Glossary

This Glossary serves as a quick‑reference resource for key terms used in data privacy, artificial intelligence, and responsible technology, and is maintained as a living document with regular updates and links for further research.

Legal Disclaimer: This glossary includes definitions drawn from a range of sources and legal frameworks; however, additional laws and requirements may apply depending on your region and industry. All terms, definitions, and referenced sources are provided for general informational purposes only and do not constitute legal advice.

Term
Meaning
Sources
Accountability

The expectation that an organization can explain and justify how it collects, uses, shares and protects personal data, and can demonstrate compliance with relevant laws and internal policies.

AI

Artificial Intelligence. A machine-based system that can, based on a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments.

AI Model

A machine-based system, with varying levels of autonomy that may exhibit adaptiveness, which is trained on input data it receives to identify patterns, make predictions, make inferences or generate outputs such as text, images, content, decisions or recommendations.

AI Model Producers

Organizations that are developing their own generative AI and dual-use foundation models.

AI System

Any data system, software, hardware, application, tool, or utility that operates in whole or in part using AI.

AI System Acquirers

Organizations that are acquiring a product or service that utilizes one or more AI systems.

AI System Producers

Organizations that are developing software that leverages a generative AI or dual-use foundation model.

Algorithmic Discrimination

Any condition in which the use of an artificial intelligence system results in an unlawful impact that disfavors an individual or group on the basis of any classification protected under state or federal law. See CO SB24-205 for definition and caveats. See also "Bias in AI".

Anonymization / De-Identification

A process that removes or alters personal data so that an individual cannot be identified and is generally irreversible. The GDPR refers to this as "pseudonymisation".

Application Programming Interface, API

A software contract, or intermediary interface, between the application and client, expressed as a collection of methods or functions, which defines the available functions you can execute.

Automated Decision Making or ADM

Decisions made by technology without human involvement, often using algorithms or AI models. This may include "profiling", which the GDPR defines as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements". Per Article 22 of the GDPR, the "data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her".

Bias in AI

A systematic error in the context of fairness that places privileged groups at systematic advantage and unprivileged groups at systematic disadvantage. See also "Algorithmic Discrimination".

Biometric Data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

CA SB 53

California Senate Bill 53 Transparency in Frontier Artificial Intelligence Act.

CCPA

The California Consumer Privacy Act of 2018 gives consumers certain rights over the personal information businesses collect about them and requires businesses to inform consumers about how they collect, use, and retain their personal information. This landmark legislation was the first comprehensive consumer privacy law passed in the United States.

CO SB24-205

Colorado Senate Bill 24-205 Consumer Protections for Artificial Intelligence.

COPPA

The Children's Online Privacy Protection Act is a U.S. federal law that sets rules for how websites and online service providers collect, use and share personal information from children.

CPRA

The California Privacy Rights Act of 2020 amended the CCPA by adding additional consumer privacy rights and obligations for businesses, effective January 1, 2023. The CPRA also established the California Privacy Protection Agency.

Catastrophic Risk

Per CA SB 53, a foreseeable risk that a frontier model could materially contribute to mass casualties or billions in property damage by enabling CBRN weapon creation, serious crimes or cyberattacks without meaningful human oversight, or evading developer control. Excludes risks from publicly available information, lawful federal activity, or harms not materially caused by the model.

Consent

A person’s clear and informed agreement to the collection or use of their data.

Controller

An organization or individual that decides why and how personal data is processed.

Cross-Border Data Transfer

The movement of personal data from one country to another (or to an international organization like the UN or WHO) subject to regional rules.

Cybersecurity

Protection of an IT-system from attacks or damage to its hardware, software or information, as well as from disruption or misdirection of the services.

Cybersecurity Risk

An effect of uncertainty on or within information and technology. Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other organizations, and countries.

DDQ

A due diligence questionnaire is a vendor‑assessment tool used by legal, compliance, or procurement teams to evaluate a company’s risk profile, typically covering financials, governance, legal obligations, and data protection to confirm alignment with internal and regulatory requirements.

