GDPR Terms and definitions you need to know

33 key terms matched with easy-to-understand definitions.

GDPR Terms and definitions you need to know
GDPR Terms and definitions you need to know
Clive Mackintosh
November 29, 2022

Data protection is a complex area when it comes to understanding the many terms found in the EU and UK General Data Protection Regulation (GDPR). From GDPR Representation to lawful processing, in this article, we have gathered some of the most commonly used terms and matched them with easy-to-understand definitions. 

We plan to update this article as and when revisions are made to the GDPR legislation so make sure to save it to your favourites or subscribe to the GDPR Rep newsletter to get updates as soon as they become available.

GDPR Terms and definitions you need to know


Is the legal requirement for an organisation to be able to evidence its compliance with GDPR. This is usually achieved by showing the implementation of policies and processes that have been embedded into an organisations business operations.

Accuracy Principle

Is the requirement of a data controller to keep personal data up to date and accurate at all times ensuring inaccurate data is corrected.

Anonymous data

Is personal data that cannot be traced back to an identifiable individual and is outside the scope of the GDPR.

Biometric Data

Refers to any data relating to an individual’s biology or physical body and includes information regarding the physiological, behavioural, or physical characteristics of a natural person, including iris scans, fingerprints, and facial images.

Consent of Data Subject

Consent is about giving people genuine ongoing choice, transparency and control over how their data is processed. Consent should be obvious and require a positive action to opt-in. 

Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.

Cross Border Processing

Cross-border processing refers to a situation in which a data controller or processor operates within the UK or EU but transfers personal data to countries outside of the EU or UK.

Data Controller

Is any organisation which, by itself or jointly with another organisation, determines the purposes and means of the processing of personal data in compliance with EU and or UK GDPR. If you are an organisation that makes the decision on what personal data you need to process for your business purposes you will be a Data Controller under GDPR.

Data Privacy Impact Assessment (DPIA)

Data Privacy Impact Assessment (DPIA) Is a process that is undertaken by an organisation when it is either implementing new technical measures such as new software or security strategies or is involved in processing which is considered high risk. 

A DPIA describes the data processing in place and the purpose for doing it, assesses whether the processing is necessary, identifies and assesses the risk to an individual and determines any measures that can be put in place to mitigate risk and help to protect data from breaches.

Data Processing Agreement

Is a legally binding contract that a data controller must enter into with a data processor when both are involved in the processing of personal data and which records the rights and obligations of both the controller and processor concerning the protection of personal data.

Data Processor

Is any organisation which processes personal data on behalf of a controller.

Data Protection Authority

Each member state of the EU has a data protection authority or supervisory authority. The role of a DPA is to ensure that member states of the EU enforce data protection laws. The DPA in the UK with these powers is the ICO.

Data Protection Officer

Data Protection Officer (DPO) Is an organisation's fully trained and independent expert on data protection compliance. Every organisation that is involved in the processing of large-scale personal data including special categories of personal data is required to appoint a DPO to oversee and advise on GDPR compliance.

Data Protection Principles

Are legal requirements that an organisation must follow when processing personal data such as the lawfulness, fairness, and transparency of the processing activity. The purpose limitation, data minimisation, and accuracy of the processing and the storage limitation, integrity and confidentiality and accountability of the same.

Data Security

Data security is the term used for how an organisation’s digital data is protected from the unwanted actions of unauthorised users, including cyber-attacks and data breaches.

Data Subject

Is the person whose personal data is processed by a controller or processor.

Data Subject Rights

An individual’s access to and ability to control the processing of their data is a fundamental requirement of GDPR. GDPR gives an individual the right to: 

  • Information on who is processing their data 
  • Access to what is being processed about them
  • Rectify any inaccurate processed data
  • Ask for the deletion and permanent erasure of their data
  • Restrict the further processing of data
  • Portability of data
  • Object to the processing of their data
  • Oppose automated Decision-Making about them.


Encryption is a process that encodes personal data in such a way that it can only be accessed by authorised users.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation came into force on 25th May 2018. The GDPR harmonises data protection rules across EU member states. It applies to data processing carried out by individuals and organisations operating within the EU, but also applies to organisations outside the EU that offer goods and services to EU citizens. The UK Data Protection Act 2018 implemented GDPR into UK law.

