Strike Graph security compliance blog

A cheatsheet for common GDPR terms

Written by Michelle Strickler | Nov 16, 2022 8:00:00 AM

Ready to learn all about common GDPR terms like data portability, pseudonymization, icons, security of processing, and more? Then this cheat sheet will help! By understanding these terms, you’ll have a better handle on what’s expected of you and your organization while you’re on your path to GDPR compliance.

Compliance with the General Data Protection Regulation — or GDPR — is required of businesses that directly target, collect, and/or manipulate the personal data of EU residents.

Remember, your company is subject to the GDPR if it processes personal data as part of the activities of one of its branches established in the EU (regardless of where the data is processed), or if it is established outside the EU and offers paid or free goods and/or services to individuals in the EU or monitors their behavior.

Want to learn more about the GDPR basics? Check out our guide here.

So, why is it important to understand common GDPR terms? Your journey to GDPR compliance will be a thousand times easier if it doesn’t feel like you’re trying to speak a language you don’t know. Get a few of these terms learned, and you’ll feel like a pro as you journey toward GDPR compliance.

Without further ado, let’s jump into some of the most common GDPR terms and what they mean for you and your business.

Data portability

Data portability is a fundamental GDPR data subject right. It simply means that a data subject may receive and reuse information about them that they provided to a controller.

For example, if Jane provided her personal data to a social media company, then decides to shut down her account and move to a different social media company, the first social media company can't lock her in. In other words, they must give her the data she provided and do so in an easily readable format.

Data pseudonymization

Data pseudonymization refers to a method that replaces the identifying values in a data set with an alias or pseudonym. Under the GDPR, this means taking personally identifiable information (PII) and replacing it with data that cannot be used to identify an individual without additional information.

While pseudonymization is not a GDPR requirement, it is one of many methods that can be used to protect PII. It’s used in the GDPR world to remove direct identifiers in order to mitigate the risk of the misuse of PII.

It’s important to note that pseudonymized data is still considered PII because, when combined with other data, it can still point back to an individual. An example is a customer ID number that is used during processing but converted back to the customer's name when they view their data.
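The customer ID example above, worked through in Python as an added illustration (not code from the original post or from Strike Graph): direct identifiers are swapped for a keyed-hash token, the token-to-identity mapping is kept as a separate lookup table, and the records can only be converted back with that table. The records, the field names and the use of HMAC for the token are constructed assumptions for this example.

```python
import hmac
import hashlib

# Constructed sample records for this example (not real people).
RECORDS = [
    {"customer_id": "C-1001", "name": "Jane Example",
     "email": "jane@example.com", "order_total": 120.50},
    {"customer_id": "C-1002", "name": "John Sample",
     "email": "john@example.com", "order_total": 75.00},
]

# Fields that identify a person on their own and must be removed.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


def make_token(customer_id: str, key: bytes) -> str:
    """Derive a stable pseudonym from the customer ID with a keyed hash.
    A plain (unkeyed) hash would let anyone re-derive tokens from guessed
    IDs; with HMAC the key is part of the 'additional information'."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list, key: bytes) -> tuple:
    """Return (pseudonymized records, lookup table).
    The lookup table is the additional information the GDPR refers to; it
    must be stored separately from the pseudonymized data set."""
    lookup, out = {}, []
    for rec in records:
        token = make_token(rec["customer_id"], key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": token,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(pseudo_record: dict, lookup: dict) -> dict:
    """Restore the direct identifiers, e.g. when the customer views their own data."""
    ident = lookup[pseudo_record["pseudonym"]]
    return {**ident, **{k: v for k, v in pseudo_record.items() if k != "pseudonym"}}


def contains_direct_identifiers(records: list) -> bool:
    """True if any record still carries a direct identifier."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)          # keep this with the lookup table, not the data set
    pseudo, table = pseudonymize(RECORDS, key)
    print(pseudo)                          # safe to hand to analytics or processors
    print(reidentify(pseudo[0], table))    # only possible with the separately held table
```

Note that the pseudonymized records are still personal data: anyone holding the lookup table (or the key) can link them back, which is exactly why the table must be protected and stored apart.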

Data privacy by design (aka PbD)

This concept refers to protecting personal data through technological means throughout the entire engineering process. Encryption and pseudonymization are examples of privacy by design.

For GDPR, this means building privacy checks and balances (or safeguards) into the creation or update of business processes. Many organizations include a PbD check or stage in their change management processes.

Data privacy by default

This concept refers to ensuring the highest level of privacy protections, such as collecting only what is necessary for the specified purpose, pre-configuring privacy settings for users, and limiting access to PII when it’s first provided. Any privacy-by-design methods identified by the organization should be enabled by default.

EU GDPR representative

The EU GDPR requires that a representative be identified to act as the contact point between the organization and the GDPR supervisory authorities. While this individual or entity is not a Data Protection Officer (DPO), they need to be located in one of the EU Member States where the processing of personal data takes place. This is why many organizations turn to service providers: if you don't have an office in the EU, you’ll need to find an EU-based representative. Refer to Article 27(2) for exceptions to this requirement.

Data processing by design and default (DPbDaD) certification

The EU GDPR mentions that there can be a certification for data processing by design and default, or DPbDaD. To date, this certification has not been created, which is why this requirement is not yet mapped to a control within Strike Graph.

GDPR code of conduct

The GDPR mentions that organizations may adhere to a GDPR code of conduct. These voluntary codes of conduct can be established by trade organizations, private entities, or governing bodies. For a fee, organizations can indicate they comply with a GDPR code of conduct and post a seal or badge on their websites. The GDPR code of conduct is generally self-assessed.

Icons

If an organization uses icons to describe privacy concepts, they must be clear, understandable, and machine-readable. A great example of a clear icon is the shield, as it has come to signify that something is protected or secure. There are no standardized icons for privacy, but a quick internet search for “data privacy icons” will bring up some common, popular examples.

Security of processing

GDPR requires that organizations implement and document security measures to protect the processing of personal data. Based on a privacy risk assessment, appropriate measures should be adopted, such as encryption, pseudonymization, the ability to restore data, and regular testing of the security measures themselves.

Strike Graph’s easy-to-use platform helps you reach, maintain, and prove GDPR compliance quickly and easily. Your organization will be able to follow every detail of your GDPR compliance framework on Strike Graph’s dashboard and get automated notifications when something needs to be updated.

What’s more, our extensive library of pre-loaded GDPR controls lets you choose what you need and then plug it into your GDPR compliance framework — no writing from scratch required. And, as your company grows, Strike Graph’s versatile platform will let you leverage the work you’ve already done for GDPR to easily expand to SOC 2, ISO 27001, ISO 27701, HIPAA, PCI DSS, or CCPA compliance.