The GDPR Glossary of Terms Explained

Imagine you’ve just signed up for a magazine subscription. You’ve given the magazine company your address, bank details, and other personal info. What if the seller went and sold that data to a third party? What if that third party sold your data to someone else? Before you know it, your mailbox could be overflowing with unwanted junk. Worse still, your details might’ve been passed on to criminals or shady operators. Would you be OK with that?

You probably wouldn’t be OK with it at all. And that’s why we have the GDPR.

Nowadays, we’ve all got masses of personal information stored online. We need to give companies access to this data almost daily.

To control how our data is used, the EU and the UK adopted a set of rules called the General Data Protection Regulations or GDPR for short.

The GDPR governs how UK and EU businesses can store, collect, process, transmit, and use personal data. It’s a great set of regulations that protects our digital privacy.

Everything from emails to credit card transactions to banking details and our biometric and genetic data is covered by the GDPR. If a business or individual is found in breach of the GDPR, they could be prohibited from processing data or forced to pay huge fines.

Business owners must understand how the GDPR works. But, like all tech stuff, the GDPR is filled with jargon.

If the thought of wading through reams of tech-speak makes your eyes glaze over, don’t worry. Keep reading to get a short and straightforward breakdown of the GDPR glossary of terms and definitions.

All organisations and businesses must comply with the GDPR and be able to prove they are compliant.

Information that is not associated in any way with a person and cannot be considered to be personal data. The Information Commissioner’s Office (ICO) can provide guidance on how to confirm if data has been anonymised.

A document that states the retention policies and compliance measures of your business for special category data.

The rules that are in place to allow multinational companies and organisations to transfer data from the EU or UK to affiliates within their organisation outside of the EU or UK.

Personal data that has been derived from technical processing. Biometric data includes any physical, physiological, or behavioural characteristics of a natural person that could lead to their identification.

A set of conditions that allow for the processing of personal data. These include:

• Consent
• Necessary processing (such as required by a contract)
• Compliance with legal obligations
• To protect the vital interests of a person
• In the public interest
• Where there is a legitimate interest in processing the data

A freely given, specific, informed, and unambiguous indication that the data subject agrees to the processing of personal data. Consent can be given by a statement or explicit affirmative action.

A natural or legal person, public authority, organisation, or another body that, alone or in conjunction with others, determines how and why personal data is collected and how it is processed.

A natural or legal person, public authority, organisation, or another body that processes data on the data controller’s behalf.

A representative from an organisation or business who is appointed to oversee GDPR compliance. The Data Protection Officer deals with Subject Access Requests, liaises with the ICO, handles GPDR complaints, and advises colleagues on GPDR matters.

A natural person whose personal data is being processed by the data controller or data processor.

Any personal data related to a natural person’s inherited or acquired genetic characteristics. Genetic data is derived from an analysis of a biological sample of a natural person and provides unique information about the physiology or the health of that specific natural person.

Anyone who can be directly or indirectly identified by identifiers such as their name, identification number or location or by one or more explicit factors relating to their physical, genetic, physiological, mental, economic, cultural, or social identity.

Any information that can be used directly or indirectly to accurately identify a natural person.

The unlawful or accidental destruction, loss, alteration, or disclosure of personal data.

The fundamental principles of the GDPR describe the primary responsibilities of businesses and organisations.

Any operation or combination of operations performed on personal data or collections of personal data. Processing can be done by automated or non-automated means, including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.

Any automated processing that uses personal data to evaluate, analyse, or predict personal aspects of a natural person. These aspects can concern a natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

Processing personal data so that the data itself cannot be associated with a natural person without the inclusion or use of additional information. The additional information must be stored separately. Measures must be taken to ensure personal data cannot be linked to an identified or identifiable natural person.

Stored personal data that can only be used for limited processing in the future and has been flagged as such.

Data subjects have the right to access their personal data and obtain information about how the data is processed by the data controller.

Any data relating to the racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, or biometric data of a natural person. Data concerning the overall health, sex life or sexual orientation of a natural person.

Formal requests from a data subject for a copy of all relevant personal data held by a data controller.

Navigating the language of the GDPR takes some getting used to. We hope that our quick guide on the GDPR glossary of terms helped you to get more familiar with the wording of this legislation.

You and your team can take our GDPR Staff Awareness Training to further your knowledge of the GDPR. This short course explains the purpose and principles of the GDPR. Participants learn about user rights and the responsibilities of businesses for data protection. It’s a great way to ensure your business stays on the right side of the GDPR.