Glossary

D


DDR (Data Detection and Response)

  • Description: A security approach and set of tools designed to automatically detect, investigate, and respond to threats or suspicious activities related to sensitive data across an organization’s environment.
  • Origin: Emerged as an evolution of EDR/XDR solutions, focused specifically on data security.
  • Impacts Data Types: Sensitive data, personal data, regulated information (PII, PHI, financial data, etc.).
  • Examples: Alerting and blocking when sensitive files are accessed or exfiltrated by unauthorized users.
  • Potential Fines: Not directly fined, but failure to detect and respond to data threats can result in regulatory penalties for breaches.

Delaware HB 116

  • Description: Delaware’s data breach notification law requiring prompt notification to affected individuals and the Attorney General in the event of a security breach involving personal information.
  • Origin: Enacted and enforced in Delaware since 2017.
  • Impacts Data Types: Personal information, including Social Security numbers, driver’s license numbers, financial account data, and medical information.
  • Examples: A business must notify Delaware residents within 60 days if their personal data is breached.
  • Potential Fines: Civil penalties up to $10,000 per violation; enforcement by the Delaware Attorney General.

District of Columbia 28-3852

  • Description: The District of Columbia’s data breach notification law, requiring organizations to notify residents and the Attorney General of breaches involving personal information.
  • Origin: Enacted in Washington D.C.; enforced since 2007, with major amendments in 2020.
  • Impacts Data Types: Personal information such as names with Social Security numbers, driver’s license numbers, medical information, and biometric data.
  • Examples: A healthcare provider must notify affected D.C. residents if patient records are hacked.
  • Potential Fines: Civil penalties and enforcement actions by the D.C. Attorney General.

DLP (Data Loss Prevention)

  • Description: Technologies and processes that detect and prevent the unauthorized transmission, sharing, or leakage of sensitive data outside an organization’s boundaries.
  • Origin: Commercial DLP solutions emerged in the mid-2000s as regulatory requirements for data protection increased.
  • Impacts Data Types: Sensitive data, including PII, PHI, financial records, intellectual property.
  • Examples: Blocking emails containing unencrypted Social Security numbers from leaving the corporate network.
  • Potential Fines: Not directly fined, but ineffective DLP can lead to breaches and regulatory penalties.

DPO (Data Protection Officer)

  • Description: An independent expert responsible for overseeing data protection strategy, compliance, and monitoring within an organization, as required by laws like the GDPR.
  • Origin: Mandated by the EU General Data Protection Regulation (GDPR) for certain organizations since 2018.
  • Impacts Data Types: Personal data processed by the organization.
  • Examples: Advises on privacy impact assessments, acts as a contact for data subjects and regulators.
  • Potential Fines: Not personally fined, but the organization faces penalties for non-compliance (up to €20 million or 4% of global turnover under GDPR).

DRM (Digital Rights Management)

  • Description: Technologies and policies that control the use, modification, and distribution of digital content and data to prevent unauthorized access or piracy.
  • Origin: Developed in the late 1990s and early 2000s to protect digital media and intellectual property.
  • Impacts Data Types: Digital media, documents, software, and intellectual property.
  • Examples: Limiting the number of devices that can play a purchased movie file.
  • Potential Fines: Not directly fined, but circumvention can result in civil and criminal penalties under copyright law.

Data Access Governance

  • Description: The policies, processes, and technologies used to ensure that only authorized users have access to sensitive data, and that access is appropriate and auditable.
  • Origin: Developed as a response to increasing regulatory requirements and insider threat risks.
  • Impacts Data Types: All sensitive and regulated data (PII, PHI, financial, proprietary).
  • Examples: Regular access reviews and removal of unnecessary permissions to critical data repositories.
  • Potential Fines: Non-compliance may lead to regulatory penalties for data breaches or unauthorized access.

