Data protection is full of acronyms – here’s a guide on understanding which ones apply to your organisation.
Data protection is fundamental, but can be complicated. From shortened role titles, such as DPO (data protection officer), to legislation (UK GDPR) and even information governance related activities like C2C (corporate to corporate), the acronyms can be confusing for those starting in data protection or moving into a new role.
Below, you can find a ‘cheat sheet’ of the most common acronyms and their meanings.
Data Protection Laws, Regulations and Organisations
- EIR – Environmental Information Regulations
Allows information held by public authorities to be made available to the general public, either through proactive data sharing or through a submitted access request.
- PECR – Privacy and Electronic Communications Regulations
Covers areas such as marketing emails, cookies, and electronic communications and sits alongside the UK GDPR.
- RIPA – Regulation of Investigatory Powers Act
Governs surveillance powers of local councils, limiting their use of covert surveillance and of covert human intelligence sources (CHIS).
Data Security & Privacy Concepts
- G-Cloud – UK government procurement framework for cloud services
- IAM – Identity and Access Management
- MFA – Multi-Factor Authentication
- RBAC – Role-Based Access Control
- UK SCCs – Standard Contractual Clauses (UK version)
Key Data Protection & Info Governance Roles (UK)
- DPO – Data Protection Officer
Mandatory for public authorities or if you process sensitive data on a large scale.
Independent advisor within the organisation, reports to senior management.
- SIRO – Senior Information Risk Owner
Common in public sector (especially NHS and central/local government).
Senior executive responsible for information risk strategy and oversight, usually reporting to the Board.
- Caldicott Guardian
Ensures personal info about health and care is used ethically and legally, named after Dame Fiona Caldicott (who led reviews into patient confidentiality).
Usually a management or senior level role, reporting to senior management or Board level depending on the size of the organisation.
- IAO – Information Asset Owner
Accountable for specific data sets or systems (called “information assets”) and ensures appropriate use, sharing, and protection of those assets.
Often part of a role that manages data, although it can be independent, reporting in line with usual company procedures.
- IG Lead / IG Manager – Information Governance
Often supports the DPO or works alongside them with day-to-day management of data protection compliance, records, FOI, etc.
Reporting to senior management or Board level dependent on the size of the organisation.
- FOI Officer – Freedom of Information
Often sits in the same team as data protection roles.
Handles requests made under the Freedom of Information Act 2000 (or EIR for environmental information).
- Cyber Security Lead / CISO
More technical, but increasingly overlaps with data protection.
Focus on protecting systems and data from cyber threats.
Other roles/titles often interchangeable within organisations
- Head of IG – Oversees information governance, typically at Trust level.
- DSP Lead – Responsible for NHS Data Security and Protection Toolkit submissions.
- Records Manager – Handles retention, archiving, and lawful disposal of data.
Whilst the list of acronyms above is extensive, it is certainly not exhaustive; the fundamental basics of data protection should apply to every individual within an organisation. For those working in specific roles, BLS Stay Compliant offers training and guidance should it be needed (links can be found above) and can also support businesses directly through our managed services. If any of the above options, or any additional services, are of interest, please do get in touch.