Data Action

A system/product/service data life cycle operation, including, but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal.

Data Inventory and Mapping

A record of the systems, tools and processes where personal data is collected, stored or shared.

Data Minimization

Collecting and using only the data that is necessary for a specific purpose.

Data Processing

Any action performed on personal data throughout the complete data life cycle (including, but not limited to, collecting, storing, retaining, analyzing, logging, generating, transforming, using, disclosing, sharing, transmitting, disposing of or deleting it).

Data Protection Impact Assessment

See "Privacy Impact Assessment".

Data Retention

The length of time an organization keeps personal data before deleting or anonymizing it.

Data Subject

A person whose personal data is being collected or processed.

Decryption

The process of changing ciphertext into plaintext using a cryptographic algorithm and key.

Deep Learning

Techniques for machine learning in which hypotheses are multi-layered, complex algebraic circuits with adjustable connection strengths, creating paths from inputs to outputs with many steps. These techniques underpin many applications for visual recognition, speech translation, image generation, etc.

Deletion Request

A request from an individual asking an organization to delete their personal data. See "Right to Erasure" in Article 17 of the GDPR.

Dual-Use AI Model

A Dual‑Use Foundation Model is a broadly trained, self‑supervised AI system with tens of billions of parameters that can operate across many contexts and exhibits, or can be modified to exhibit, capabilities that pose serious risks to national security, economic security, or public health and safety. These models qualify as dual‑use even when distributed with technical safeguards that attempt to prevent users from taking advantage of their unsafe capabilities.

Encryption

A security method that protects data by converting it into unreadable code unless a person has the correct key.

FLOPs

Floating-Point Operations Per Second is a measure of a computer’s performance based on how many arithmetic calculations on decimal numbers it can perform each second.

Foundation Model

An artificial intelligence model that is all of the following: (1) trained on a broad data set; (2) designed for generality of output; and (3) adaptable to a wide range of distinctive tasks.

Frontier Model

A foundation model trained using more than 10^26 individual calculations called floating-point operations (FLOPs), indicating an extremely large amount of computing power and complexity.

Generative AI

The class of AI models that emulate the structure and characteristics of input data in order to generate derived synthetic content. This can include images, videos, audio, text, and other digital content.

Gramm-Leach Bliley Act

The Gramm‑Leach‑Bliley Act is a U.S. federal law that requires financial institutions to explain how they share and protect consumers’ personal information and to safeguard that data.

HIPAA

The Health Insurance Portability and Accountability Act is a U.S. law that sets national rules for protecting the privacy and security of individuals’ health information and limits how that information can be used or shared.

IEC

International Electrotechnical Commission. An organization that prepares and publishes International Standards for all electrical, electronic and related technologies – collectively known as “electrotechnology”.

ISO

International Organization for Standardization is a non-governmental, international organization that develops and publishes international standards across nearly all areas of technology and manufacturing with members drawn from national standards organizations around the world.

ISO 27000 Series

The ISO 27000 Series is a family of international standards that provides a structured framework and best practices for establishing, operating, and continually improving an information security management system. ISO 27001, initially introduced in October 2005, is designed to certify an organization’s information security policies. ISO 27701, introduced in August 2019, focuses on data privacy.

ISO 31700-1:2023

ISO 31700‑1:2023 sets out high‑level requirements for building privacy by design into consumer goods and services throughout their entire lifecycle. ISO 31700‑1:2023 is Part 1 of a series.

Inference Data

New information generated about a person based on existing data such as predictions or classifications.

LLM

Large language models use deep‑learning algorithms trained on massive text datasets, typically to generate text (generative LLMs that answer questions) or classify it (discriminative LLMs that determine whether AI drafted text), relying on unsupervised or semi‑supervised methods to predict responses to given tasks.

Machine Learning

A method of building AI models that learn patterns from data rather than being explicitly programmed.

Manageability

Providing the capability for granular administration of data, including alteration, deletion, and selective disclosure.

