English for Privacy Engineers: GDPR, Data Protection, and Privacy by Design Vocabulary
Master the English vocabulary privacy engineers use daily — from GDPR concepts and data subject rights to consent management and DPIAs.
Privacy engineering has moved from a legal afterthought to a core engineering discipline. Whether you are implementing consent flows, reviewing data processing agreements, or running a DPIA, you need precise English to collaborate with legal teams, product managers, and international partners. Misusing terms like “anonymisation” versus “pseudonymisation” can have real regulatory consequences — and can signal to colleagues that you are out of your depth.
Foundational Privacy Principles
The cornerstone concept is privacy by design — the principle that privacy protections are built into a system from the start, not bolted on later. You will hear engineers say: “We need to revisit this feature — it wasn’t designed with privacy by design in mind.”
Data minimisation means collecting only the data you actually need for a specific purpose. Its companion, purpose limitation, means you cannot use data for something other than what users consented to. A typical engineering discussion: “The analytics team wants to join this dataset, but that would violate purpose limitation — users consented to personalisation, not cross-product tracking.”
Pseudonymisation replaces direct identifiers with pseudonyms (a reversible process — a key still exists). Anonymisation removes all identifiers so re-identification is technically impossible. The distinction matters enormously: pseudonymised data is still personal data under GDPR; anonymised data is not. Engineers frequently confuse these, so mastering the difference gives you an immediate credibility boost.
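The distinction in code, as an added example that is not part of the original article: a keyed pseudonym (HMAC-SHA256) can be mapped back by anyone who holds the key, while an aggregate with small-group suppression carries no per-person token at all. The records, the key, the function names, and the minimum group size of 2 are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed sample data and key (assumptions for this example only).
PSEUDONYM_KEY = b"constructed-demo-key-held-in-a-separate-system"
RECORDS = [
    {"email": "ana@example.com", "country": "PT", "purchases": 3},
    {"email": "ben@example.com", "country": "PT", "purchases": 1},
    {"email": "ana@example.com", "country": "PT", "purchases": 2},
    {"email": "chi@example.com", "country": "DE", "purchases": 5},
]


def _token(email, key):
    # Keyed hash: stable per person, not computable without the key.
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Swap the direct identifier for a pseudonym; rows stay linkable per person."""
    return [
        {"subject": _token(r["email"], key), "country": r["country"],
         "purchases": r["purchases"]}
        for r in records
    ]


def reidentify(pseudonymised, key, candidate_emails):
    """Why this is still personal data: the key holder can map tokens back."""
    lookup = {_token(e, key): e for e in candidate_emails}
    return [lookup.get(r["subject"]) for r in pseudonymised]


def aggregate(records, min_group_size=2):
    """Keep only per-country totals and suppress groups with too few people."""
    subjects, totals = defaultdict(set), Counter()
    for r in records:
        subjects[r["country"]].add(r["email"])
        totals[r["country"]] += r["purchases"]
    # A group of one person is that person's data, so it is dropped.
    return {c: totals[c] for c in totals if len(subjects[c]) >= min_group_size}


if __name__ == "__main__":
    rows = pseudonymise(RECORDS, PSEUDONYM_KEY)
    emails = sorted({r["email"] for r in RECORDS})
    print(rows)
    print(reidentify(rows, PSEUDONYM_KEY, emails))
    print(aggregate(RECORDS))
```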
Data Subject Rights and Consent
Data subject rights are the rights individuals have over their personal data. The key ones you will implement:
- Right of access — users can request a copy of their data (“We need an export endpoint for the SAR — subject access request — flow.”)
- Right to erasure (also called the right to be forgotten) — deleting user data on request
- Right to portability — exporting data in a machine-readable format
- Right to rectification — correcting inaccurate data
Consent management is the system that captures, stores, and enforces user consent choices. You will work with a consent management platform (CMP) and hear phrases like: “The CMP must record a timestamped consent event before we fire any analytics tags.”
Contracts and Assessments
A data processing agreement (DPA) is a contract between a data controller (the entity that decides why data is processed) and a data processor (the entity that processes data on the controller’s behalf). SaaS vendors are typically processors. You might say: “Before we integrate that third-party logging tool, legal needs to sign a DPA.”
A Privacy Impact Assessment (PIA) — or DPIA (Data Protection Impact Assessment) under GDPR — is a structured risk analysis performed before launching features that process sensitive data at scale. Engineers present findings to the Data Protection Officer (DPO). Typical framing: “The new biometric feature triggers a mandatory DPIA — let’s schedule the review.”
Legitimate interest is a legal basis for processing data without explicit consent, but it requires a balancing test proving the company’s interest outweighs the user’s privacy rights. Privacy engineers push back hard when product teams cite it loosely: “We can’t just claim legitimate interest here — we need to document the balancing test.”
In Privacy Review Meetings
Real phrases you will hear and use:
- “This field is out of scope for the stated purpose — we should drop it at ingestion.”
- “Can we achieve the same outcome with aggregated rather than individual-level data?”
- “The retention policy says 90 days, but this table has records from 2019 — we have a compliance gap.”
- “We need to surface the consent signal to the downstream pipeline, not just the API layer.”
Practice
Pick one feature you have worked on recently. Write three sentences describing it using at least four terms from this article, such as data minimisation, purpose limitation, consent, and data subject rights. Then ask a colleague (or language partner) to challenge your reasoning. Privacy vocabulary only sticks when you argue with it.