

Sign up now

CCPA – California Consumer Privacy Act

This regulation was passed in 2018 but came into force on 1 January 2020. Amongst other things, it gives Californian residents the right to know and access their personal information (collected in the past 12 months), the right to delete that information, the right to opt out of the sale of their personal information, and the right to non-discrimination following the exercise of these rights. For-profit businesses which meet certain thresholds and want to do business in California must comply with the CCPA. On 1 January 2023, the California Privacy Rights Act (CPRA), which extends these rights further, comes into force. 

A culture of continuous privacy compliance

We make privacy compliance easy for everyone to understand, care about and commit to. Our platform provides a structured programme, with training and reporting tools, giving you the confidence you’re keeping your customers, investors and the regulators happy on privacy.

More to watch and read