Metadata

Information describing the characteristics of data. This may include, for example, structural metadata describing data structures (i.e., data format, syntax, semantics) and descriptive metadata describing data contents.

Minimization

Ensuring that any personal data is adequate, relevant and limited to what is necessary for the purposes for which it is processed. Since the default approach of data scientists in designing and building AI systems will not necessarily take into account any data minimization constraints, organizations must have in place risk management practices to ensure that data minimization is fully considered from the design phase or, if AI systems are bought or operated by third parties, as part of the procurement process due diligence.

Model Weight

A numerical parameter in a frontier model that is adjusted through training and that helps determine how inputs are transformed into outputs.

NIST

The National Institute of Standards and Technology is a U.S. federal agency that develops standards, measurements and research across science and technology.

NIST CSF 2.0

The NIST CSF (Cybersecurity Framework), introduced in February 2014 and updated to 2.0 in February 2024, is a set of guidelines, best practices, and standards designed to help organizations manage and reduce cybersecurity risks. The NIST Privacy Framework, first introduced in January 2020, is a complementary framework focused on managing privacy risks.

NIST Privacy Framework

The NIST Privacy Framework, introduced in January 2020, is complementary to the CSF framework and is focused on managing privacy risks.

PIMS

Privacy Information Management System is a framework that addresses the protection of privacy as potentially affected by the processing of personally identifiable information.

Personal Data (also called Personal Information and PII - Personally Identifiable Information)

Any information that identifies or can be linked to an individual.

Predictability

Enabling reliable assumptions by individuals, owners, and operators about data and their processing by a system, product, or service.

Privacy Breach

A situation where personal data is processed in violation of one or more relevant privacy safeguarding laws or requirements.

Privacy Impact Assessment, PIA, DPIA, Privacy Risk Assessment

A structured review conducted before launching a new tool, feature, or process to identify and reduce privacy risks by assessing how information is collected, used, stored, shared, and disposed of, ensuring compliance with legal and policy requirements and documenting the analysis and its outcomes.

Privacy by Design

A proactive data privacy framework that embeds privacy considerations into every stage of product, service, and process development; originally developed by Dr. Ann Cavoukian and later adopted by the ISO, GDPR, and other privacy regimes.

Processor

An organization or individual that processes personal data on behalf of a controller.

Provenance

Metadata pertaining to the origination or source of specified data.

Purpose Limitation

Using personal data only for the specific reason it was collected.

Security Questionnaire

A security questionnaire is part of a vendor assessment, but focuses specifically on an organization’s technical and procedural security measures. Usually sent by IT or security departments, these questionnaires dig into topics like encryption protocols, infrastructure security, access controls, and incident response processes.

Sensitive Personal Data / Information

Categories of data that require extra protection, such as health information, biometric data or information about protected characteristics. Sensitive personal information (SPI) can have differing levels of sensitivity protected by law (see Art. 9 of the GDPR).

Supervised Learning

A type of machine learning in which the algorithm compares its outputs with the correct outputs during training. In unsupervised learning, the algorithm merely looks for patterns in a set of data.

Synthetic Media

Synthetic media, also referred to as generative media, is visual, auditory, or multimodal content that has been artificially generated or modified (commonly through artificial intelligence). Such outputs are often highly realistic, would not be identifiable as synthetic to the average person, and may simulate artifacts, persons, or events.

TPM (Third Party Management) or TPRM (Third Party Risk Management)

See "Vendor Assessment".

TRAIGA

Texas H.B. 149 Responsible Artificial Intelligence Governance Act.

Training Data

The data used to teach an AI model how to perform a task.

Transparency

Providing clear, accessible information about how personal data is collected, used, shared and protected.

Vendor

A commercial supplier of software or hardware.

Vendor Assessment

A review of third-party tools or service providers to ensure they meet privacy and security expectations during vendor selection, onboarding, and ongoing monitoring.

Have a suggestion for our Glossary? Email us at info@friartek.com.