GDPR Representative

Is a specialist consultant that acts as a point of contact with data subjects and supervising authorities on behalf of any organisation outside of the UK and the EU which is involved in the processing of personal data on a large scale and does not have an establishment within the EU or UK. 

An important function of a Representative is to keep and maintain their customer’s records of data processing activities.

Lawful bases for processing personal data

GDPR requires a Data Controller to be able to identify a lawful basis for processing personal data. There are six legal bases for processing personal data:

  1. Consent
  2. Performance of a contract
  3. Legitimate interest.
  4. Vital interest
  5. A legal requirement
  6. Public interest.

Lawful processing

An organisation must have a lawful reason for processing an individual’s data. The GDPR sets out a list of 6 lawful reasons for processing personal data. 

An organisation may rely on one or more lawful bases depending upon its purpose for processing. These are:

  • Consent of the data subject
  • To carry out a contract
  • For an organisation to meet a legal obligation
  • Where the processing is necessary to protect the vital interests of a person
  • Where processing the personal data is necessary for the performance of a task carried out in the public interest
  • For the legitimate interests of a company/ organisation (except where those interests contradict or harm the interests or rights and freedoms of the individual).

Personal data

Is any information that relates to an identified or identifiable living person. An individual can be identified by any number of data information sets including: name, contact details, location information, IP address, social media images, photographs, residential address, date of birth, tax and national insurance reference, job history and more.

Personal data breach

Occurs when either or both a data controller or processor allow an individual’s personal data to become accidentally or unlawfully lost, destroyed, altered, disclosed, accessed, transferred, stored or otherwise processed. Most data breaches occur through human error but the more serious are through cyber hacking and network intrusion.

Privacy By Design

Is a concept whereby an organisation builds privacy into their processes from the outset reducing the likelihood of a data breach in the future. Privacy by design includes the development and implementation of technical policies, processes and systems that help protect subject data compared to existing protocols and not waiting for a data breach to make changes.

Privacy Impact Statement

Is another term used for when an organisation must carry out a review of its processing activities. It is the same as a Data Protection Impact Assessment and is required whenever processing data that might present a privacy risk.

Privacy Notice

A privacy notice is a document in which a data controller tells people what they'll be doing with their personal data and with whom they'll share it with, including the lawful bases for processing and for how long data will be kept. It also includes a list of data subject rights and the name and contact information of the organisation’s DPO.


Simply, means any activity performed on an individual’s personal data by a controller or processor that involves the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the individual’s personal data.


Profiling is any kind of automated processing of personal data that involves analysing or predicting an individual’s behaviour, habits, or interests.


Is a process that enables a person’s data not to be traced back to them without the use of additional information.

Record of Processing Activity (‘ROPA’)

A ROPA is a manual or electronic record of an organisation's processing activities carried out on its data subjects. It explains the categories of personal data processed, how and why, with whom the data is shared, where it is stored, for how long and the technical and security measures in place to keep the data confidential.

Restricted Transfers

Are the rules any organisation wanting to transfer data outside of the EEA or UK must comply with. The rules define how and in what circumstances a transfer of a person’s data can be made out of the EU and UK to a third country including the security measures in place for protecting the confidentiality and security of such movement of data.

Special Category Data

Special categories of personal data include reference to an individual’s racial or ethnic origin, political opinions, religious or philosophical views, trade union membership, sexual orientation, and health, genetic and biometric data where processed to uniquely identify an individual.

Subject Access Request

Is a request for access by a data subject to a controller or processor to see the data this is being processed about them, how and why.

Is there a phrase you would like the GDPR Rep team to explain? Or a question you have in regard to understanding GDPR terminology? Let us know, head over to the GDPR Rep contact page and send us a message. 

If you are looking for advice or assistance in meeting your organisation’s GDPR compliance why not schedule a no-commitment call with the GDPR Rep team, experts in Data Protection, EU and UK GDPR representation. Our team are on hand to help you navigate GDPR.

Get a GDPR Rep quote today
We use cookies on our site.
GDPREP.ORG would like to use performance and analytic cookies while you visit and browse our site to improve your experience. This means we may collect some of your data and you can read more about our use of cookies here. You can withdraw your consent at any time by emailing us at: View our Cookie Policy for more information.