Glossary Flashcards
Accountability
The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.
Adequate Level of Protection
A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data.
Associated term(s): Adequacy
Adverse Action
Under the Fair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.
Associated law(s): FCRA
American Institute of Certified Public Accountants
A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program.
Acronym(s): AICPA
Associated term(s): Canadian Institute of Chartered Accountants, Seal Programs, WebTrust
Americans with Disabilities Act
A U.S. law that bars discrimination against qualified individuals with disabilities.
Link to text of law: Americans with Disabilities Act
Acronym(s): ADA
Anti-discrimination Laws
Anti-discrimination laws are indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise.
APEC Privacy Principles
A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.
Background Screening/Checks
Organizations may want to verify an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity. Employee consent requirements for such check vary by member state and may be negotiated with local works councils.
Bank Secrecy Act, The
A U.S. federal law that requires U.S. financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing and various other domestic and international criminal activities.
Link to text of law: The Bank Secrecy Act (BSA)
Acronym(s): BSA
Associated term(s): Financial Record Keeping and Reporting Currency and Foreign Transactions Act of 1970
Behavioral Advertising
Advertising that is targeted at individuals based on the observation of their behaviour over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.
Acronym(s): OBA
Associated term(s): Online Behavioral Advertising, Behavioral Targeting, Contextual Advertising, Demographic Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising
Binding Corporate Rules
Binding Corporate Rules (BCRs) are an appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had BCRs approved.
Acronym(s): BCR
Binding Safe Processor Rules
Previously, the EU distinguished between Binding Corporate Rules for controllers and Binding Safe Processor Rules for processors. With the General Data Protection Regulation, there is now no distinction made between the two in this context and Binding Corporate Rules are appropriate for both.
Acronym(s): BSPR
Associated term(s): Binding Corporate Rules
Breach Disclosure
The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure.
Associated law(s): FCRA, GLBA, HIPAA, various U.S. state laws
Associated term(s): Breach notification
Bring Your Own Device
Use of employees’ own personal computing devices for work purposes.
Acronym(s): BYOD
Associated term(s): Consumerization of information technology (COIT)
California Consumer Privacy Act
The first state-level comprehensive privacy law in the U.S. The CCPA applies broadly to businesses that collect personal information from California consumers, imposing extensive transparency and disclosure obligations. It also creates consumers’ rights to access their personal data and to request its deletion; to opt-out of the sale of their personal data; and to nondiscrimination on the basis of their exercising any of their CCPA rights. In Nov. 2020, California passed the California Privacy Rights Act, which amends the CCPA and includes additional consumer protections and business obligations. The majority of the CPRA’s provisions will enter into force Jan. 1. 2023, with a look back to Jan. 2022.
CCPA and CPRA Topic Page
This topic page contains a curation of the IAPP’s coverage, analysis and relevant resources covering the California Consumer Privacy Act and California Privacy Rights Act.
