With GDPR just a couple of weeks away, no doubt your organisation has started to take the necessary steps towards compliance. But the language around GDPR can make the somewhat daunting task of trying to comply even more overwhelming. Unfamiliar acronyms and ‘techie’ jargon simply add to the confusion many organisations already feel around GDPR. In this blog, we simplify some of the most common terminology associated with GDPR, which will help you create clear GDPR compliance goals within your organisation.
GDPR glossary of terms
Accountability – a key principle of GDPR which holds organisations responsible for complying with the other principles of GDPR. The accountability principle requires organisations to provide evidence that procedures are in place to comply with GDPR.
Binding Corporate Rules (BCRs) – rules allowing multinational organisations to transfer personal data from the EU to affiliates outside the EU.
Biometric Data – personal data relating to the physical, physiological or behavioural characteristics of an individual.
Consent – consent given by a data subject to have their personal data processed. It should be freely given, informed and explicit.
Controller – a company, organisation or person that collects data and decides how it will be used.
Data Breach – a security issue in which data is accidentally or unlawfully accessed, lost, used, disclosed and/or shared.
Data Privacy Impact Assessment (DPIA) – an assessment of your organisation, also known as a gap analysis, which can identify privacy risks and areas in need of attention and review in order to become GDPR compliant.
Data Protection Officer (DPO) – an individual who oversees an organisation’s data security and compliance with GDPR.
Data Subject (also known as an Identifiable Natural Person) – an EU citizen whose personal data is processed by a controller or processor.
Data Subject Rights – the rights afforded to every data subject which govern how their data can be processed.
Encrypted data – data that is protected because it has been translated into another form or code. Only people with specific access can read encrypted data.
ICO – Information Commissioner’s Office. The UK body responsible for upholding GDPR.
Member State – a country that is a member of the European Union.
Personal Data – information relating to an identifiable data subject (e.g. name, national ID number, etc.).
Principles – the set of data protection principles which form GDPR and that set out the main responsibilities for organisations.
Processor – a company, organisation or individual that processes data, but doesn’t decide what to do with the data.
Profiling – automated processing of data to analyse or predict the behaviour of the data subject, including personal preferences, work performance, location, health, economic status etc.
Pseudonymisation – when personally identifiable data is replaced with artificial identifiers or pseudonyms.
Sensitive Personal Data – special categories of personal data including racial or ethnic origin, religious or political views, sexual orientation, health, genetic and biometric data. Criminal convictions are not included.
Subject Access Request – a request made by a data subject to find out what data an organisation holds relating to them.
Supervisory Authority – a public authority created by EU member states according to article 46 of GDPR.
Third Country – a country or countries outside the EU. If a third country sells products or services into the EU they must comply with GDPR.
Hopefully this glossary has explained some of the terms and phrases you may have heard in recent weeks. We hope it helps you in setting out and achieving your GDPR compliance goals. Core has also created a useful GDPR guide and checklist to help you assess your current level of compliance. To download your free checklist, click below:
Do you have something to add to our list? Let us know in the comments!