Common Acronyms for Data Protection Officers (DPOs)
I have been working in data protection for just over a year now, it was quite an experience having to quickly find my feet and learn the ropes when I first joined Data Protection People. Adapting to a new role and wrapping my head around the GDPR and the countless acronyms that are used by privacy professionals.
You may feel out of your depth when having conversations and people start dropping in acronyms here, there, and everywhere. The worst thing is, some of the terms used have more than one name, for example, a Data Sharing Agreement (DSA) is sometimes referred to as a Data Protection Agreement (DPA), which funnily enough has the same acronym as a Data Processing Agreement and that is something that is completely different all together…confusing I know.
However, for your benefit, I have taken some time to pull together a list of all the acronyms that I have come across so far during my time at DPP and what they are most commonly referred to, including a short description of what they are…
UK GDPR (United Kingdom General Data Protection Regulations)
The UK GDPR is law currently applicable to us in the UK, it comes to us from the original EU law. It establishes rights, obligations and key principles of personal data processing.
There are instances in which an organisation or individual will have to comply with both the UK and EU GDPR. This is when they operate in both the UK and the EU.
DPA 18 (Data Protection Act 2018)
The DPA 2018 replaced the Data Protection Act 1998 on the 25th of May 2018. It sits alongside and works in tandem with the UK GDPR.
They are based on the EU GDPR however with a slight twist, this allows for them to be more effective within the UK.
Links to both pieces of legislation can be found at the bottom of this article.
CIO (Chief Information Officer)
The CIO is the title of the organisation’s executive responsible for the management, implementation and usability of information and computer technologies.
CISO (Chief Information Security Officer)
The Chief Information Security Officer is the executive responsible for an organisation’s information and data security.
DDQ (Due Diligence Questionnaire)
As with financial due diligence, an organisation appointing another to process data on its behalf should ensure that their data is in safe hands. They should ensure that the processor has appropriate measures in place to protect personal data. A common way of completing this process is via a questionnaire. Upon completion, the supplier should provide any supporting documentation. Once reviewed, the appointing organisation will have a clear view of the risks involved in outsourcing their processing.
DP (Data Protection)
Data Protection is often shortened to the abbreviation DP.
DSA (Data Sharing Agreement) / DPA (Data Processing Agreement).
DSAs and DPAs are very similar. They are both agreements that are put in place to ensure that sharing of personal data is managed correctly. A DPA is an agreement between a controller and a processor, the terms of which are specified under Article 28 of the UK GDPR, all of which must be included for the agreement to be compliant. A DSA is an agreement between two controllers, there are no specified terms, and the Regulation simply requires appropriate measures to be implemented between the parties.
DSARs (Data Subject Access Requests)
Data Subject Access requests, Subjects access requests, information requests, SARs, DSARs, whatever you want to call them, they mean the same thing. By law, every data subject (someone whose data is being processed) has the right to access their data. The process by which someone can do this is through a DSAR, whereby they contact the organisation for their information.
The organisation that is responsible for handling the information, by law has one month to provide a copy of all the data they hold on the person.
There are exemptions through which an organisation can reject or restrict the right to access the data, more information on this can be found in Schedule II of the DPA 18.
DPIA (Data Protection Impact Assessment)
DPIAs are what they say they are. They are a method of reviewing the risks associated with certain data processing activities. It is a legal requirement to carry out a DPIA in certain circumstances, details of which can be found in Article 36 of the UK GDPR.
Undertaking a DPIA requires objectivity, and a detachment from the data processing and often requires a methodical approach to get to the bottom of things both with colleagues and external suppliers/partners.
The person reviewing and approving the DPIA must be impartial with nothing to gain or lose on the outcome. They can have no vested interest; no pre-conceived ideas and they must be able to rise above internal or intra-company politics.
DPO (Data Protection Officer)
A Data Protection Officer or DPO is a person within an organisation who is responsible for monitoring internal compliance.
Not every organisation has to appoint a DPO under the UK GDPR.
Under the UK GDPR, you must appoint a DPO if:
- Your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Public bodies are also required to appoint a DPO.
Organisations can, if they wish, appoint a DPO voluntarily. Appointing a DPO allows for an organisation to have an expert in the field of data protection that will help monitor compliance.
DPOs also act as a point of contact for data subjects and the ICO.
ICO (Information Commissioner Officer)
The information commissioner’s office or the ICO is an independent body set up to uphold information rights. They report to the UK Government but are not affiliated.
