GDPR Acronyms Rundown


Tom Wozniak (pictured left) gives the rundown of what GDPR acronyms you need to know. 



FYI – The ABCs of GDPR Acronyms

With the official launch of GDPR on May 25, 2018, the regulation is bringing a host of changes to the digital marketing and ad tech industries. Along with all the impacts on how companies collect, store, and process data, the regulation is also creating a variety of new terms for the industry. Considering how terminology and acronym-heavy the digital ecosystem already is, it’s no small feat to add a number of new terms to the mix. Here are descriptions of just a few of the more common acronyms that you’ve likely seen discussed since GDPR was announced.

GDPR – General Data Protection Regulation – We might as well start at the beginning, with the acronym for the new regulation itself. The acronym has become so ubiquitous that a lot of people probably now recognize GDPR, without actually knowing what it stands for. Much like the CAN-SPAM Act, the new regulation will likely become universally known simply by it’s acronym in the years ahead. Certainly few outside the EU are likely to ever use the regulation’s full name going forward.

DPO – Data Protection Officer – This isn’t technically a new term introduced by GDPR. But, it has certainly grown in prominence over the past year. As a part of GDPR, companies are encouraged to name a DPO (and in some instances, larger companies are required to name one), who has oversight into the way the company collects, stores, processes, and protects data (particularly the personal data of individuals). According to some statistics discussed at this year’s RSA Conference in April, only about 18% of surveyed companies in the UK had named a DPO. It was reported that in the UK alone, there could be as many as 62,000 job openings for this role. So, this is at least one area, where GDPR may actually be creating jobs.

ISA (Independent Supervisory Authority) – These are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. Under previous privacy legislation (like the General Data Protection Directive) each country in the EU currently has its own Data Protection Authority (DPA), charged with enforcing relevant privacy laws. Under GDPR, these organizations are being renamed as Independent Supervisory Authorities. So, the current DPA acronym will likely transition to ISA in the weeks and months ahead. However, don’t be surprised to see DPA used interchangeably since that is the legacy term. A recent survey of country DPAs suggests that many organizations are understaffed and may not be ready to take on full enforcement of GDPR initially.

DPA (again) – Data Processing Addendum – Wait, didn’t we just talk about DPAs? Yes, we did. However, this acronym gets a new definition under GDPR, as it now refers to contract addendums that cover how a data controller’s processing vendors will comply with GDPR. If your company is an ad tech vendor, you’ll likely either be creating these yourself or seeing a lot of them coming from your clients who are data controllers. As mentioned previously, DPA is already a commonly used term, referring to each country’s Data Protection Authority. So, you may expect some confusion about using DPA unless the context is very clear.

CMP – Consent Management Provider – This is a largely new type of ad tech platform that provides the technical infrastructure a business uses to collect and store information on the personal data customers have consented to be used, and for what purposes. Technically, these existed prior to GDPR, but suddenly they have become more prominent and vital to many companies in their efforts to comply with GDPR’s consent requirements. If there’s a not new type of ad tech platform to emerge from GDPR, it might just be the CMP.

DPIA – Data Protection Impact Assessment – DPIAs help organizations identify, assess and mitigate or minimize privacy risks within their data processing activities. They’re particularly relevant when a new data processing process, system or technology is being introduced. But, many companies are undertaking these assessments on their current data practices, in preparation for GDPR.

ICO – Information Commissioner’s Office – This is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Their website also provides a lot of useful information around GDPR.

SCC – Standard Contractual Clause – SCCs, also known as “model clauses,” are standardized contract language (approved by the European Commission) that provide one method of permission for controllers/processors to send personal data to non-EU countries. They are related to Data Processing Agreements and are often a part of those agreements.

This is hardly an exhaustive list of the new acronyms generated by GDPR. But, it’s a good start to getting to know just a few of the latest terms and add them to your marketing and compliance vocabulary.


Note – The author is not a lawyer and no information in this article should be taken as actual legal advice. It is always recommended that companies obtain professional legal guidance on matters pertaining to industry regulation or legislation, like GDPR. 


Please enter your comment!
Please enter your name here