GDPR Glossary of Key Terms
The introduction of the General Data Protection Regulation (GDPR) in May 2018 resulted in big changes to how companies can processes people’s data. By now, all businesses should be fully compliant with its requirements. However, if you still have ways to improve, this glossary might help you understand the key aspects of data protection law. It may also be useful if you’re adopting more responsibilities regarding data protection in your organisation and want to develop your knowledge.
Some of the terminology may feel a little overwhelming and confusing if you’ve never encountered them before, so we’ve created this GDPR glossary of key terms to help.
Accountability – the data controller is responsible for compliance with the data protection principles. They must be able to demonstrate the steps the business takes to ensure compliance.
Binding Corporate Rules (BCRs) – a set of rules that allow multinational organisations to transfer personal data from the EU to their affiliates outside of the EU.
Consent – consent is defined as receiving a data subject’s agreement to process their data. Agreement must be freely given, informed, specific and unambiguous. This consent could be given several ways, such as via a written statement (including by electronic means) or an oral statement. Gaining consent must be clear and unambiguous. The data subject must understand implicitly what they are providing their data for, how it will be processed, who will process it and how long it will be stored.
Data Breach – any accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of a subject’s data.
Data Controller – ‘controller’ means the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Data Erasure– (also known as the Right to be Forgotten) this entitles the data subject to request that the data controller erase their personal.
Data Minimisation – this means that you can only collect personal data if it’s needed to achieve the intended purpose. Personal data should be adequate, relevant and limited to what is necessary. Where appropriate, such data should also be kept up to date.
Data Processor – ‘processing’ means any operation, or set of operations, which is performed on personal data or on sets of personal data. It is considered processing whether these operations occur by automated or manual means. Processing includes the following activities: collecting, recording, organising, using, structuring, storing, adapting, retrieving, consulting, destroying and more. The data processor can be an organisation or third-party provider who manages and processes personal data on behalf of the controller. Data processors have specific legal obligations, such as maintaining personal records, and are liable in the event of a data breach.
Data Protection Authority – the national authority who protects data privacy.
Data Protection Officer – an appointed individual who works to ensure you implement and comply with the policies and procedures set by GDPR. If you want to learn more about data protection officers, have a read of our article on the roles and responsibilities of a data protection officer.
Data Subject – someone whose personal data is processed by a controller or processor.
Encrypted Data – personal data which has been translated into another form or code so that only people with specific access can read it.
EU-US Privacy Shield – this refers to a new set of GDPR standards that allow for the legal transfer of personal data between the EU and US for commercial reasons.
Fairness Principle – this is a principle that states the data subject should have the right to:
1. Access the data.
2. Rectify the data.
3. Request that the data be erased.
4. Restrict processing.
5. Data portability.
6. Object to the processing of data.
7. Not to be subject to a decision based solely on automated processing.
Integrity & Confidentiality Principle – personal data must be processed using appropriate technical, organisational and security measures.
Legality Principle – for any personal data processed, the organisation must be able to specify that it has been processed on one of the legal grounds specified by GDPR. These grounds are:
1. Individuals consent.
2. Contract with the individual.
3. Complying with an existing obligation.
4. Complying with an existing obligation.
5. Necessary for a task in public interest or authority.
6. Necessary in the legitimate interest of an organisation or third party.
Personal Data – any direct or indirect information relating to an identified person that could be used as a means of identifying them. This includes their name, ID number, location data or an online identifier.
Privacy Impact Assessment – a tool used to identify the privacy risks.
Profiling – the automated processing of personal data.
Processing – this refers to any activity relating to personal data, from initial collection through to the final destruction. It includes the organising, altering, consulting, using, disclosing, combining and holding of data, either electronically or manually.
Pseudonymisation – processing data so it can no longer be attributed to a data subject without the use of additional data.
Purpose Limitation Principle – this refers to using information only for the specified, explicit and legitimate purposes for which the data was collected and not for any other purpose.
Sensitive Personal Data – other factors specific to physical, physiological, genetic, mental, economic, cultural or social identity. This can include genetic data, biometric data, and criminal convictions and offences that, when processed, can uniquely identify a person.
Third Party – a legal body or authority other than the data subject, controller or processor who is authorised to process personal data under authority of the data controller or processor.
The terminology used when describing GDPR can be confusing, but it’s important that you understand them all. Knowing what responsibilities GDPR places on different individuals and what policies and procedures you must comply with is important if you want to avoid severe legal fines and a lost reputation. Use the information contained in this article to ensure you understand what is expected of you.