The GDPR Glossary of Terms Explained


The GDPR is full of odd terminology and unfamiliar abbreviations, and its wording can make it hard to understand your obligations. This is especially true for anyone unfamiliar with the GDPR glossary of terms and definitions.

To help you make sense of this vital legislation, we’ve compiled a quick explainer on the GDPR glossary of terms.

What is the GDPR?

Imagine you’ve just signed up for a magazine subscription. You’ve given the magazine company your address, bank details, and other personal info. What if the seller went and sold that data to a third party? What if that third party sold your data to someone else? Before you know it, your mailbox could be overflowing with unwanted junk. Worse still, your details might’ve been passed on to criminals or shady operators. Would you be OK with that?

You probably wouldn’t be OK with it at all. And that’s why we have the GDPR.

Nowadays, we’ve all got masses of personal information stored online. We need to give companies access to this data almost daily.

To control how our data is used, the EU and the UK adopted a set of rules called the General Data Protection Regulation, or GDPR for short.

The GDPR governs how UK and EU businesses can store, collect, process, transmit, and use personal data. It’s a great set of regulations that protects our digital privacy.

Everything from emails to credit card transactions to banking details and our biometric and genetic data is covered by the GDPR. If a business or individual is found in breach of the GDPR, they could be prohibited from processing data or forced to pay huge fines.

The GDPR Glossary of Terms

Business owners must understand how the GDPR works. But, like all tech stuff, the GDPR is filled with jargon.

If the thought of wading through reams of tech-speak makes your eyes glaze over, don’t worry. Keep reading to get a short and straightforward breakdown of the GDPR glossary of terms and definitions.

GDPR Awareness Training

Our GDPR Awareness Training course provides a thorough understanding of the key aspects of general data protection regulations, data security levels and different types of threats that organisations or workplaces may face.

Accountability Principle

All organisations and businesses must comply with the GDPR and be able to prove they are compliant.

Anonymised Data

Information that is not associated in any way with a person and therefore cannot be considered personal data. The Information Commissioner’s Office (ICO) can provide guidance on how to confirm that data has been anonymised.

Appropriate Policy Document

A document that states the retention policies and compliance measures of your business for special category data.

Binding Corporate Rules

The rules that are in place to allow multinational companies and organisations to transfer data from the EU or UK to affiliates within their organisation outside of the EU or UK.

Biometric Data

Personal data that has been derived from technical processing. Biometric data includes any physical, physiological, or behavioural characteristics of a natural person that could lead to their identification.

Conditions for Processing

A set of conditions that allow for the processing of personal data. These include:

  • Consent
  • Processing necessary for the performance of a contract
  • Compliance with legal obligations
  • To protect the vital interests of a person
  • In the public interest
  • Where there is a legitimate interest in processing the data


Consent

A freely given, specific, informed, and unambiguous indication that the data subject agrees to the processing of their personal data. Consent can be given by a statement or by a clear affirmative action.

Data Controller

A natural or legal person, public authority, organisation, or another body that, alone or in conjunction with others, determines how and why personal data is collected and how it is processed.

Data Processor

A natural or legal person, public authority, organisation, or another body that processes data on the data controller’s behalf.

Data Protection Officer

A representative from an organisation or business who is appointed to oversee GDPR compliance. The Data Protection Officer deals with Subject Access Requests, liaises with the ICO, handles GDPR complaints, and advises colleagues on GDPR matters.

Data Subject

A natural person whose personal data is being processed by the data controller or data processor.

Genetic Data

Any personal data related to a natural person’s inherited or acquired genetic characteristics. Genetic data is derived from an analysis of a biological sample of a natural person and provides unique information about the physiology or the health of that specific natural person.

Identifiable Natural Person

Anyone who can be directly or indirectly identified by identifiers such as their name, identification number or location or by one or more explicit factors relating to their physical, genetic, physiological, mental, economic, cultural, or social identity.

Personal Data

Any information that can be used directly or indirectly to accurately identify a natural person.

Personal Data Breach

The unlawful or accidental destruction, loss, alteration, or disclosure of personal data.

Principles

The fundamental principles of the GDPR describe the primary responsibilities of businesses and organisations that handle personal data.

Processing

Any operation or combination of operations performed on personal data or collections of personal data. Processing can be done by automated or non-automated means and includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.


Profiling

Any automated processing that uses personal data to evaluate, analyse, or predict personal aspects of a natural person. These aspects can concern a natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

Pseudonymisation

Processing personal data so that it can no longer be attributed to a natural person without the use of additional information. That additional information must be stored separately, and measures must be taken to ensure the personal data cannot be linked to an identified or identifiable natural person.

Restriction on Processing

The marking of stored personal data so that it can only be used for limited processing in the future.

Right of Access

Data subjects have the right to access their personal data and obtain information about how the data is processed by the data controller.

Special Categories of Personal Data

Any data relating to the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of a natural person, along with their genetic data and biometric data. It also includes data concerning the health, sex life or sexual orientation of a natural person.

Subject Access Requests

Formal requests from a data subject for a copy of all relevant personal data held by a data controller.

Where to Learn More About the GDPR

Navigating the language of the GDPR takes some getting used to. We hope that our quick guide on the GDPR glossary of terms helped you to get more familiar with the wording of this legislation.

You and your team can take our GDPR Staff Awareness Training to further your knowledge of the GDPR. This short course explains the purpose and principles of the GDPR. Participants learn about user rights and the responsibilities of businesses for data protection. It’s a great way to ensure your business stays on the right side of the GDPR.
