The ABCs of GDPR Acronyms

For the professionals involved in GDPR application and compliance, there are no hidden obstacles in reading  GDPR articles. However, for the average person required to comply with the GDPR outside of the legal field some of the acronyms could be confusing and thus could use a breakdown for easier understanding.

Here are the basic acronyms of the GDPR:


1. GDPR – General Data Protection Regulation

Starting off with an easy one here, but you’d be surprised how many people are unaware of its existence.

2. DPO – Data Protection Officer

While the term was not introduced by the GDPR itself, it did become wide-used after the GDPR effective date. The DPO is the professional designated to ensure, in an independent manner, that an organization applies the laws protecting individuals’ personal data. The designation, position and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the EU GDPR. 

3. ISA – Independent Supervisory Authority

This acronym represents the independent public authorities that supervise, investigate and impose fines. Under the Data Protection Directive, this authority was called Data Protection Authority (DPA), and this term stuck and is still widely used. However, the new correct technical term is ISA.

4. CMP – Consent Management Provider

This is a new technical term with which many of you may not be familiar. A Consent Management Provider refers to a type of ad tech platform that provides the technical infrastructure a business uses to collect and store information on the personal data customers have consented to be used, and the purpose for its use. They are typically built on top of the IAB’s GDPR Transparency & Consent Framework, but for those without the time or resources to create an in-house platform, the IAB recognises close to 100 different CMPs that are available for publishers to use.

5. DPIA – Data Protection Impact Assessment 

Data Protection Impact Assessments help organisations identify, assess and mitigate or minimise privacy risks within their data processing activities. Organisations are required to conduct a DPIA for any major project which requires the processing of personal data and is likely to result in a high risk to individuals.

6. ICO – Information Commissioner’s Office 

The UK’s independent authority for data protection. Their role is to uphold information rights in the public interest. A list of all national data protection authorities can be found HERE.

7. SCC – Standard Contractual Clause 

SCCs also known as “model clauses,” are a standardised contract language (approved by the European Commission) that provides one method of permission for controllers/processors to send personal data to non-EU countries.

Hope this clears up some of the confusion surrounding GDPR for some of you. Have more questions about these or other acronyms not mentioned, ask us in the comment section!

Leave a Reply

Your email address will not be published.