Data Breach

  • Description: The unauthorized acquisition, access, use, or disclosure of sensitive, protected, or confidential data, usually resulting in its compromise.
  • Origin: Defined in numerous privacy and security laws (e.g., GDPR, HIPAA, state breach notification statutes).
  • Impacts Data Types: Personal data, financial data, health records, trade secrets, and more.
  • Examples: Hackers steal customer payment information from an online retailer.
  • Potential Fines: Regulatory penalties, civil liability, and reputational damage; fines vary by jurisdiction.

Data Breach Notification

  • Description: The legal requirement to inform affected individuals and/or authorities when a data breach involving personal information occurs.
  • Origin: Mandated by laws such as GDPR, HIPAA, and all U.S. state breach notification statutes.
  • Impacts Data Types: Personal data, sensitive data, and regulated information.
  • Examples: Notifying customers and regulators within 72 hours of discovering a breach under GDPR.
  • Potential Fines: Varies by jurisdiction; failure to notify can result in significant penalties (e.g., up to €10 million under GDPR).

Data Broker

  • Description: A business that collects, processes, or sells personal information about individuals with whom it does not have a direct relationship.
  • Origin: Defined and regulated by laws such as the California Consumer Privacy Act (CCPA) and Vermont’s Data Broker Law.
  • Impacts Data Types: Personal information, consumer data, online activity, demographics.
  • Examples: Companies that aggregate and sell marketing lists or credit profiles.
  • Potential Fines: Civil penalties for non-compliance with disclosure and opt-out requirements.

Data Catalog

  • Description: An organized inventory of data assets within an organization, providing metadata, classification, and context to facilitate data discovery and governance.
  • Origin: Developed as a data management best practice for large enterprises.
  • Impacts Data Types: All enterprise data assets, including structured and unstructured data.
  • Examples: A searchable portal listing databases, files, and data sets with descriptions and owners.
  • Potential Fines: Not directly fined, but lack of cataloging can lead to compliance failures and data loss.

Data Categorization

  • Description: The process of organizing data into categories based on shared characteristics, sensitivity, or regulatory requirements to facilitate proper handling and protection.
  • Origin: Core element of information governance and data management frameworks.
  • Impacts Data Types: All organizational data, especially personal and sensitive data.
  • Examples: Labeling data as “Public,” “Internal,” or “Confidential.”
  • Potential Fines: Improper categorization can lead to data mishandling and regulatory penalties.

Data Classification

  • Description: The process of assigning a level of sensitivity or criticality to data, dictating how it should be handled and protected.
  • Origin: Standard practice in security frameworks (e.g., NIST, ISO 27001).
  • Impacts Data Types: All types of data, especially those subject to regulatory controls.
  • Examples: Classifying records as “Restricted,” “Confidential,” “Internal Use,” or “Public.”
  • Potential Fines: Inadequate classification can result in non-compliance and regulatory fines.

Data Controller

  • Description: The entity (person, organization, or agency) that determines the purposes and means of processing personal data.
  • Origin: Defined in GDPR and other data protection laws globally.
  • Impacts Data Types: All personal data under the controller’s purview.
  • Examples: A retailer collecting customer information for marketing purposes.
  • Potential Fines: Controllers are subject to regulatory fines for non-compliance (up to €20 million or 4% of annual turnover under GDPR).

Data Flow

  • Description: The movement of data within or between systems, applications, or organizations, often mapped to understand risks and compliance requirements.
  • Origin: A foundational concept in data management and privacy impact assessments.
  • Impacts Data Types: Any data transferred, processed, or stored across environments.
  • Examples: Mapping the transfer of customer data from a web form to a CRM system.
  • Potential Fines: Inadequate understanding of data flows can lead to compliance failures and penalties.

Data Flow Diagram

  • Description: A visual representation that illustrates how data moves through an information system, including sources, destinations, storage, and processes.
  • Origin: Used in systems analysis, privacy impact assessments, and security audits.
  • Impacts Data Types: Any data represented in the system (personal, sensitive, operational, etc.).
  • Examples: Diagrams showing data collection from users, processing by applications, and storage in databases.
  • Potential Fines: Not directly fined, but lack of documentation can contribute to compliance failures.

