GDPR Glossary of Key Terms
The introduction of the General Data Protection Regulation (GDPR) on the 25th May 2018 will mean big changes to how your company processes people’s data. Do you know what these changes mean to your business? Are you ready for GDPR?
It’s important that you can answer ‘yes’ to both of these questions. Not being prepared can result in substantial fines, reduced trust in your business and a poor reputation. Some of the terminology may feel a little overwhelming and confusing if you’ve never encountered it before, so we’ve created this GDPR glossary of key terms to help.
Accountability – the data controller is responsible for compliance with the data protection regulations. They must also be able to demonstrate the steps the business takes to ensure compliance.
Binding Corporate Rules (BCRs) – a set of rules that allow multinational organisations to transfer personal data from the EU to their affiliates outside of the EU.
Consent – consent is defined as receiving a data subject’s agreement to process their data. Agreement must be freely given, informed, specific and unambiguous. This consent could be given in several ways, such as via a written statement (including by electronic means) or an oral statement. The request for consent must itself be clear and unambiguous: the data subject must clearly understand what they are providing their data for, how it will be processed, who will process it and how long it will be stored.
Data Breach – any accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of a subject’s data.
Data Controller – ‘controller’ means the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Data Erasure – (also known as the Right to be Forgotten) this entitles the data subject to request that the data controller erase their personal data.
Data Minimisation – this means that you can only collect personal data if it’s needed to achieve the intended purpose. Personal data should be adequate, relevant and limited to what is necessary. Where appropriate, such data should also be kept up to date.
Data Processor – ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. ‘Processing’ means any operation, or set of operations, which is performed on personal data or on sets of personal data. It is considered processing whether these operations occur by automated or manual means. Processing includes the following activities: collecting, recording, organising, using, structuring, storing, adapting, retrieving, consulting, destroying and more. The data processor can be an organisation or third-party provider who manages and processes personal data on behalf of the controller. Data processors have specific legal obligations, such as maintaining personal records, and are liable in the event of a data breach.
Data Protection Authority – the national authority who protects data privacy. In the UK, this is the Office of the Information Commissioner.
Data Protection Officer – an appointed individual who works to ensure you implement and comply with the policies and procedures set by GDPR.
Data Subject – someone whose personal data is processed by a controller or processor.
Data Subject Rights – the data subject has the right to:
- Transparency (to be informed).
- Access the data.
- Rectify the data.
- Request that the data be erased.
- Restrict processing.
- Data portability.
- Object to the processing of data.
- Not to be subject to a decision based solely on automated processing.
Encrypted Data – personal data which has been translated into another form or code so that only people with specific access can read it.
EU-US and Swiss Privacy Shield – this refers to a framework which allows companies to comply with data protection requirements when personal data is transferred between the EU or Switzerland and the USA. If a company has the shield in place, it allows for the legal transfer of personal data between the EU and US for commercial reasons.
Integrity & Confidentiality Security – personal data must be processed using appropriate technical, organisational and security measures.
Legal Processing – for any personal data processed, the organisation must be able to specify that it has been processed on one of the legal grounds specified by GDPR. These grounds are:
- The individual’s consent.
- Contract with the individual (including pre-contract arrangements).
- Complying with a legal obligation.
- If it is in the vital interest of the data subject.
- Necessary for a task in public interest or authority.
- Necessary in the legitimate interest of an organisation or third party (balanced against interests of the data subject).
Personal Data – any information relating to an identified person, or information that could directly or indirectly be used as a means of identifying them. This includes a name, ID number, location data, online identifier or photograph.
Privacy Impact Assessment – a tool used to identify the privacy risks.
Profiling – the automated processing of personal data.
Processing – this refers to any activity relating to personal data, from initial collection through to the final destruction. It includes the organising, altering, consulting, using, disclosing, combining and holding of data, either electronically or manually.
Pseudonymisation – the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
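As an added illustration (not part of the original glossary) of what pseudonymisation looks like in practice, the following Python code replaces the direct identifiers in a constructed customer dataset with a keyed token and keeps the re-identification material (the key and the token-to-identity lookup table) apart from the working dataset. The record fields, the choice of HMAC-SHA256 for the token and the `subject_id` column name are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: hypothetical people, not real data.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test",
     "postcode": "AB1 2CD", "purchase_total": 120.50},
    {"name": "Bob Example", "email": "bob@example.test",
     "postcode": "EF3 4GH", "purchase_total": 75.00},
]

# Fields that directly identify a person and must not remain in the
# pseudonymised dataset.
DIRECT_IDENTIFIERS = ("name", "email")


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Derive a token from an identifier with HMAC-SHA256.

    The same identifier and key always give the same token, so records about
    one person can still be linked. Without the key the token cannot be
    regenerated or reversed, which is what makes the key the 'additional
    information held separately'.
    """
    digest = hmac.new(key, identifier.strip().lower().encode("utf-8"),
                      hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymise(records, key: bytes):
    """Split records into a pseudonymised dataset and a separate lookup table.

    Returns (pseudonymised_records, lookup). The lookup table maps each token
    back to the direct identifiers and should be stored apart from the
    dataset (different system, stricter access control).
    """
    lookup = {}
    pseudonymised = []
    for rec in records:
        token = make_pseudonym(rec["email"], key)
        lookup[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised.append({"subject_id": token, **stripped})
    return pseudonymised, lookup


def contains_direct_identifiers(records) -> bool:
    """Check that no direct identifier field leaked into the dataset."""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)


def reidentify(record, lookup):
    """Re-link a pseudonymised record to its identity using the separate table."""
    return lookup[record["subject_id"]]


if __name__ == "__main__":
    # In a real deployment the key lives in a secrets store, not next to the data.
    key = secrets.token_bytes(32)
    dataset, lookup_table = pseudonymise(RECORDS, key)
    print("pseudonymised:", dataset)
    print("leaked identifiers:", contains_direct_identifiers(dataset))
    print("re-identified first record:", reidentify(dataset[0], lookup_table))
```

The working dataset still supports analysis (postcodes and totals are intact, and repeat records for the same e-mail address collapse to one `subject_id`), while re-identification requires both the key and the lookup table. Note that pseudonymised data is still personal data under GDPR, because the controller retains the means to link it back to a person.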
Purpose Limitation – this refers to using information only for the specified, explicit and legitimate purposes for which the data was collected and not for any other purpose.
Special Category Personal Data – more sensitive information relating to a data subject. Includes information which reveals a person’s: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
Third Party – a legal body or authority other than the data subject, controller or processor who is authorised to process personal data under authority of the data controller or processor.
The terminology used when describing GDPR can be confusing, but it’s important that you understand all of it. Knowing what responsibilities GDPR places on different individuals, and what policies and procedures you must comply with, is important if you want to avoid severe legal fines and reputational damage. Use the information contained in this article to ensure you understand what is expected of you.
Katie has a master’s degree in Chemistry and enjoys researching new methods of communicating teaching material online. In her spare time, Katie enjoys cooking Italian food and going to the ballet.