📖 Glossary: Translating Privacy into Tech (and Vice Versa)

Compiled by the Privacy Atelier

This glossary provides simple, actionable definitions for the terms that are often mistranslated between Legal and Engineering. Terms are organized by where translation usually fails in real projects. Keep this open to ensure your team is speaking the shared meaning required for effective governance. Note: Terms labeled “required” reflect obligations under specific legal regimes (most commonly GDPR). U.S.-only programs often implement equivalent controls under different names.

1. Governance & Legal Foundation (The "Why")

Term	Domain	Definition for the Implementor
Lawful Basis	Legal/Governance	The required legal justification for processing personal data (e.g., Contract, Consent, Legitimate Interest). In practice: This must be a documented metadata tag associated with the data field in the schema.
RoPA (Record of Processing Activities)	Governance/Audit	A mandated inventory under GDPR Article 30 for organizations established in the EU, or processing EU personal data at scale, documenting what data you have, why you have it (purpose), and where it lives. In practice: Your master spreadsheet or data catalog listing every data flow. Jurisdictional note: Not explicitly required under U.S. federal law, but commonly adopted as a baseline governance artifact in global and enterprise privacy programs.
DPIA (Data Protection Impact Assessment)	Governance/Risk	A formal privacy risk assessment required under GDPR Article 35 when processing is likely to result in high risk to individuals (e.g., biometrics, large-scale profiling). In practice: A structured review documenting purpose, risks, mitigations, and residual risk before launch. Jurisdictional note: Not universally mandated in the U.S., but functionally analogous to privacy risk assessments expected by regulators (FTC, state AGs) in high-risk processing.

2. Technical & Operational Controls (The "How")

Term	Domain	Definition for the Implementor
Data Minimization	Design/Technical	The principle that you must collect the least amount of data necessary to achieve a specific, stated purpose. In practice: If a field is optional to product functionality, do not collect it.
Retention Rule	Governance/Operational	The specific, auditable instruction for when data must be deleted.
Retention Job Spec	Operational/Technical	The detailed, automated code or query that executes the Retention Rule (e.g., `DELETE FROM table WHERE date_collected < 90 days`).

3. Security & Access Risk (The "Protect")

Term	Domain	Definition for the Implementor
MFA (Multi-Factor Authentication)	Security/Technical	An added layer of security requiring two forms of verification (e.g., password + code from phone). In practice: The minimum viable control against stolen passwords.
Least Privilege	Security/Operational	The principle that users, systems, or accounts are only granted the minimal level of access required to perform their specific function. In practice: Why does an intern need Superadmin access? They don't.
Superadmin / Privileged Access	Security/Operational	Accounts with the power to modify system security, accounts, or configurations. In practice: These are the primary targets of attackers and require the most stringent controls.

4. Cultural & Maturity State (The "Culture")

Term	Domain	Definition for the Implementor
Governance by Default	Culture/Risk	The state of organizational chaos where basic controls are absent, and security is based on trust and good intentions rather than documented policy.
Governance by Absence	Culture/Risk	The state where governance documentation exists (Level 1) but is not translated into operational logic, resulting in teams checking boxes while the system quietly contradicts the policy.

1. Governance & Legal Foundation (The "Why")

Term	Domain	Definition for the Implementor
Lawful Basis	Legal/Governance	The required legal justification for processing personal data (e.g., Contract, Consent, Legitimate Interest). In practice: This must be a documented metadata tag associated with the data field in the schema.
RoPA (Record of Processing Activities)	Governance/Audit	A mandated inventory under GDPR Article 30 for organizations established in the EU, or processing EU personal data at scale, documenting what data you have, why you have it (purpose), and where it lives. In practice: Your master spreadsheet or data catalog listing every data flow. Jurisdictional note: Not explicitly required under U.S. federal law, but commonly adopted as a baseline governance artifact in global and enterprise privacy programs.
DPIA (Data Protection Impact Assessment)	Governance/Risk	A formal privacy risk assessment required under GDPR Article 35 when processing is likely to result in high risk to individuals (e.g., biometrics, large-scale profiling). In practice: A structured review documenting purpose, risks, mitigations, and residual risk before launch. Jurisdictional note: Not universally mandated in the U.S., but functionally analogous to privacy risk assessments expected by regulators (FTC, state AGs) in high-risk processing.

2. Technical & Operational Controls (The "How")

Term	Domain	Definition for the Implementor
Data Minimization	Design/Technical	The principle that you must collect the least amount of data necessary to achieve a specific, stated purpose. In practice: If a field is optional to product functionality, do not collect it.
Retention Rule	Governance/Operational	The specific, auditable instruction for when data must be deleted.
Retention Job Spec	Operational/Technical	The detailed, automated code or query that executes the Retention Rule (e.g., `DELETE FROM table WHERE date_collected < 90 days`).

3. Security & Access Risk (The "Protect")

Term	Domain	Definition for the Implementor
MFA (Multi-Factor Authentication)	Security/Technical	An added layer of security requiring two forms of verification (e.g., password + code from phone). In practice: The minimum viable control against stolen passwords.
Least Privilege	Security/Operational	The principle that users, systems, or accounts are only granted the minimal level of access required to perform their specific function. In practice: Why does an intern need Superadmin access? They don't.
Superadmin / Privileged Access	Security/Operational	Accounts with the power to modify system security, accounts, or configurations. In practice: These are the primary targets of attackers and require the most stringent controls.

4. Cultural & Maturity State (The "Culture")

Term	Domain	Definition for the Implementor
Governance by Default	Culture/Risk	The state of organizational chaos where basic controls are absent, and security is based on trust and good intentions rather than documented policy.
Governance by Absence	Culture/Risk	The state where governance documentation exists (Level 1) but is not translated into operational logic, resulting in teams checking boxes while the system quietly contradicts the policy.