This page lists all core governance, technical, and risk terms alphabetically for fast reference.
Term | Definition (for Implementor) |
Data Minimization | The principle that you must collect the least amount of data necessary to achieve a specific, stated purpose. In practice: If a field is optional to product functionality, do not collect it. |
DPIA (Data Protection Impact Assessment) | A formal privacy risk assessment required under GDPR Article 35 when processing is likely to result in high risk to individuals (e.g., biometrics, large-scale profiling). In practice: A structured review documenting purpose, risks, mitigations, and residual risk before launch. Jurisdictional note: Not universally mandated in the U.S., but functionally analogous to privacy risk assessments expected by regulators (FTC, state AGs) in high-risk processing. |
Governance by Absence | The state where governance documentation exists (Level 1) but is not translated into operational logic, resulting in teams checking boxes while the system quietly contradicts the policy. |
Governance by Default | The state of organizational chaos where basic controls are absent, and security is based on trust and good intentions rather than documented policy. |
Lawful Basis | The required legal justification for processing personal data (e.g., Contract, Consent, Legitimate Interest). In practice: This must be a documented metadata tag associated with the data field in the schema. |
Least Privilege | The principle that users, systems, or accounts are only granted the minimal level of access required to perform their specific function. In practice: Why does an intern need Superadmin access? They don't. |
MFA (Multi-Factor Authentication) | An added layer of security requiring two forms of verification (e.g., password + code from phone). In practice: The minimum viable control against stolen passwords. |
Retention Job Spec | The detailed, automated code or query that executes the Retention Rule (e.g., DELETE FROM table WHERE date_collected < 90 days). |
Retention Rule | The specific, auditable instruction for when data must be deleted. |
RoPA (Record of Processing Activities) | A mandated inventory under GDPR Article 30 for organizations established in the EU, or processing EU personal data at scale, documenting what data you have, why you have it (purpose), and where it lives. In practice: Your master spreadsheet or data catalog listing every data flow. Jurisdictional note: Not explicitly required under U.S. federal law, but commonly adopted as a baseline governance artifact in global and enterprise privacy programs. |
Superadmin / Privileged Access | Accounts with the power to modify system security, accounts, or configurations. In practice: These are the primary targets of attackers and require the most stringent controls. |
Ā© Privacy Atelier | CC BY-NC 4.0 | Examples are composites.