Data Inventory

  • Description: A comprehensive record of all data assets held by an organization, including details on type, location, ownership, and processing.
  • Origin: Required by many data protection regulations and frameworks (e.g., GDPR, CCPA).
  • Impacts Data Types: All organizational data, especially personal and sensitive information.
  • Examples: A spreadsheet or software tool listing all databases, file shares, and cloud storage locations.
  • Potential Fines: Non-compliance with inventory requirements can result in regulatory penalties.

Data Localization

  • Description: The legal or policy requirement that certain types of data be stored and processed within a specific geographic location or country.
  • Origin: Mandated by laws in countries such as Russia, China, India, and sectoral rules (e.g., financial, health data).
  • Impacts Data Types: Personal data, financial records, health information, and more.
  • Examples: Requiring payment card data of citizens to be stored on servers physically located within the country.
  • Potential Fines: Non-compliance may result in regulatory penalties, blocking of services, or criminal liability.

Data Loss

  • Description: The accidental or intentional destruction, deletion, or unavailability of data, leading to its inaccessibility or irrecoverability.
  • Origin: Recognized as a risk in information security and business continuity planning.
  • Impacts Data Types: Any data, including critical business, customer, or operational information.
  • Examples: A system crash resulting in the permanent loss of customer order records.
  • Potential Fines: Data loss can trigger regulatory reporting obligations and fines for non-compliance.

Data Loss Prevention

  • Description: (See DLP above.) A strategy and set of tools to detect and prevent unauthorized data exfiltration or leakage.
  • Origin: See DLP above.
  • Impacts Data Types: Sensitive data, regulated information, intellectual property.
  • Examples: Preventing employees from uploading confidential files to personal cloud accounts.
  • Potential Fines: Not directly fined, but failure can result in regulatory penalties for breaches.

Data Minimization

  • Description: The principle and practice of limiting the collection, processing, and retention of personal data to only what is strictly necessary for a specified purpose.
  • Origin: Mandated by GDPR, CCPA, and other privacy laws.
  • Impacts Data Types: Personal data, sensitive data.
  • Examples: Collecting only an email address, not a phone number, when signing up for a newsletter.
  • Potential Fines: Non-compliance can result in regulatory penalties (e.g., up to €20 million under GDPR).

Data Processing

  • Description: Any operation or set of operations performed on data, such as collection, storage, use, disclosure, or deletion.
  • Origin: Defined in GDPR and other privacy regulations.
  • Impacts Data Types: All personal data and other regulated information.
  • Examples: Storing customer contact information in a CRM system.
  • Potential Fines: Improper processing can result in regulatory fines and liability.

Data Processor

  • Description: An entity that processes personal data on behalf of a data controller, as defined in GDPR and other privacy laws.
  • Origin: GDPR and similar data protection regulations globally.
  • Impacts Data Types: Personal data handled by the processor under the controller’s instructions.
  • Examples: A cloud service provider storing and managing customer data for a retailer.
  • Potential Fines: Processors can be liable for non-compliance (up to €20 million or 4% of annual turnover under GDPR).

Data Protection

  • Description: The set of strategies, technologies, and processes used to secure personal and sensitive data from unauthorized access, loss, or misuse.
  • Origin: Core requirement in privacy laws (GDPR, HIPAA, CCPA, etc.).
  • Impacts Data Types: Personal data, sensitive data, regulated information.
  • Examples: Encrypting customer data at rest and in transit.
  • Potential Fines: Non-compliance can result in significant regulatory penalties.

Data Protection Authority (DPA)

  • Description: An independent public authority established to monitor and enforce compliance with data protection laws.
  • Origin: Required by GDPR and similar privacy laws worldwide.
  • Impacts Data Types: All personal data under the authority’s jurisdiction.
  • Examples: The UK Information Commissioner’s Office (ICO) or France’s CNIL.
  • Potential Fines: DPAs can impose fines up to €20 million or 4% of annual turnover for violations under GDPR.

