By Dr. SK, CIPT, PMP
Quick Reference Glossary (A-Z)

This glossary provides simple, actionable definitions for the terms that are often mistranslated between Legal and Engineering. We have organized the terms by Domain to help you quickly find the definitions relevant to your current project stage. Keep this open to ensure your team is speaking the shared meaning required for effective governance.
1. Governance & Legal Foundation (The "Why")
| Term | Domain | Definition for the Implementor |
| --- | --- | --- |
| Lawful Basis | Legal/Governance | The required legal justification for processing personal data (e.g., Contract, Consent, Legitimate Interest). In practice: This must be a documented metadata tag associated with the data field in the schema. |
| RoPA (Record of Processing Activities) | Governance/Audit | A mandated inventory of what data you have, why you have it (purpose), and where it lives. In practice: Your master spreadsheet or data catalog listing every data flow. |
| DPIA (Data Protection Impact Assessment) | Governance/Risk | A required, formal risk review conducted before launching a new project that involves high-risk data processing (e.g., biometrics, mass profiling). |
2. Technical & Operational Controls (The "How")
| Term | Domain | Definition for the Implementor |
| --- | --- | --- |
| Data Minimization | Design/Technical | The principle that you must collect the least amount of data necessary to achieve a specific, stated purpose. In practice: If a field is optional to product functionality, do not collect it. |
| Retention Rule | Governance/Operational | The specific, auditable instruction for when data must be deleted. |
| Retention Job Spec | Operational/Technical | The detailed, automated code or query that executes the Retention Rule (e.g., `DELETE FROM table WHERE date_collected < CURRENT_DATE - INTERVAL '90 days'`). |
3. Security & Access Risk (The "Protect")
| Term | Domain | Definition for the Implementor |
| --- | --- | --- |
| MFA (Multi-Factor Authentication) | Security/Technical | An added layer of security requiring two forms of verification (e.g., password + code from phone). In practice: The minimum viable control against stolen passwords. |
| Least Privilege | Security/Operational | The principle that users, systems, or accounts are only granted the minimal level of access required to perform their specific function. In practice: Why does an intern need Superadmin access? They don't. |
| Superadmin / Privileged Access | Security/Operational | Accounts with the power to modify system security, accounts, or configurations. In practice: These are the primary targets of attackers and require the most stringent controls. |
4. Cultural & Maturity State (The "Culture")
| Term | Domain | Definition for the Implementor |
| --- | --- | --- |
| Governance by Default | Culture/Risk | The state of organizational chaos where basic controls are absent, and security is based on trust and good intentions rather than documented policy. |
| Governance by Absence | Culture/Risk | The state where governance documentation exists (Level 1) but is not translated into operational logic, resulting in teams checking boxes while the system quietly contradicts the policy. |
© Privacy Atelier | CC BY-NC 4.0 | Examples are composites.