The ICO is made up of 500 staff who are headed by the Information Commissioner.
The Commissioner and their team are responsible for enforcing the UK GDPR. They have numerous responsibilities; these include but are not limited to:
- Providing advice to the public about their information rights.
- To promote best practices within organisations when it comes to rights
- To review and provide guidance on the legislation where necessary
- Deal with any complaints received
- Impose sanctions when organisations or individuals do not comply with the law
Note: The UK GDPR sets a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater, for the most serious breaches.
IDTA (International Data Transfer Agreement or Addendum)
The IDTA is the recently approved UK version of standard contractual clauses. It acts as a safeguard mechanism under Article 44 of the UK GDPR for international transfers of personal data.
IDTAs are used when a country is deemed to have inadequate data protection legislation, the agreement is used as an alternative to ensure data is transferred safely
IG (Information Governance)
Information governance, better known in the DP world as IG is the overall strategy for information within an organisation. In a nutshell, it balances the risks that information brings along with the value that it often provides. This will generally extend beyond the remit of just personal data and encompass all information.
ISO (International Organisation Standardisation)
ISO and more specifically in the world of information security ISO 27001 is an international standard, it is a member of the ISO series. Achieving accreditation demonstrates adequate assurance over a company’s information security management system (ISMS). It is not a legal requirement however it is becoming increasingly sought after as many organisations are being highly scrutinised with their security posture.
Accreditation includes a 2-stage audit, including an audit by one of many UKAS (United Kingdom Accreditation Service) approved accrediting bodies. Organisations must uphold the accreditation via annual surveillance audits. Every 3 years you must recertify against the standard.
PCI-DSS (Payment Card Industry – Data Security Standard)
The history of PCI-DSS started in 2004 due to an increase in payment fraud. The credit card industry leaders came together to form a council that constructed and implemented a set of standards, currently we are on version 4. The council consists of American Express, Discover Financial Services, JCB International, Mastercard and Visa.
In layman’s terms, it is a contractual agreement between the bank and the merchant. Although it is not law it is enforced by the council with compliance being detailed within 12 key areas, noncompliance can lead to financial fines. Every merchant is split into 4 categories (see below) based on transaction volume, with larger merchants being considered level 1 and smaller merchants’ level 4. The ‘merchant level’ determines the level of compliance obligations.
The 4 merchant levels:
- Level 1 – 6,000,000 card transactions annually
- Level 2 – 1,000,000 to 6,000,000 card transactions annually
- Level 3 – 20,000 to 1,000,000 card transactions annually
- Level 4 – Fewer than 20,000 card transactions annually
More information on PCI-DSS can be found at the bottom of the article.
PECR (Privacy, Electronic and Communication Regulations 2003)
PECR are a set of regulations that sit alongside the DPA and the UK GDPR. They create obligations in relation to electronic communications, examples of which can be found below:
- Marketing by electronic means
- Communication networks (Calls/ Emails etc.)
- Security of public electronic communications services
PECR applies to organisations that provide public electronic communications networks or services. However, if you are not a network or service provider, it still applies to you if you:
- Market by phone, email, text or fax.
- Compile a telephone directory (or a similar public directory)
- The above was taken from the ICO’s website. A link to the page can be found at the bottom of this article.
RoPA (Record/Register of Processing Activities)
An organisation must have records of processing activities. The responsibility of which sits with the DPO; however, it is good practice for the RoPA to be completed departmentally by data protection champions because it is difficult for a DPO to have a sufficiently granular understanding of what data processing activities occur in various departments of an organisation. They should be updated when any changes of data processing come about, this will be reflected within the RoPA.
Having a RoPA is a legal requirement, and they must contain specific categories of information about an organisation’s processing. These can be found in Article 30 of the UK GDPR. There are also exemptions under paragraph 5 of the same Article.
SCCs (Standard Contractual Clauses)
SCCs are a safeguarding measure under Article 44 of the EU GDPR for transferring personal data internationally, they are used when a country has not been deemed to have an adequate level of data protection legislation. SCCs are an appropriate alternative mechanism to implement between the parties to detail how they will protect the personal data, the rights and freedoms of data subjects.
SIRO (Senior Information Risk Officer)
A SIRO is a professional who has responsibility for implementing and managing information risks within the organisation. The role is mandatory for public sector organisations and organisations that are contracted to deliver services under the NHS standard contract.
If you think I have missed any off drop me a message on LinkedIn or email me [email protected] and I will get them added.