33 key terms matched with easy-to-understand definitions.
Data protection is a complex area when it comes to understanding the many terms found in the EU and UK General Data Protection Regulation (GDPR).
In this article, we have gathered some of the most commonly used terms and matched them with easy-to-understand definitions.
We plan to update this article as and when revisions are made to the GDPR legislation, so make sure to save it to your favourites or subscribe to the GDPR Rep newsletter to get updates as soon as they become available.
Accountability is the legal requirement for an organisation to be able to evidence its compliance with the GDPR. This is usually achieved by showing that policies and processes have been implemented and embedded into the organisation's business operations.
Accuracy is the requirement on a data controller to keep personal data accurate and up to date at all times, ensuring that inaccurate data is corrected.
Anonymised data is personal data that cannot be traced back to an identifiable individual; it is outside the scope of the GDPR.
Biometric data refers to any data relating to an individual's biology or physical body, and includes information about the physiological, behavioural or physical characteristics of a natural person, such as iris scans, fingerprints and facial images.
Consent is about giving people genuine, ongoing choice, transparency and control over how their data is processed. Consent should be obvious and require a positive action to opt in.
Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
Cross-border processing refers to a situation in which a data controller or processor operates within the UK or the EU but transfers personal data to countries outside the EU or the UK.
A data controller is any organisation which, by itself or jointly with another organisation, determines the purposes and means of the processing of personal data under EU and/or UK GDPR. If your organisation decides what personal data it needs to process for its business purposes, it is a data controller under the GDPR.
A data protection impact assessment (DPIA) is a process undertaken by an organisation when it is implementing new technical measures, such as new software or security strategies, or is involved in processing that is considered high risk.
A DPIA describes the data processing in place and its purpose, assesses whether the processing is necessary, identifies and assesses the risk to individuals, and determines any measures that can be put in place to mitigate that risk and help protect the data from breaches.
A data processing agreement is a legally binding contract that a data controller must enter into with a data processor when both are involved in the processing of personal data. It records the rights and obligations of both the controller and the processor concerning the protection of personal data.
A data processor is any organisation which processes personal data on behalf of a controller.
Each member state of the EU has a data protection authority (DPA), also called a supervisory authority. The role of a DPA is to ensure that data protection law is enforced within its member state. The DPA in the UK with these powers is the Information Commissioner's Office (ICO).
A data protection officer (DPO) is an organisation's fully trained and independent expert on data protection compliance. Every organisation involved in the large-scale processing of personal data, including special categories of personal data, is required to appoint a DPO to oversee and advise on GDPR compliance.
The data protection principles are the legal requirements an organisation must follow when processing personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
Data security is the term used for how an organisation’s digital data is protected from the unwanted actions of unauthorised users, including cyber-attacks and data breaches.
The data subject is the person whose personal data is processed by a controller or processor.
An individual’s access to and ability to control the processing of their data is a fundamental requirement of GDPR. GDPR gives an individual the right to:
Encryption is a process that encodes personal data in such a way that it can only be accessed by authorised users.
The General Data Protection Regulation came into force on 25th May 2018. The GDPR harmonises data protection rules across EU member states. It applies to data processing carried out by individuals and organisations operating within the EU, but also applies to organisations outside the EU that offer goods and services to EU citizens. The UK Data Protection Act 2018 implemented GDPR into UK law.
A GDPR representative is a specialist consultant who acts as a point of contact with data subjects and supervisory authorities on behalf of any organisation outside the UK and the EU that processes personal data on a large scale and has no establishment within the EU or UK.
An important function of a representative is to keep and maintain its customer's records of data processing activities.
A lawful basis is the lawful reason an organisation must have for processing an individual's data; the GDPR requires a data controller to be able to identify one before processing personal data. The GDPR sets out six lawful bases for processing personal data, and an organisation may rely on one or more of them depending on its purpose for processing. These are:
Personal data is any information that relates to an identified or identifiable living person. An individual can be identified by any number of identifiers, including: name, contact details, location information, IP address, social media images, photographs, residential address, date of birth, tax and National Insurance reference numbers, job history and more.
A personal data breach occurs when a data controller or processor, or both, allows an individual's personal data to be accidentally or unlawfully lost, destroyed, altered, disclosed, accessed, transferred, stored or otherwise processed. Most data breaches occur through human error, but the more serious ones result from hacking and network intrusion.
Privacy by design is a concept whereby an organisation builds privacy into its processes from the outset, reducing the likelihood of a data breach in the future. It includes developing and implementing technical policies, processes and systems that protect subject data better than existing protocols, rather than waiting for a data breach before making changes.
A privacy impact assessment is another term for the review of its processing activities that an organisation must carry out. It is the same as a data protection impact assessment and is required whenever processing data that might present a privacy risk.
A privacy notice is a document in which a data controller tells people what it will do with their personal data and with whom it will share it, including the lawful bases for processing and how long the data will be kept. It also lists the data subject rights and gives the name and contact details of the organisation's DPO.
Processing, simply put, means any activity performed on an individual's personal data by a controller or processor, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling is any kind of automated processing of personal data that involves analysing or predicting an individual’s behaviour, habits, or interests.
Pseudonymisation is a process that ensures a person's data cannot be traced back to them without the use of additional information that is kept separately.
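The difference between pseudonymised data (which is still personal data, because the separately held "additional information" lets you go back to the person) and anonymised data (which is out of scope because no route back exists) is easier to see in code. The following is an added illustration, not code from GDPR Rep or from the regulation: it replaces direct identifiers with keyed tokens and keeps the token-to-identity mapping apart from the working data set, then contrasts that with an irreversible anonymisation that generalises the remaining quasi-identifiers and checks that no individual is left unique. The records, key and field names are all constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictitious people) for demonstration only.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "SW1A 1AA", "age": 34, "condition": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "SW1A 2BB", "age": 37, "condition": "none"},
    {"name": "Carol Example", "email": "carol@example.org", "postcode": "M1 1AE", "age": 52, "condition": "diabetes"},
    {"name": "Dan Example", "email": "dan@example.org", "postcode": "M1 4BT", "age": 58, "condition": "none"},
]

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256).

    Returns (pseudonymised_records, mapping). The mapping is the
    'additional information' the GDPR definition refers to: it must be
    stored separately from the working data, under its own access
    controls. Without the mapping (or the key) the tokens cannot be
    traced back to a person. A keyed HMAC is used rather than a plain
    hash so that tokens cannot be recomputed from guessed names/emails.
    """
    pseudonymised = []
    mapping = {}
    for rec in records:
        identity = (rec["name"].strip().lower() + "|" + rec["email"].strip().lower()).encode()
        token = hmac.new(key, identity, hashlib.sha256).hexdigest()[:16]
        mapping[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        working = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working["subject_id"] = token
        pseudonymised.append(working)
    return pseudonymised, mapping


def reidentify(token, mapping):
    """Re-identification is only possible for whoever holds the mapping;
    returns None when the token is unknown."""
    return mapping.get(token)


def anonymise(records):
    """Drop direct identifiers and coarsen the quasi-identifiers
    (postcode to its outward code, age to a 10-year band). No mapping
    is kept, so there is deliberately no route back to the individual."""
    anonymised = []
    for rec in records:
        decade = (rec["age"] // 10) * 10
        anonymised.append({
            "area": rec["postcode"].split()[0],
            "age_band": f"{decade}-{decade + 9}",
            "condition": rec["condition"],
        })
    return anonymised


def is_k_anonymous(records, quasi_identifiers, k):
    """True if every combination of quasi-identifier values is shared by
    at least k records, i.e. nobody can be singled out by those fields."""
    groups = Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)
    return all(count >= k for count in groups.values())


if __name__ == "__main__":
    # Constructed key: in practice it would live in a secrets store, not in code.
    key = b"constructed-example-key"
    working_set, identity_map = pseudonymise(SAMPLE_RECORDS, key)
    print("pseudonymised:", working_set[0])
    print("with mapping  :", reidentify(working_set[0]["subject_id"], identity_map))
    print("without it    :", reidentify(working_set[0]["subject_id"], {}))
    print("anonymised    :", anonymise(SAMPLE_RECORDS)[0])
    print("raw 2-anonymous?  ", is_k_anonymous(SAMPLE_RECORDS, ("postcode", "age"), 2))
    print("anon 2-anonymous? ", is_k_anonymous(anonymise(SAMPLE_RECORDS), ("area", "age_band"), 2))
```

The raw records fail the 2-anonymity check on postcode and age (every person is unique), while the generalised records pass it; that check is what separates a data set that is genuinely anonymised from one that merely has the names removed and would still count as personal data.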
A record of processing activities (ROPA) is a manual or electronic record of the processing an organisation carries out on its data subjects' personal data. It explains the categories of personal data processed, how and why they are processed, with whom the data is shared, where it is stored and for how long, and the technical and security measures in place to keep the data confidential.
The rules on international transfers are those that any organisation wanting to transfer data outside the EEA or UK must comply with. They define how and in what circumstances a person's data may be transferred out of the EU or UK to a third country, including the security measures required to protect the confidentiality and security of such a transfer.
Special categories of personal data are data revealing an individual's racial or ethnic origin, political opinions, religious or philosophical views, trade union membership or sexual orientation, and health, genetic and biometric data where processed to uniquely identify an individual.
A subject access request is a request by a data subject to a controller or processor to see the data that is being processed about them, and how and why it is processed.
Is there a phrase you would like the GDPR Rep team to explain, or a question about GDPR terminology? Let us know: head over to the GDPR Rep contact page and send us a message.
If you are looking for advice or assistance in meeting your organisation's GDPR compliance obligations, why not schedule a no-commitment call with the GDPR Rep team, experts in data protection and EU and UK GDPR representation? Our team is on hand to help you navigate the GDPR.