Data Protection Impact Assessment (DPIA)

  • Description: A process to identify and minimize the data protection risks of a project, required for high-risk processing activities under GDPR.
  • Origin: Mandated by GDPR and other privacy laws for certain processing operations.
  • Impacts Data Types: Personal and sensitive data involved in the project/process.
  • Examples: Assessing privacy risks before deploying a new employee monitoring system.
  • Potential Fines: Failure to perform DPIAs can result in regulatory penalties under GDPR.

Data Protection Principle

  • Description: Fundamental rules and standards for lawful, fair, and transparent processing of personal data, such as purpose limitation, data minimization, and accuracy.
  • Origin: Set out in GDPR, HIPAA, and other privacy laws.
  • Impacts Data Types: All personal data processed by organizations.
  • Examples: Only collecting data necessary for a specific purpose and keeping it accurate and up to date.
  • Potential Fines: Breaching principles can result in regulatory penalties.

Data Residency

  • Description: The physical or geographic location where data is stored and processed, often subject to legal requirements.
  • Origin: Driven by privacy regulations and cross-border data transfer restrictions.
  • Impacts Data Types: Personal data, financial data, and other regulated information.
  • Examples: Hosting customer data on servers located in the EU to comply with GDPR.
  • Potential Fines: Non-compliance can result in regulatory penalties and service restrictions.

Data Risk Assessment

  • Description: The process of identifying, evaluating, and prioritizing risks to data, including threats, vulnerabilities, and impacts.
  • Origin: Required by security and privacy frameworks (NIST, ISO 27001, GDPR).
  • Impacts Data Types: All critical, sensitive, and regulated data.
  • Examples: Assessing risks to customer data stored in a cloud application.
  • Potential Fines: Failure to assess and mitigate risks may lead to regulatory penalties after a breach.

Data Security

  • Description: The protection of data from unauthorized access, use, disclosure, disruption, modification, or destruction.
  • Origin: Fundamental component of information security and privacy regulations.
  • Impacts Data Types: All organizational and personal data.
  • Examples: Using encryption, access controls, and monitoring to safeguard data.
  • Potential Fines: Regulatory penalties for data breaches and non-compliance.

Data Security Posture Management (DSPM)

  • Description: The continuous process of discovering, classifying, assessing, and monitoring data security risks across cloud and hybrid environments.
  • Origin: Emerged as a category of security tools with the rise of cloud adoption and data sprawl.
  • Impacts Data Types: All data stored or processed in cloud and hybrid environments.
  • Examples: Automated tools that detect misconfigurations, excessive permissions, or exposed sensitive data in cloud storage.
  • Potential Fines: Not directly fined, but poor posture can lead to breaches and regulatory penalties.

Data Sprawl

  • Description: The uncontrolled proliferation and distribution of data across multiple locations, systems, and cloud services, making management and protection difficult.
  • Origin: Result of cloud adoption, remote work, and increasing data volumes.
  • Impacts Data Types: All enterprise data, especially unstructured and shadow IT data.
  • Examples: Sensitive files scattered across employees’ devices, email, and cloud storage.
  • Potential Fines: Data sprawl increases risk of breaches and regulatory penalties.

Data Store

  • Description: Any repository where data is held, such as databases, file systems, data lakes, or cloud storage.
  • Origin: Fundamental concept in IT and data management.
  • Impacts Data Types: All types of data stored by an organization.
  • Examples: SQL databases, Amazon S3 buckets, SharePoint document libraries.
  • Potential Fines: Inadequate security of data stores can result in breaches and regulatory penalties.

Driver’s License Numbers (all U.S. States)

  • Description: A unique identifier issued by state governments to licensed drivers, widely recognized as sensitive personal information under U.S. privacy and breach notification laws.
  • Origin: Issued and regulated by all U.S. states under their motor vehicle laws, and protected under each state’s privacy and breach notification statutes.
  • Impacts Data Types: Personal identifiers, often classified as sensitive or protected information.
  • Examples: Use in financial applications, employment background checks, or as a breach notification trigger.
  • Potential Fines: Breach of driver’s license numbers may lead to statutory penalties, civil liability, and regulatory enforcement.