Glossary

Data privacy has its own language. Here are some of the key terms to help demystify the subject:

Anonymisation: To alter a data record such that it no longer allows a data subject to be identified and therefore falls outside the GDPR. Note that true anonymisation doesn’t just mean removing names and partial addresses, it may require obscuring, alteration or randomisation of many aspects of the record.
Article 29 Working Party (WP29): A committee of national Data Protection Authorities (including the UK Information Commissioner pre-Brexit), the EU’s internal regulator (the European Data Protection Supervisor) and the European Commission. It issues guidance on the interpretation of data protection laws. Replaced by the European Data Protection Board on implementation of the GDPR.
Consent: Consent is one of the 6 lawful bases for processing personal data under the GDPR. The criteria for a lawful consent are that it should be a ‘freely given’, ‘specific’, ‘informed’ and ‘explicit’ affirmative action or statement that signifies agreement.
Data Controller: An organisation which, on its own or jointly with others, collects personal data and determines the reason for collection (the ‘purpose’) and how processing will be carried out (‘the means’).
Data Portability: A new right granted to individuals by the GDPR that allows them to demand that Data Controllers should provide to them, in a commonly used and easily electronically readable format, the personal data that they provided to that organisation for processing under contract or consent.
Data Privacy Impact Assessment (DPIA): Where processing, or proposed processing, of personal data presents a high risk to data subjects, the controller must carry out a DPIA to evaluate that risk and determine the appropriate measures to be taken to demonstrate that the processing complies with the GDPR.
Data Processor: An organisation that provides data processing services for a Data Controller but does not (largely) define the purpose or means of processing.
Data Protection Authority (DPA): The GDPR devolves responsibility for managing compliance with the GDPR to national bodies known as DPAs established under local law. The UK’s DPA is the Information Commissioner.
Data Protection Officer (DPO): A person with expert knowledge of data protection law and practices whose role is to assist the controller or processor to monitor internal compliance with data privacy regulations. The DPO must be able to carry out his or her duties independently. See here for more details of which organisations require a DPO.
Data Subject: A living individual to whom personal data refers. Includes personal customers, identified individuals at corporate customers, sole traders, partners of partnerships, stakeholders, connected parties, shareholders, individuals who work for vendors and suppliers, your employees, consultants, visitors to your premises or website, prospects and leads etc.
Data Subject Access Request (DSAR or SAR): The GDPR gives individuals the right to ask an organisation for a copy of all data the organisation holds on them. This is a potentially onerous obligation for which no fee may be charged, except for frequent or manifestly unfounded requests.
ePrivacy: The ePrivacy Directive, implemented in 1996 and updated in 2002, governs electronic direct marketing, provision of telecommunications services and other electronic communication matters.
European Data Protection Board (EDPB): Replaces the Article 29 Working Party on implementation of the GDPR. Issues guidance on the interpretation of data protection laws and resolves differences in interpretation between national Data Protection Authorities.
GDPR: The General Data Protection Regulation – new EU data protection law in force from 25th May 2018.
Law Enforcement Data Privacy Directive (LEDP): The equivalent of the GDPR for Law Enforcement Agencies. Implemented as a Directive to provide flexibility for implementation in EU member states.
Lawful basis for processing: The GDPR mandates that processing is lawful only if it meets one of 6 bases: contract, consent, legal obligation, legitimate interest, vital interest, public interest. Each has its own definition and constraints.
Personal Data: Any data which, on its own or in combination with any other piece or pieces of data, could be used to identify a data subject.
Personal Data Breach: A personal data breach is not just accidental disclosure of data (for example emailing information to the wrong recipient) or a hacking incident, but also includes unauthorised access, processing of data without a legal basis, or unauthorised deletion or alteration of data. All breaches posing a ‘risk’ to individuals must be notified to the Data Protection Authority within 72 hours. All breaches posing a ‘high risk’ to individuals must be notified to the individuals concerned without delay. Both of these rules present a threat to the reputation of the organisation concerned.
Privacy and Electronic Communications Regulations 2003 (PECR): The UK Implementation of the EU’s ePrivacy Directive.
Privacy by Design and Default: Organisations need to show that they take data protection into account when designing and implementing systems that process personal data, for example by minimising the processing of personal data, pseudonymising personal data as soon as possible and improving security features. This can be done, for example, by building data privacy requirements into architectural and design policies and procedures, and making compliance with these policies mandatory for all system changes.
Processing: An operation performed on personal data, manually or by automated means, including: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Note that this includes viewing data on a screen, eg where administrative or IT support tasks are offshored to low cost locations.
Pseudonymisation: To replace identifiable parts of a record, such as a name, with an internal reference number. This reduces the risk of the data being usable in case of breach, but as it is reversible with the requisite key, it does not constitute anonymisation, and therefore pseudonymised data remains within scope of the GDPR.
Record of Processing: The GDPR requires data controllers and data processors to maintain key records of processing, purposes, categories of data processed, categories of recipients of data, and countries outside the EEA (European Economic Area) to which data has been transferred. This information can usually be derived from the organisation’s data map.
Right to be Forgotten: Also known as the Right of Erasure. The right of a data subject to request that an organisation deletes his or her data unless they have a lawful basis to hold that record, for example if other regulations require it to be held, or in cases where the organisation needs the data to support or defend against litigation.
Sensitive Data: See ‘Special Categories of Personal Data’.
Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person (eg fingerprints, voiceprints or pictures used in face-recognition), data concerning health or data concerning a natural person's sex life or sexual orientation. Also known as ‘Sensitive Data’. Processing of all these types of data is subject to severe restrictions. Information concerning criminal offences or convictions (for example, obtained in the context of DBS checks) does not fall into ‘Special Categories’ but is subject to similar restrictions.

If you have any questions about any terms which aren’t covered here, please feel free to contact us.