A

Access Control

A security mechanism that regulates which subjects (users, processes, devices) may perform which operations on which resources within an IT system. Decisions are based on the requester's authenticated identity and pre-defined permissions; a sound policy denies by default and grants only the minimum access required, applying the principle of least privilege to prevent unauthorized access.

Accountability

A core GDPR principle requiring data controllers not only to comply with data protection regulations but to demonstrate that compliance. Demonstrated through documented policies, training records, DPIAs, and auditable technical and organizational measures.

AI Act (EU Artificial Intelligence Act)

A landmark European regulation establishing a harmonized legal framework for AI systems in the EU. It classifies AI systems by risk level, from minimal to unacceptable, and sets obligations proportionate to each risk category.

AI Governance

The set of policies, regulatory frameworks, organizational practices and oversight mechanisms ensuring AI systems are developed and used ethically and responsibly. Formalized by ISO 42001 (a voluntary, certifiable management standard) and, for AI systems within its scope, legally required by the EU AI Act.

AI Management System (AIMS)

A structured framework defined by ISO 42001 for managing the responsible development and use of artificial intelligence. Addresses governance, ethics, risk management, transparency requirements and continuous improvement.

Anonymization

An irreversible process transforming personal data so that individuals can no longer be identified, directly or indirectly. Once correctly anonymized, data falls outside the scope of the GDPR and other data protection regulations.

Asset Inventory

A systematic and up-to-date register of all information assets within an organization, including hardware, software, data and services. Each asset must have an assigned owner, classification level and assessed business criticality.

Audit Evidence

Records, statements of fact or other verifiable information used to determine the extent to which audit criteria are fulfilled. Essential for substantiating auditor findings and conclusions in ISO 27001 and other certifications.

Audit Log

A chronological record of events, transactions and activities performed on an IT system. Enables tracing of user actions, detection of anomalies, incident investigation and demonstration of regulatory compliance to authorities.
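An audit log only supports incident investigation if its entries cannot be silently altered after the fact. The following is an added example, not code from the original page: each record carries the SHA-256 hash of the previous record, so editing or deleting an entry breaks every hash that follows it. The event records and field names are constructed for the demonstration.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Tuple

# Constructed sample events for the demonstration; not taken from a real system.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"ts": "2024-05-01T08:00:00Z", "actor": "alice", "action": "login", "result": "success"},
    {"ts": "2024-05-01T08:02:13Z", "actor": "alice", "action": "read", "object": "/finance/q1.xlsx"},
    {"ts": "2024-05-01T08:05:40Z", "actor": "alice", "action": "delete", "object": "/finance/q1.xlsx"},
]

GENESIS = "0" * 64  # hash value used as the "previous hash" of the first entry


def canonical(event: Dict[str, Any]) -> bytes:
    # Stable serialization: key order and whitespace must not change the hash.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: Dict[str, Any]) -> str:
    # Each hash covers the previous hash AND the event, which links the chain.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def build_chain(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    chain = []
    prev = GENESIS
    for ev in events:
        digest = entry_hash(prev, ev)
        chain.append({"event": ev, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, i  # an entry before this one was removed or reordered
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, i  # this entry's content was modified
        prev = entry["hash"]
    return True, -1


def tampered_copy(chain: List[Dict[str, Any]], index: int, field: str, value: Any) -> List[Dict[str, Any]]:
    # Simulate an attacker editing one stored event without recomputing hashes.
    altered = copy.deepcopy(chain)
    altered[index]["event"][field] = value
    return altered


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(chain))
    print("edited entry 1:", verify_chain(tampered_copy(chain, 1, "action", "read_metadata")))
    print("deleted entry 1:", verify_chain(chain[:1] + chain[2:]))
```

The chain makes tampering detectable, not impossible: an attacker with write access can recompute every hash from the edited entry onward. The head hash therefore has to be anchored somewhere the log writer cannot reach, for example a write-once store or a periodic signed checkpoint held by a separate party.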

Authentication

The process of verifying the identity of a user, device or system before granting access to protected resources. Uses factors such as passwords, security tokens, biometrics or digital certificates, increasingly combined as MFA.

Availability

A core information security principle ensuring that systems, data and services remain accessible and operational when needed by authorized users. Underpins business continuity planning and is one leg of the CIA Triad.

B

Biometrics

The measurement and statistical analysis of unique physical or behavioral characteristics of individuals, such as fingerprints or facial geometry. Used as an authentication or identification method; under the GDPR, biometric data processed for the purpose of uniquely identifying a natural person is special category data.

Brand Protection

The set of strategies, legal tools and proactive actions designed to safeguard a company’s identity, reputation and intellectual assets. Guards against unauthorized use, counterfeiting, piracy and infringement of trademarks or copyright.

Business Continuity Plan (BCP)

A strategic document defining how an organization will continue operating during and after an unplanned disruption. Includes documented procedures, responsibilities and resources needed to maintain critical business functions.

C

CCPA (California Consumer Privacy Act)

A California state law granting consumers rights over their personal data. Includes the right to know what data is collected, the right to delete it, the right to opt out of its sale and protection from discrimination for exercising these rights.

CIA Triad

The foundational model of information security comprising Confidentiality, Integrity and Availability. Serves as the primary reference framework for evaluating risks and designing security controls in any organization.

Cloud Security

The set of policies, technologies, applications and controls used to protect virtualized data, applications, services and infrastructure in cloud environments. Addresses cloud-specific threats such as multi-tenancy risks and loss of physical control.

Cloud Service Provider (CSP)

A company that delivers computing resources such as storage, processing or applications over the internet on demand. Frequently acts as a data processor in relation to personal data managed on behalf of business customers.

Code of Conduct

A self-regulatory instrument approved by a representative association that specifies GDPR application within a particular sector. Allows adherent organizations to demonstrate compliance and may reduce audit burden for certified members.

Compliance

The adherence to applicable laws, regulations, standards and internal policies, together with the systematic processes an organization implements to achieve and demonstrate that adherence. Increasingly strategic rather than purely administrative.

Confidentiality

An information security principle ensuring that data is accessible only to authorized persons, entities or processes. Prevents unauthorized disclosure of sensitive or personal information and forms the first leg of the CIA Triad.

Consent

A freely given, specific, informed and unambiguous indication of the data subject's wishes by which they agree to the processing of their personal data, given by a statement or clear affirmative action (pre-ticked boxes and silence do not count). It must be as easy to withdraw as it was to give. Explicit consent, a higher bar, is required for special categories of data and certain international transfers.

Copyright

A legal right granting creators of original works exclusive rights to reproduce, distribute and create derivative works. Protects both economic interests and moral rights of the author for a defined period after creation.

CVE (Common Vulnerabilities and Exposures)

A public reference system providing unique identifiers (of the form CVE-YYYY-NNNNN) for publicly known security vulnerabilities in software and hardware. A CVE ID names the flaw, not its severity; severity is scored separately (e.g. CVSS). Enables standardized exchange of vulnerability information and supports vulnerability management programs across organizations.

Cyber Resilience

The ability of an organization to anticipate, resist, recover from and adapt to adverse conditions and cyber attacks. Goes beyond cybersecurity by incorporating operational continuity as a central objective alongside technical protection.

Cybersecurity

The practice of protecting networks, devices, systems, programs and data from attack, damage or unauthorized access. Applies a combination of technologies, processes and human practices to preserve the CIA Triad.

D

Data Breach

A security incident resulting in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data. Under the GDPR the controller must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must also inform the affected data subjects when the risk is high.

Data Classification

The process of organizing data into categories based on its sensitivity, value and criticality. Enables organizations to apply security controls and access restrictions proportionate to the risk associated with each data type.

Data Controller

The natural or legal person that determines the purposes and means of personal data processing. Bears primary responsibility for GDPR compliance and must ensure processors act only on documented instructions.

Data Governance

An organizational framework defining the policies, processes, standards and responsibilities for ensuring data quality, integrity, security and appropriate use. Provides the structure for managing data as a strategic organizational asset.

Data Lifecycle

The stages through which information passes from collection to deletion, including storage, use, sharing and archiving. Appropriate security and privacy measures must be applied at each phase of the lifecycle.

Data Mapping

The process of identifying and documenting all personal data flows within an organization. Specifies what data is collected, how it is processed, where it is stored, with whom it is shared and how long it is retained.

Data Minimization

A GDPR principle establishing that only personal data that is adequate, relevant and limited to what is necessary for declared purposes should be collected. Prevents excessive or unjustified collection of personal information.

Data Processing Agreement (DPA)

A mandatory contract under the GDPR between a data controller and a data processor. Establishes the subject matter, duration, nature and purpose of processing, the type of data involved and the respective obligations of each party.

Data Protection Authority (DPA)

An independent public body established by each EU member state to supervise GDPR application. Has powers to investigate complaints, conduct audits, issue warnings and impose administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Data Protection Officer (DPO)

A professional designated by the controller or processor to oversee GDPR compliance and advise on data protection obligations. Acts as the point of contact with supervisory authorities and must report directly to the highest management level.

Data Retention

The period during which personal data is kept in an organization’s systems in accordance with applicable legal obligations or declared purposes. After expiry, data must be securely deleted or anonymized in a verifiable manner.

Data Subject Rights

The set of rights granted by the GDPR to individuals regarding their personal data. Includes the right of access, rectification, erasure, data portability, restriction of processing, objection and rights related to automated decision-making.

Disaster Recovery Plan (DRP)

A documented set of policies, tools and procedures for recovering critical IT infrastructure following a serious disruption. Defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to minimize operational impact.

DORA (Digital Operational Resilience Act)

A European regulation establishing digital operational resilience requirements for financial entities. Mandates ICT risk management, resilience testing, incident management and oversight of critical third-party ICT service providers.

DSPM (Data Security Posture Management)

An approach and toolset providing continuous visibility into where sensitive data resides and how it is protected. Enables risk management related to data across cloud and on-premise environments from a single unified platform.

Due Diligence

A thorough investigation conducted by an organization regarding a third party before establishing a contractual relationship. Evaluates legal, financial, operational and compliance risks of the vendor or partner systematically.

E

Encryption

The process of transforming readable data into an encoded format decipherable only by authorized parties holding the corresponding key. Safeguards the confidentiality of information both in transit and at rest.

Endpoint Security

The protection of end-user devices connected to a network, such as computers, smartphones and servers. Implemented through antivirus, EDR solutions, patch management and security policies to prevent threats at the network edge.

ENS (National Security Framework – Spain)

A Spanish regulatory framework establishing security principles and requirements for Public Administrations and their suppliers. Protects electronic information and public services through mandatory baseline controls and certification.

F

Firewall

A network security system, either hardware or software, that monitors and controls network traffic according to predefined security rules. Establishes a controlled barrier between trusted internal networks and untrusted external networks.

G

Gap Analysis

A systematic comparison of an organization’s current state against the requirements of a target standard or regulation. Identifies gaps that must be addressed to achieve compliance or certification, forming the basis of the remediation roadmap.

GDPR (General Data Protection Regulation)

EU Regulation 2016/679 establishing the legal framework for protecting the personal data of natural persons in the EU (residence, not citizenship, is the criterion). Applies to any organization that offers goods or services to, or monitors the behaviour of, people in the EU regardless of where the organization is located, with fines up to €20 million or 4% of global annual turnover, whichever is higher.

H

Hardening

The process of strengthening IT system security by reducing its attack surface. Includes eliminating unnecessary services, applying secure configurations, disabling default credentials and limiting potential entry points for attackers.

HIPAA

A US federal law establishing national standards to protect patients’ sensitive health information (PHI). Regulates how healthcare providers, insurers and their business associates handle, store and transmit protected health data.

I

IAM (Identity and Access Management)

A framework of policies and technologies ensuring the right people have appropriate access to technology resources. Manages the full lifecycle of digital identities and their permissions, enforcing least-privilege access principles.

Incident Management

A structured process for identifying, analyzing, containing, eradicating and recovering from security incidents. Minimizes impact and prevents recurrence through documented response procedures and systematic lessons learned.

Incident Register

A document or system recording all security incidents that have occurred, including description, date, impact, actions taken and lessons learned. Essential for continuous improvement, regulatory compliance and trend analysis.

Information Security

The practice of protecting information from unauthorized access, use, disclosure, disruption, modification or destruction. Encompasses technical, organizational and physical measures to safeguard data assets throughout their lifecycle.

Integrity

A core information security principle ensuring that data is accurate, complete and has not been modified in an unauthorized manner. Maintaining trustworthiness of information during storage, processing and transmission is fundamental to secure systems.

Intellectual Property (IP)

Legal rights protecting creations of the human mind, including inventions, literary and artistic works, designs, symbols and names used in commerce. Encompasses patents, trademarks, copyright and industrial design rights.

ISMS (Information Security Management System)

A documented framework of policies, processes, procedures and controls that an organization implements to systematically manage information security risks. Certification against ISO 27001 provides internationally recognized third-party assurance.

ISO 27001

The international standard specifying requirements for establishing, implementing, maintaining and continually improving an ISMS. The world’s most recognized information security certification, demonstrating systematic risk management to customers and partners.

ISO 27701

An extension of ISO 27001 and 27002 for privacy information management. Establishes requirements for implementing a Privacy Information Management System (PIMS) aligned with the GDPR and other privacy regulations.

ISO 42001

The first international management standard specifically for artificial intelligence systems. Establishes requirements for an AI Management System addressing governance, ethics, transparency, risk management and responsible AI practices.

ISO 9001

The international standard specifying requirements for a quality management system. Helps organizations demonstrate their ability to consistently provide products and services that meet customer and applicable regulatory requirements.

L

Lawful Basis for Processing

One of the six legal grounds in Article 6 of the GDPR that must apply before personal data may be processed: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, or legitimate interests. The controller must identify and document the basis before processing begins and state it in its privacy information.

Legitimate Interests

A lawful basis for data processing applicable when the controller pursues a legitimate purpose not overridden by the data subject’s rights. Requires conducting and documenting a prior balancing test to demonstrate proportionality.

M

Malware

A generic term for any malicious software designed to infiltrate, damage or gain unauthorized access to IT systems. Includes viruses, trojans, ransomware, spyware and other harmful code, typically delivered via phishing or exploitation.

MFA (Multi-Factor Authentication)

A security mechanism requiring users to provide two or more verification factors from different categories to access a protected resource: something they know (password), something they have (token or authenticator device) and something they are (biometric). Two factors of the same category, such as a password plus a security question, do not constitute MFA.
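The "something they have" factor is most often a time-based one-time password (TOTP, RFC 6238) generated by an authenticator the user possesses. The block below is an added example, not code from the original page: it implements HOTP/TOTP from the standard library, verifies a submitted code in constant time within a small clock-skew window, and returns the matched counter so the caller can refuse replays. The secret is the published RFC 4226/6238 test vector key; real deployments provision a random per-user secret out of band.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# The RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); used only so the
# expected codes are known. Real deployments generate a random secret per user.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1,
                last_accepted_counter: int = -1) -> Optional[int]:
    """Return the counter whose code matched, or None.

    window: how many steps of clock skew to tolerate on either side.
    last_accepted_counter: highest counter already used by this user; any code
    at or below it is rejected so that a captured code cannot be replayed.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_accepted_counter:
            continue
        expected = hotp(key, candidate, digits)
        # Constant-time comparison: a byte-wise early exit would leak digits.
        if hmac.compare_digest(expected, submitted):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    print("verified at counter:", verify_totp(RFC_TEST_SECRET, code, now))
```

The server must persist the returned counter per user and pass it back as `last_accepted_counter` on the next attempt; without that, the same code is valid for the whole window and can be replayed. TOTP also does not resist real-time phishing, where the attacker relays the code immediately; origin-bound authenticators (FIDO2/WebAuthn) close that gap.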

N

Network Segmentation

The division of a computer network into smaller, isolated segments to limit the spread of attacks and reduce the attack surface. Improves control of traffic between security zones and contains the blast radius of any breach.

NIS2 (Network and Information Security Directive 2)

A European directive that strengthens cybersecurity requirements for "essential" and "important" entities across a wider range of sectors than the original NIS Directive. It introduces stricter obligations on risk management, supply chain security and incident notification (including an early warning within 24 hours of becoming aware of a significant incident) and makes management bodies accountable for compliance.

NIST Cybersecurity Framework

A framework developed by the US National Institute of Standards and Technology for managing cybersecurity risk. Version 2.0 (2024) organizes activities across six core functions: Govern, Identify, Protect, Detect, Respond and Recover; earlier versions had the last five only.

Non-repudiation

A security property ensuring that the sender of a message or author of an action cannot later deny having sent or performed it. Provides verifiable evidence of authorship and integrity through digital signatures and audit logs.

P

Patch Management

The process of identifying, acquiring, testing and applying software and firmware updates to correct known security vulnerabilities. Reduces the risk of exploitation by attackers targeting unpatched systems in production environments.

Penetration Testing (Pentesting)

A method of security assessment that simulates real attacks against an IT system or application to identify exploitable vulnerabilities. Enables organizations to discover and remediate weaknesses before malicious actors can leverage them.

Personal Data

Any information relating to an identified or identifiable natural person (the data subject). Includes names, identification numbers, location data, online identifiers and factors specific to physical, genetic, mental or economic identity.

Phishing

A social engineering technique in which attackers deceive victims into revealing confidential information or performing an action such as opening a malicious attachment or approving a login. Impersonates trusted entities through fraudulent emails, messages or websites and is consistently among the most common initial access vectors reported in breach studies.

PIMS (Privacy Information Management System)

A management system implementing the requirements of ISO 27701 to demonstrate structured, documented and auditable management of privacy risks. Complements an existing ISMS based on ISO 27001 with specific privacy controls.

Privacy by Default

A GDPR requirement stipulating that products and services must default to the most privacy-protective settings available. Users should not need to take action to achieve minimum data protection; restrictive defaults must be the baseline.

Privacy by Design

A GDPR principle requiring privacy to be embedded into the design of systems, products and services from the earliest stages. Privacy must be an inherent feature of the architecture, not an afterthought bolted on post-development.

Privacy Impact Assessment (PIA / DPIA)

A structured process for assessing privacy risks arising from a new processing activity or system before deployment. Identifies measures to mitigate risks and is mandatory under the GDPR when processing is likely to result in high risk.

Privacy Policy

A legal document informing users how an organization collects, uses, stores, shares and protects their personal data. Must describe data subject rights and how to exercise them; mandatory and publicly available under GDPR transparency requirements.

Privacy Risk

The likelihood that a data processing activity will cause harm to data subjects, such as discrimination, identity theft or financial loss. Must be assessed and mitigated with proportionate technical and organizational measures.

Processor

A natural or legal person that processes personal data on behalf of the data controller, acting under the controller’s documented instructions. Bound by a mandatory Data Processing Agreement and liable for its own compliance failures.

Proportionality

A legal principle requiring that measures adopted are adequate, necessary and balanced in relation to the legitimate aims pursued. Prevents excessive use of personal data or application of disproportionate security controls.

Pseudonymization

A technique replacing directly identifying information with a pseudonym or code so that data can no longer be attributed to a data subject without the use of additional information (such as a key or lookup table). That additional information must be kept separately and protected by technical and organizational measures. Pseudonymized data remains personal data under the GDPR; it is not anonymized.
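The practical difference between the Anonymization and Pseudonymization entries above shows up in how a pseudonym is computed. This is an added example, not code from the original page: it contrasts an unkeyed hash of an e-mail address (which a dictionary of plausible addresses re-identifies immediately) with a keyed HMAC whose key lives in a separate vault component, and shows a per-purpose label that keeps two datasets from being linked through the same pseudonym. The addresses, key and `PseudonymVault` class are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed sample identifiers; not real people.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def normalize(identifier: str) -> str:
    # Case and whitespace differences must not yield different pseudonyms.
    return identifier.strip().lower()


def unkeyed_pseudonym(identifier: str) -> str:
    # The anti-pattern: a plain hash of a low-entropy identifier. Anyone can
    # hash a list of candidate addresses and compare.
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes, purpose: str = "analytics") -> str:
    # HMAC with a secret key: without the key the mapping cannot be recomputed.
    # The purpose label makes the same person's pseudonym differ between datasets,
    # so records cannot be joined across purposes by pseudonym alone.
    msg = purpose.encode() + b"\x00" + normalize(identifier).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    # Re-identification by enumeration: recompute fn over guesses and compare.
    for c in candidates:
        if hmac.compare_digest(fn(c), target):
            return c
    return None


class PseudonymVault:
    """Holds the 'additional information': the key and the reverse mapping.

    Deployed as a separate component with its own access control so that a
    copy of the pseudonymized dataset alone does not allow re-identification.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def pseudonymize(self, identifier: str, purpose: str = "analytics") -> str:
        p = keyed_pseudonym(identifier, self.key, purpose)
        self._reverse[p] = normalize(identifier)
        return p

    def reidentify(self, pseudonym: str) -> Optional[str]:
        # Only code with access to the vault can go back to the person.
        return self._reverse.get(pseudonym)


if __name__ == "__main__":
    vault = PseudonymVault()
    p = vault.pseudonymize("Alice@Example.com")
    print("pseudonym:", p[:16] + "...")
    print("unkeyed hash re-identified as:",
          dictionary_attack(unkeyed_pseudonym("alice@example.com"), SAMPLE_EMAILS, unkeyed_pseudonym))
    print("keyed pseudonym re-identified as:",
          dictionary_attack(p, SAMPLE_EMAILS, unkeyed_pseudonym))
```

Destroying the vault does not by itself turn the dataset into anonymous data: if the remaining attributes (postcode, birth date, rare combinations) still single out individuals, the data is still personal data and the GDPR still applies.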

Purpose Limitation

A GDPR principle establishing that personal data must be collected for specified, explicit and legitimate purposes. Further processing incompatible with those purposes requires a new lawful basis or the data subject’s consent.

R

Ransomware

A type of malware that encrypts the victim’s files or locks system access, demanding a ransom payment for restoration. One of the most prevalent and costly cybersecurity threats globally, often delivered via phishing or unpatched vulnerabilities.

Record of Processing Activities (RoPA)

A mandatory document for most controllers and processors under the GDPR describing all personal data processing activities. Must include purposes, data categories, recipients, retention periods and security measures for each processing activity.

Regulatory Framework

The comprehensive set of laws, regulations, directives, standards and guidelines establishing requirements organizations must comply with in a specific domain. Correct interpretation and implementation is key to avoiding sanctions.

Residual Risk

The level of risk remaining after security controls and mitigation measures have been applied. The organization must decide to accept, transfer (e.g. through insurance) or further reduce residual risk through additional controls.

Resilience Testing

A structured evaluation of an organization’s ability to withstand and recover from disruptions. Includes penetration tests, red team exercises, business continuity simulations and technical stress tests; mandated by frameworks such as DORA.

Risk Assessment

A systematic process of identifying, analyzing and evaluating risks that may affect an organization’s information assets. Prerequisite for selecting and implementing appropriate security controls proportionate to the identified risk level.

Risk Management

A continuous and iterative process of identifying, evaluating, treating, monitoring and communicating risks that may affect organizational objectives. Aims to reduce risks to an acceptable level through proportionate and cost-effective controls.

Risk Treatment

The process of selecting and implementing measures to modify identified risks. Options include risk avoidance, risk reduction (applying controls), risk sharing (insurance or outsourcing) or risk acceptance with documented rationale.

S

Secure Development Lifecycle (SDLC)

A software development process that integrates security activities at every stage from requirements through deployment. Reduces the number and severity of vulnerabilities in the final product by addressing security systematically throughout development.

Security Awareness Training

A continuous educational program directed at employees to ensure they understand security threats and their individual responsibilities in protecting information. Reduces the risk of incidents involving human error or manipulation, which breach studies consistently report as a factor in a large share of breaches.

Security by Default

A design principle stating that products must be configured with the highest possible security levels from installation. Users should not need to perform additional configuration to achieve basic protection against foreseeable threats.

Security Controls

Technical, operational or management safeguards implemented to reduce information security risks to an acceptable level. Protect the confidentiality, integrity and availability of organizational information assets across all environments.

Security Incident

An event or series of events that compromises the confidentiality, integrity or availability of information, or infringes security policies. Requires immediate detection, containment, response and recovery actions following documented procedures.

Security Policy

A high-level document establishing an organization’s guidelines, objectives and rules on information security. Serves as the foundation for developing specific procedures, standards and controls throughout the ISMS.

Shared Responsibility Model

A framework defining the division of security responsibilities between a cloud service provider and the customer. The split varies by service model (IaaS, PaaS or SaaS): the provider secures the underlying infrastructure, while the customer always remains responsible for its own data, identities, access policies and the configuration of the services it uses. Misunderstanding the boundary leaves dangerous security gaps.

SOC 2

An auditing framework developed by the AICPA to evaluate security controls of technology service providers. Assesses five trust service categories: security, availability, processing integrity, confidentiality and privacy.

Special Categories of Data

Personal data warranting heightened protection under Article 9 of the GDPR due to its particularly sensitive nature. Includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership, plus genetic data, biometric data processed to uniquely identify a person, health data and data concerning sex life or sexual orientation. Processing is prohibited unless a specific exception applies.

Statement of Applicability (SoA)

A mandatory document required by ISO 27001 listing the controls the organization has determined to be necessary, whether each is implemented, and the justification for including it and for excluding any Annex A control. Forms the central evidence document of the ISMS and the primary reference for external auditors.

Supply Chain Security

The set of processes, controls and contractual measures implemented to manage cybersecurity and compliance risks from third-party vendors and partners. Critical given that supply chain attacks have become one of the most common attack vectors.

T

Technical and Organizational Measures (TOMs)

Safeguards implemented by controllers and processors to ensure security appropriate to the risk of personal data processing. Encompasses technological controls such as encryption and management measures such as training, policies and access reviews.

Threat Intelligence

Contextualized information about current and emerging cyber threats, including threat actors’ tactics, techniques and procedures (TTPs). Enables organizations to make proactive security decisions and prioritize defensive investments effectively.

Trademark

A distinctive sign such as a name, logo, slogan or symbol that identifies the products or services of a business and differentiates them from competitors. Protected through registration with the relevant authority, granting exclusive territorial rights.

Transfer Impact Assessment (TIA)

An evaluation carried out before transferring personal data to a third country to assess whether destination-country law provides essentially equivalent protection to EU/EEA standards. Mandatory when relying on Standard Contractual Clauses post-Schrems II.

Transparency

A fundamental GDPR principle requiring data controllers to inform data subjects concisely, intelligibly and in an easily accessible way about personal data processing. Information must be provided proactively before or at the time of data collection.

V

VPN (Virtual Private Network)

A technology creating an encrypted and secure connection over an untrusted network such as the internet. Enables users to access network resources privately and protects data transmission from interception or eavesdropping.

Vulnerability

A weakness or flaw in an IT system, its security safeguards or its procedures that could be exploited by a threat actor. Proactive identification and management through vulnerability scanning and penetration testing is essential to reducing cyber risk.

Vulnerability Management

A continuous process of identifying, classifying, prioritizing, remediating and mitigating vulnerabilities in IT systems. Combines automated scanning tools with manual testing and risk-based prioritization to maintain a strong security posture.

Z

Zero Trust

A security model based on the principle of ‘never trust, always verify’. Eliminates implicit trust within the corporate network and requires continuous verification of identity and authorization for any resource access, regardless of user location.

Zero-Day Vulnerability

A previously unknown software security flaw that has not yet been patched by the vendor. Can be exploited by attackers before a fix is available, representing one of the most dangerous and valuable categories of cybersecurity threat.