CIPP Glossary Part 2 Flashcards Preview


Flashcards in CIPP Glossary Part 2 Deck (309)

Chapter 7 of the General Data Protection Regulation outlines the remedies available to data subjects and their right to compensation, the liability for damage caused by processing for both controllers and processors, and the penalties available to supervisory authorities for infringement of the law.

Remedies, Liability and Penalties


Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid.

Unfair Trade Practices


The minimum level at which privacy should be protected in all new projects, applications and services. This includes the expectations of privacy in the new programs and guidelines for adherence to those standards. The standard is set based on both internal organizational policy and external regulations.

Privacy Standard


A formula to calculate the impact of a new project on the privacy of the consumer base that will use the new systems. To evaluate the xxx, one must consider the likelihood of the threat occurring, multiplied by the potential impact if the threat occurs. It may be difficult to quantify, so a comparison between projects may be the best way to understand xxx.

Privacy Risk


It is a term with particular meaning under the California Consumer Privacy Act, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.

Personal Information (PI)


Taking information collected for one purpose and using it for another purpose later on.



Governs the release of customer financial information to federal government authorities.
The act defines both the circumstances under which a financial institution can volunteer information about customers' financial records to federal government authorities and the applicable procedures and requirements to follow when the federal government is requesting customers' financial information.

Right to Financial Privacy Act of 1978


Technically Directive 2016/680, or the Directive on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Law Enforcement, this is the EU law governing the handling of personal data by competent law enforcement authorities. Each member state has a law that translates this directive into national law. The directive covers the cross-border and national processing of data by member states' competent authorities for the purpose of law enforcement.

This includes the prevention, investigation, detection and prosecution of criminal offences, as well as the safeguarding and prevention of threats to public security. It does not cover activities by EU institutions, bodies, offices and agencies, nor activities falling outside the scope of EU law.

Law Enforcement Directive


The degree to which identifiers used to track an individual user can be paired with outside information to identify that individual.

For example, public records can be paired with date of birth, gender and zip code to identify an individual.



The individual who is mandated by PIPEDA to enforce the act.
The commissioner has broad power to examine documents, but some documents may be shielded by solicitor-client privilege.
The xxx conducts investigations under a cloak of confidentiality, but public reports with non-binding recommendations are ultimately issued.

Aggrieved individuals also have a right to complain to the xxx.

Privacy Commissioner of Canada


A U.S. federal agency that administers the National Labor Relations Act. The xxx conducts elections to determine if employees want union representation and investigates and remedies unfair labor practices by employers and unions.

The National Labor Relations Board


A body established pursuant to an act under which a professional or occupational group or discipline is organized and that provides for membership in, and regulation of the members of, the professional or occupational group or discipline, including the registration, competence, conduct, practice and discipline of its members.

Professional Regulatory Body


A case in which the European Court of Justice (ECJ) ruled that a woman who identified and included information about fellow church volunteers on her website was in breach of the Data Protection Directive 95/46/EC.
The ECJ held that the creation of a personal website was not a personal activity allowing the woman to be exempted from the data protection rules.
Some observers wonder whether Recital 18 of the General Data Protection Regulation, which says the law does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity, might affect this precedential ruling.
Recital 18 says personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.

Lindqvist Judgement


The principle that personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

Personal data may be stored for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organizational measures required to safeguard the rights and freedoms of the data subject.

Storage Limitation


The practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or as evidence in a court proceeding.

Specifically, attorneys are required to xxx documents so that no more than the following information is included in court filings: (1) the last four digits of the Social Security number and taxpayer-identification number; (2) the year of the individual's birth; (3) if the individual is a minor, only the minor's initials; and (4) the last four digits of the financial account number.



These events constitute triggers for an organization to conduct a xxx:

- Conversion of records from paper-based to electronic form;
- Conversion of information from anonymous to identifiable form;
- System management changes involving significant new uses and/or application of new technologies;
- Significant merging, matching or other manipulation of multiple databases containing PII;
- Application of user-authenticating technology to a system accessed by members of the public;
- Incorporation into existing databases of PII obtained from commercial or public sources;
- Significant new inter-agency exchanges or uses of PII;
- Alteration of a business process resulting in significant new collection, use and/or disclosure of PII;
- Alteration of the character of PII due to the addition of qualitatively new types of PII.

Privacy Impact Assessment (PIA) Triggers


An advertising strategy that leverages information learned from an initial consumer interaction to market to the same consumer multiple times in a digital or physical environment.



A formal documentation of a software system or product to be developed that includes both functional and nonfunctional requirements.

These are used so that the individual tasked with creating the system or product is aware of the needs of the individual seeking the creation.

Software Requirements Specification


The 3rd of four phases of the privacy operational life cycle.

It provides privacy management through the monitoring, auditing and communication aspects of the management framework.



One of three requirements established by the General Data Protection Regulation for the processing of personal data.

Personal data shall be processed xxx, fairly and in a transparent manner in relation to the data subject.

Data subjects must be aware of the fact that their personal data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree with such processing and to enable them to exercise their data protection rights. The GDPR outlines six bases for the xxx processing of personal data.



Under the General Data Protection Regulation, a processor may not engage another processor without xxx of the data controller. This authorization may be general or specific. If it is general, the processor is required to give the controller an opportunity to object to the addition or replacement of other processors.

Prior Authorization


The concept that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law.

Limiting Use


A telecommunications industry term for non-core services; i.e., services beyond voice calls and fax transmissions.

More broadly, the term is used in the service sector to refer to services that are available at little or no cost and promote the provider's primary business. For mobile phones, while technologies like SMS, MMS and GPRS are usually considered xxx, a distinction may also be made between standard (peer-to-peer) content and premium-charged content. These are called mobile value-added services (MVAS), which are often simply referred to as VAS. Value-added services are supplied either in-house by the mobile network operator itself or by a third-party value-added service provider (VASP), also known as a content provider (CP), such as Headline News or Reuters. VASPs typically connect to the operator using protocols like the short message peer-to-peer protocol (SMPP), connecting either directly to the short message service centre (SMSC) or, increasingly, to a messaging gateway that gives the operator better control of the content.

Value-Added Services (VAS)


The set of rules which govern the use of a service and must be agreed to, either implicitly through the use of that service or explicitly, in order to make use of that service.

Terms of Service


Phishing targeted at a specific individual or individuals known to be wealthy.



A network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network. xxx typically require remote users of the network to be authenticated and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.

Virtual Private Network (VPN)


The European Parliament, the European Council, the European Commission, the Court of Justice of the European Union, the European Central Bank and the Court of Auditors.

Six Major European Union Institutions, The


A cryptographic key used with a secret key cryptographic algorithm, uniquely associated with one or more entities and which shall not be made public.

The use of the term "xxx" in this context does not imply a classification level, rather the term implies the need to protect the key from disclosure or substitution.

Secret Key


Under HIPAA, the standard that the level of information that may be disclosed by healthcare providers to third parties is the minimum amount necessary to accomplish the intended purpose.

Minimum Necessary Requirement


An executive who serves as the privacy program sponsor and acts as an advocate to further foster privacy as a core organizational concept.

Privacy Champion