Find definitions for the key terms that you need to understand for data protection compliance under the GDPR and the DPA 2018.
GDPR stipulates that organisations must be able to show evidence of their compliance with data protection laws. Accountability is the capacity of organisations to show that they are carrying out measures demanded by the regulations.
The notion that data controllers should keep personal data up to date and accurate, taking reasonable steps to ensure that inaccurate data is corrected.
Data that cannot be traced back to an identifiable individual, and hence falls outside the scope of the GDPR.
A non-regulatory EU-level data protection body that provided advice on how to comply with data protection law to the Member States before the introduction of GDPR. The organisation comprised members of the national data protection authorities and the EDPS. It has been replaced by the EDPB under GDPR.
Legally enforceable rules that enable a multinational company or organisation to transfer personal data from its entities in the EU to its entities (subsidiaries and affiliates but not third parties) in countries outside the EEA.
Biometric data refers to any data derived from a data subject's biology or physical body. These data could include information regarding the physiological, behavioural or physical characteristics of a natural person, including iris scans, fingerprints, and facial images.
A security failure that leads to the accidental or unlawful access, disclosure, loss or destruction of personal data.
The requirement for organisations to report a personal data breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of the breach. The individual data subjects affected by the breach may also need to be notified where there is a risk to their rights or freedoms.
Any act by the owner of data that indicates that they are willing to allow their data to be processed for a specific purpose. Consent must be unambiguous, informed, specific and freely given and can be retracted by the data subject at any time under GDPR.
Any situation in which the data processor or data controller operates across multiple Member States and processes personal information across those borders. Cross-border processing also refers to a situation in which a data controller operates in one country, but receives data from data subjects in multiple countries.
The controller (an organisation or an individual) is the main decision-maker in relation to personal data. Controllers exercise overall control over the purposes and means of the processing of personal data. Employers are data controllers of their employees' data. Joint controllers are two or more controllers that jointly determine the purposes and means of the processing of the same personal data.
Data portability is a scheme that makes it easier for individuals to transfer their data from one controller to another. GDPR gives data subjects the right to receive their data in electronic format and then pass it on to another controller (for example, if they want to change service provider).
A DPIA is a process used to help identify and minimise the data protection risks that come with processing personal information. Certain types of processing require a DPIA; this is usually the case when the processing is considered to be high risk.
In the context of data protection, processing covers a wide range of manual or automated operations performed on personal data, including the collection, recording, structuring, storage, adaptation or alteration, archival, retrieval, consultation, use, disclosure by transmission, dissemination or publishing, combination, restriction, and erasure or destruction of personal data.
A legally binding contract (required under GDPR Article 28(3)) that states the rights and obligations of the data processor and data controller concerning the protection of personal data.
Any individual or organisation with authorisation to edit, modify, delete, transfer, use or change a data subject's personal data. A data controller can also be the data processor, or may outsource processing to a third party (which then becomes the data processor).
The Data Protection Act 2018 sets out the data protection framework in the UK, alongside the GDPR.
Each member state of the EU has a data protection authority or supervisory authority. The job of the national DPA is to ensure that member states of the EU enforce data protection law. Many DPAs have extensive enforcement powers, allowing them to impose fines on organisations and individuals who do not comply. The authority in the UK with these powers is the ICO.
A data protection officer is a person who works in an organisation to ensure that the business complies with data protection laws. Not all organisations have DPOs, but some are required to by law, especially those that process special categories of data. The DPO is responsible for monitoring data protection compliance, keeping us informed about our data protection obligations, and providing any advice necessary for remaining compliant at all times.
Seven key principles set out by the GDPR that should lie at the heart of any approach to processing personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Data security is the term used for how digital data is protected from the unwanted actions of unauthorized users, including cyber-attacks and data breaches.
A data subject is any person to whom data can be attributed and, thus, falls under the jurisdiction of existing data protection laws. Subjects could include a customer, employee, a third-party contact or any individual with whom a data controller interacts.
Data Protection Act 2018
The EDPS, or European Data Protection Supervisor, is an EU-level public body that ensures that institutions within the EU respect EU citizens' rights to privacy and data protection while processing their data. The body is made up of representatives from member state national data protection institutions.
Encryption is a mathematical operation that encodes data in such a way that it can only be accessed by authorised users. Article 32 of the GDPR includes encryption as an example of an appropriate technical measure.
A principle which states that a data controller should put in place facilities that enable the data subject to exercise rights pertaining to their data. Under the fairness principle, data controllers could include facilities that provide access, rectification and erasure of the data as well as those that allow the subject to place restrictions on processing or transfer the data from one controller to another.
The General Data Protection Regulation (GDPR) is an EU law that concerns the privacy and data protection of all citizens in the EU and the European Economic Area (EEA).
Any data that describes the biological characteristics of a subject at the level of DNA. Genetic information, for instance, could include a person's entire genome, their genetic markers, DNA information that can identify them, or information related to their characteristics or disease status.
The Information Commissioner's Office is the supervisory authority under the data protection laws in the UK. It is a non-departmental public body that reports directly to the UK Parliament. Data controllers and data processors in the UK need to register with the ICO and must notify data breaches to the ICO.
A legal paradigm that states that organisations should only use personal data on the grounds specified by GDPR. The legitimate use of data includes situations in which an individual gives their consent, there is a contract with the individual, or using data allows the organisation to comply with an existing legal obligation.
Countries that are part of the European Economic Area (or European Union) and subject to GDPR.
Data processors should keep as little information on data subjects as possible and only collect data that they require for their processing. They should not seek out additional data that is not necessary for them to carry out their objectives.
A natural person refers to an entity under the law classified as a human being. A non-natural person under the law could refer to an organisation, public or private, sometimes called a legal person.
Many businesses have locations across a number of EU Member States. The One-Stop-Shop concept allows companies to deal with the lead GDPR regulator in their home country, not all regulators in all countries in which they operate.
In the UK, only children aged 13 or over are able to provide their own consent for the processing of their personal data. Below this age, it is necessary to obtain consent from whoever holds parental responsibility for them.
Personal data includes any data that a third party could use to verify the identity of the data subject - the person to whom the data refers. It could consist of bank details, phone numbers, addresses, names, photos or data gleaned from social networks.
An event in which a subject's data is somehow lost, stored, disclosed or transmitted in a way that contravenes the GDPR. Personal data breaches can be either accidental or deliberate.
A set of basic statements describing the spirit and purpose of the GDPR. The principles also set out the main objectives of the regulations and the mission of the public bodies that will enforce them across the EU.
A concept whereby organisations build privacy into their processes from the outset, reducing the likelihood of a data breach in the future. Privacy by design, for instance, could involve developing in advance technical systems that protect subject data better than existing ones, rather than waiting for a data breach to prompt changes.
GDPR rules state that data controllers must create a privacy impact statement (also called a Data Protection Impact Assessment) whenever processing data that might present a privacy risk. Data processing could be a privacy risk because of its purposes, scope or nature.
A privacy notice is a document in which a data controller tells people what it will be doing with their personal data, whom it will share the data with, and so on.
The EU-US Privacy Shield is a scheme that is deemed by the European Commission to provide adequate protection to allow personal data to be transferred to entities in the United States that are registered under this scheme.
Visit the privacy shield website to verify if an organisation is registered.
See Data Processing.
Profiling is a tool that attempts to use patterns in data to discern secondary information about a subject. Companies often use profiling to analyse employee behaviour, preferences or capacity to perform reliably at work.
A process that permits the processing of data such that the contents can no longer be traced back to the original data subject without the use of additional information. Organisations and data controllers who use pseudonymisation often keep identifiable and non-identifiable data separately.
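The pseudonymisation and anonymisation entries above describe the technique only in words. The following is an added illustration, not part of the original glossary: it replaces direct identifiers (here assumed to be name and e-mail) with a keyed token and keeps the re-identification table and key in a separate "vault" object, which stands in for the separately held "additional information". The sample records and field names are constructed for the example.

```python
"""Added pseudonymisation example; the records, field names and IdentityVault class are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records: fictitious people and values.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "postcode": "AB1 2CD", "purchase": 42.50},
    {"name": "Bob Example", "email": "bob@example.test", "postcode": "EF3 4GH", "purchase": 10.00},
    {"name": "Alice Example", "email": "alice@example.test", "postcode": "AB1 2CD", "purchase": 7.25},
]

# Fields treated as direct identifiers; they are removed from the working dataset.
DIRECT_IDENTIFIERS = ("name", "email")


class IdentityVault:
    """Holds the secret key and the token -> identity table.

    This is the 'additional information' needed to re-identify a record, so it
    should live on a separate system with stricter access than the working data.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, Dict[str, str]] = {}

    def token_for(self, record: dict) -> str:
        # A keyed HMAC rather than a bare hash: without the key, nobody can take a
        # guessed e-mail address, recompute the token and confirm a match.
        subject_id = record["email"].strip().lower().encode()
        token = hmac.new(self.key, subject_id, hashlib.sha256).hexdigest()[:16]
        # Remember the identifiers for this token so re-identification stays possible.
        self.lookup.setdefault(token, {f: record[f] for f in DIRECT_IDENTIFIERS})
        return token

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        """Return the direct identifiers behind a token, or None if unknown to this vault."""
        return self.lookup.get(token)


def pseudonymise(records: List[dict], vault: IdentityVault) -> List[dict]:
    """Return copies of the records with direct identifiers replaced by a subject token.

    The same subject yields the same token, so analysis can still link a subject's
    records together without seeing who the subject is.
    """
    out = []
    for rec in records:
        token = vault.token_for(rec)
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_token"] = token
        out.append(stripped)
    return out


def has_direct_identifiers(record: dict) -> bool:
    """True if any direct identifier field is still present in the record."""
    return any(f in record for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    vault = IdentityVault()
    working = pseudonymise(SAMPLE_RECORDS, vault)
    for row in working:
        print(row)
    print("re-identified via vault:", vault.reidentify(working[0]["subject_token"]))
```

The working dataset keeps the postcode, so the output is pseudonymised rather than anonymised: combined with the vault, or with other data, the records can still be traced back to a person, which is why it remains personal data under the GDPR. Rotating the vault key produces unlinkable tokens, which is one way to limit how long pseudonymised datasets stay linkable.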
Data processors should only collect data for explicit, legitimate reasons and not use it in further ways that are not compatible with the initial purpose.
The correction and/or completion of inaccurate or incomplete data.
The official regulation code for the EU General Data Protection Regulation (GDPR) approved by the European Parliament and Council on April 27, 2016. GDPR applies to member states without the need for national legislation implementation.
GDPR puts in place restrictions for any organisation wanting to transfer data outside of the EEA. The rules define transfer as not only the physical transportation of data outside of the EEA, but also the remote viewing of EU data subjects' data by international third parties, e.g. by digital means.
The act of marking stored data to prevent the further use or processing of that data in the future. A data controller, for instance, might restrict processing, if he or she believes that further use of the data might put the privacy of the owner at risk.
Data subjects have the right to access all the data that we hold on them. Such a request is called a Subject Access Request (SAR). It can be made to us verbally, or in writing on paper or through any online channel.
Data subjects have the right to be informed about the purpose for which we are holding and processing their personal data. This is typically done with a privacy notice.
Data subjects have the right to data portability - ie to obtain a copy of their data in a standard format, even if they are moving it to one of our competitors.
Data subjects have the right to the erasure of their data (also known as the right to be forgotten) unless we have a legitimate interest to hold the data.
If the data subject doesn't want their data to be used for a certain purpose - e.g. profiling - they have the right to object.
Data subjects have the right to rectification of any inaccurate or incomplete data.
In addition to the right to erasure, data subjects also have the right to restrict processing, whereby we may store the data but have to refrain from processing it.
Data subjects also have rights with respect to automated decision making and profiling.
Any form of personal data that the GDPR considers uniquely special or sensitive. These data include information relating to religious affiliation, sexual orientation, ethnic and racial origins, trade union membership, and biometric/DNA data that could identify a person.
The storage limitation principle states that data controllers must only retain information for as long as they need it for processing purposes. Data controllers should not keep personal data for longer than is necessary. Long-term storage is only permitted for public interest archiving or statistical research purposes.
GDPR rules state that subjects have the right to access their personal data held by a data controller. A subject can request a data controller to give them access to any personal data that they hold.
A subject access request is a request for access made by the data subject. The GDPR does not specify how to make a valid request. Therefore, it could be verbal or in writing. It can be made to any part of the organisation - it does not have to be to a specific person or contact point. It doesn't even need to formally say 'subject access request'. As long as it is clear that the individual is asking for their own personal data, the organisation needs to recognise it as a SAR and respond to it within one month. Unless the request is manifestly unfounded or excessive or repetitive, the organisation cannot charge a fee.
See Data Protection Authority, or ICO in the UK.
The term territorial scope refers to the geographic region over which the EU GDPR rules apply. Currently, GDPR encompasses the European Economic Area (EEA), which includes all current 28 EU member states. It also covers additional territories, including Norway, Liechtenstein and Iceland. It does not include Switzerland.
In the context of GDPR, a third party is any person who legitimately interacts with protected data and is neither a data subject nor a data controller. Third parties receive authorisation to process or view data from either the data controller or the data subject.
The notion that data controllers should give data subjects data on request that is accessible, understandable, intelligible and provided in written form. Thus, data subjects should be able to understand the data the organisations or data controllers have about them and be able to make requests based on those data.
Customers who are more vulnerable than others, for example because of their state of mental capacity or because they have been diagnosed with a terminal illness. The category and volume of data that a firm may now hold on such a customer can far exceed what the firm originally expected, and reach far deeper into the customer's personal life than the data storage and retention controls the firm initially established were designed for.