An intelligent system that grants and denies permissions to access data, and continuously reviews whether existing permissions are appropriate.

Collecting data about a person or organization with their knowledge, such as making them fill out a form emblazoned with your logo.

Compare with passive data collection, which happens without the entity’s knowledge.

An organization’s overall security posture, including its choices of security solutions, that demonstrate whether its commitment to security is commensurate with the risk and magnitude of harm resulting from loss, unauthorized access, or mutation of the data. Falling below an adequate level of protection might give grounds to a lawsuit alleging negligence.

The GDPR narrowly defines “adequate level of protection” as a European Commission decision that a non-EU country offers a similar level of protection for personal data as the EU for the purposes of cross-border data transfers.

A mismatch between routine and expected behavior of a user or organization, and the observed actual behavior. An anomaly could be a signature of an attack.

The process of removing personally identifiable information (PII) from data so that the data can no longer identify its source.

Data that does not contain any personally identifiable information (PII).

The GDPR does not apply to anonymous data.

The collection of security products, people, and techniques that reduce a system’s vulnerability to threats, which is commensurate with the risk and magnitude of harm resulting from loss, unauthorized access, or mutation of the data.

The GDPR narrowly defines “appropriate safeguards” as one of several written legal terms (such as standard contractual clauses) required to perform cross-border transfers of personal data.

A continuous record of events (such as API calls) that answers questions such as what data was attempted to be accessed when, and by whom.

A manual or automated examination of records for a specific purpose.

Examples of audits include access audits, which determine whether users and third parties have appropriate permissions, and certification audits, which determine whether an organization’s employees follow its written procedures.

The process of verifying the user is who they purport to be.

Compare with authorization, which is the process of verifying what data the user may access.

Using computers to analyze data and make decisions.

The GDPR restricts the use of purely automated processing from making important decisions about people’s rights and freedoms.

A common paradigm is having a “human in the loop” to review the results of automated processing.

Timely and reliable access to data by those authorized to access it.