This page lists all core governance, technical, and risk terms alphabetically for fast reference.
Term | Definition (for Implementor) |
Data Minimization | The principle that you must collect the least amount of data necessary to achieve a specific, stated purpose. In practice: If a field is optional to product functionality, do not collect it. |
DPIA (Data Protection Impact Assessment) | A required, formal risk review conducted before launching a new project that involves high-risk data processing (e.g., biometrics, mass profiling). |
Governance by Absence | The state where governance documentation exists (Level 1) but is not translated into operational logic, resulting in teams checking boxes while the system quietly contradicts the policy. |
Governance by Default | The state of organizational chaos where basic controls are absent, and security is based on trust and good intentions rather than documented policy. |
Lawful Basis | The required legal justification for processing personal data (e.g., Contract, Consent, Legitimate Interest). In practice: This must be a documented metadata tag associated with the data field in the schema. |
Least Privilege | The principle that users, systems, or accounts are only granted the minimal level of access required to perform their specific function. In practice: Why does an intern need Superadmin access? They don't. |
MFA (Multi-Factor Authentication) | An added layer of security requiring two forms of verification (e.g., password + code from phone). In practice: The minimum viable control against stolen passwords. |
Retention Job Spec | The detailed, automated code or query that executes the Retention Rule (e.g., DELETE FROM table WHERE date_collected < 90 days). |
Retention Rule | The specific, auditable instruction for when data must be deleted. |
RoPA (Record of Processing Activities) | A mandated inventory of what data you have, why you have it (purpose), and where it lives. In practice: Your master spreadsheet or data catalog listing every data flow. |
Superadmin / Privileged Access | Accounts with the power to modify system security, accounts, or configurations. In practice: These are the primary targets of attackers and require the most stringent controls. |
Ā© Privacy Atelier | CC BY-NC 4.0 | Examples are composites.