Data protection concepts
Data protection sits at the intersection of two fields of knowledge: privacy and cybersecurity. Accordingly, it uses concepts that tend to originate from one of these domains.
Data protection concepts can be grouped into three broad categories:
- The risks that data protection aims to address. Concepts in this group answer the question, “What can go wrong if data is not adequately protected?” Examples include “data exposure”, “data breach”, and “data leak”.
- Subject of protection. This category addresses the question, “What exactly needs to be protected, and why?” Concepts here include “personal data”, “personal information”, and “personally identifiable information (PII)”.
- Methods of data protection. Once we understand what needs to be protected, the next question is, “How do we protect it, and what are our options?” Concepts in this group include “pseudonymization”, “deidentification”, and “anonymization”.
Not all concepts are equal in terms of formality. Some are informal terms originating from the cybersecurity industry, while others are well-defined in standards and legislation. In some cases, related concepts have little to no meaningful difference and can be used interchangeably. In others, the differences are significant and impactful.
Another factor to consider is that data protection is an evolving field. Its concepts are not necessarily fixed and continue to adapt over time.
This section collects various concepts commonly used in the field of data protection to help you navigate this non-trivial landscape more effectively.