Study Guide: Certified Information Privacy Professional (CIPP): Common - Key Privacy Terms, PII, Sensitive Data, Controller, Processor, Data Subject
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-common-key-privacy-terms-pii-sensitive-data-controller-processor-data-subject

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

What This Is

The core concepts of personally identifiable information (PII), sensitive data, controller, processor, and data subject form the backbone of every privacy law—from the GDPR in the EU to the CCPA/CPRA in the U.S. They determine who can collect data, how it must be handled, and what rights individuals have. Example: A multinational retailer moves employee records from its German office to its U.S. headquarters. Whether the U.S. entity is a controller or a processor, and whether the employee data counts as PII or sensitive data, drives the legal steps the company must take (DPIA, SCCs, etc.).


Key Terms & Provisions

  • Personally Identifiable Information (PII): Any information that can directly or indirectly identify an individual (e.g., name, email, IP address). In the U.S., the definition varies by statute (CCPA, HIPAA); under GDPR it is called “personal data.”
  • Sensitive Data / Special Category Data: Data revealing racial or ethnic origin, political opinions, health, biometric data, or sexual orientation (GDPR Art. 9; HIPAA PHI). Requires higher protection and often explicit consent.
  • Data Controller: The entity that determines the why and how of processing personal data. Obligated to ensure compliance (GDPR Art. 4(7); CCPA “business”).
  • Data Processor: A party that processes data on behalf of the controller, following the controller’s instructions (GDPR Art. 4(8)). Must have a written contract with the controller (Article 28).
  • Data Subject: The natural person whose data is being processed. Holds rights such as access, rectification, erasure, and portability (GDPR Art. 12–23; CCPA § 1798.100–§ 1798.115).
  • Legitimate Interest (GDPR): A lawful basis allowing processing when the controller’s legitimate interest is not overridden by the data subject’s rights. Requires a balancing test and a transparency notice.
  • Opt-in Consent (EU): Freely given, specific, informed, and unambiguous indication of agreement (GDPR Art. 7). Required for most special-category data.
  • Opt-out/Right to Opt-out (CCPA/CPRA): Consumers may direct a business not to sell their personal information (CCPA § 1798.120). “Do Not Sell” signals must be clearly posted.
  • Business Associate (HIPAA): A person or entity that performs functions on behalf of a HIPAA-covered entity that involve the use or disclosure of PHI. Must sign a Business Associate Agreement (BAA).
  • Data Protection Impact Assessment (DPIA): A systematic risk assessment required under GDPR Art. 35 when processing is likely to result in high risk (e.g., large-scale profiling).

Step-by-Step / Process Flow

  1. Identify the role – Determine whether your organization is a controller or processor (or both) for the data set in question.
  2. Classify the data – Tag each data element as PII, sensitive data, or non-personal; note any health-related data that may trigger HIPAA.
  3. Map the flow – Document where the data originates, where it is stored, and any cross-border transfers (e.g., EU to U.S.).
  4. Assess legal basis – Choose a GDPR lawful basis (e.g., legitimate interest, consent) or a CCPA/CPRA justification (e.g., service provision, contractual necessity).
  5. Execute required safeguards – Conduct a DPIA if needed, implement SCCs or BCRs for transfers, and secure a BAA for any HIPAA-related processing.
  6. Maintain records & respond to rights – Keep a processing register and set up a data-subject-request workflow (verify identity → locate data → respond within the statutory deadline → log the action).

Common Mistakes

  • Mistake: Assuming “any data that can be linked to an individual is sensitive.”
    Correction: Only data that falls under GDPR Art. 9 or HIPAA PHI is special-category; ordinary PII (e.g., name, email) is not automatically sensitive.

  • Mistake: Treating a processor as a controller because it stores data.
    Correction: A processor only follows the controller’s instructions; the controller retains ultimate responsibility for compliance.

  • Mistake: Believing that “opt-out” under CCPA eliminates all obligations.
    Correction: Even when a consumer opts out of sale, the business must still protect the data, honor access requests, and comply with security requirements.

  • Mistake: Ignoring the balancing test for legitimate interest and simply checking a box.
    Correction: Conduct a documented assessment that weighs the controller’s interest against the data subject’s rights and expectations.

  • Mistake: Forgetting to update a BAA when a new HIPAA-covered entity is added.
    Correction: Every new partnership that handles PHI must be covered by a current BAA; failure can trigger HIPAA penalties.


CIPP Exam Insights

  1. Controller vs. Processor duties – Exams love to ask which party must sign a contract (processor) and who bears the ultimate liability for a breach (controller).
  2. Consent nuances – Remember that GDPR requires opt-in for most processing, while CCPA/CPRA uses opt-out for “sale” and opt-in for “selling” minors’ data.
  3. Territorial scope traps – GDPR Art. 3 applies to any organization that offers goods/services to EU residents or monitors their behavior, even without a physical EU presence.
  4. HIPAA vs. GDPR overlap – A question may present a U.S. hospital that also processes EU patient data; you must apply both HIPAA (PHI protection) and GDPR (controller obligations).

Quick Check Questions

  1. Scenario: An EU citizen emails a U.S. SaaS provider asking for all data the company holds about them.
    Answer: The provider must comply with the right of access under GDPR Art. 15 (within one month) because the provider is a controller targeting EU data subjects.

  2. Scenario: A California resident opts out of the sale of their personal information, but the company still uses the data for internal analytics.
    Answer: The company may continue using the data for non-sale purposes (e.g., internal analytics) as long as it does not “sell” the data; the opt-out only blocks sale, not all processing.

  3. Scenario: A health-tech startup processes biometric data of EU employees for a wellness program.
    Answer: Because biometric data is special-category under GDPR Art. 9, the startup needs explicit consent (or another valid basis) and must conduct a DPIA.


Last-Minute Cram Sheet (10 One-Liners)

  1. GDPR Art. 3 – Applies to any entity targeting EU data subjects, not just those with an EU office.
  2. CCPA/CPRA § 1798.100 – Grants consumers the right to know what personal information is collected, sold, or disclosed.
  3. HIPAA 45 CFR 164.502 – Defines PHI as individually identifiable health information held by a covered entity or business associate.
  4. GDPR Art. 35 – DPIA required when processing is “likely to result in a high risk to the rights and freedoms of natural persons.”
  5. Fine ceiling: GDPR up to €20 million or 4% of global annual turnover, whichever is higher.
  6. Breach notification: GDPR – 72 hours after awareness; CCPA – within 60 days of discovery.
  7. Legitimate interest – Must be documented with a balancing test and disclosed in a privacy notice.
  8. Opt-in consent – Must be freely given, specific, informed, and unambiguous (GDPR Art. 7).
  9. CCPA “Do Not Sell” – Must be a clear, conspicuous link on the homepage; failure can lead to $2,500 per violation (up to $7,500 for intentional).
  10. Landmark case: Google Spain SL v. AEPD (C-131/12) – Established the right to be forgotten under GDPR Art. 17.