GDPR jargon busting cheat sheet

Executive bad communication. businessman don’t understand. talking confused. Flat design business financial marketing banking concept cartoon illustration.

Abi and I attended the GDPR Europe ’Roadmap for Marketers’ Conference at 155 Bishopsgate on Tuesday. The day was extremely insightful and provided us with some useful key takeaways, which Abi's talked about in her blog post here. As you'd expect from a conference about GDPR, the day was filled with abbreviations and technical jargon, fortunately, the conference had provided a glossary of terms put together by leading experts for delegates to refer to, which we thought was so useful we wanted to share with you.

GDPR Europe 'Roadmap for Marketers' Glossary of Terms:

  • Binding Corporate Rules (BCRs) - A set of internal rules put in place to allow multinational companies and organisations to transfer personal data that they control from the EU to their affiliates outside of the EU, but within the organisation.
  • Biometric data - Any personal data relating to the physical, physiological, or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images.
  • Breach notifications - UK organisations will be required to report data breaches to the ICO within 72 hours of becoming aware of it. In serious cases, where customer data is at serious risk, the individuals concerned must be notified.
  • Consent - Informed, unambiguous, freely given, specific and explicit consent by statement or action from the data subject to have data relating to him or her processed.
  • Cross-border processing - The processing of personal data when the controller or processor is established in more than one EU Member State and the data processing takes place in more than one Member State, or processing activities that take place in a single establishment in the Union, but that affects data subjects from more than one Member State.
  • The Data Protection Act - Implemented by the UK government in 1998 to control how personal information is used by organisations and give legal rights to individuals.
  • Data protection authority - National authorities that enforce the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the EU. The UK's data protection authority is the Information Commissioner's Office (ICO).
  • Data controller- A legal individual, publish authority, agency, or body which, alone or jointly with others, determines the purposes and methods of processing personal data.
  • Data processor - A legal individual, publish authority, agency, or body which processes personal data on behalf of the controller.
  • Data protection officer - An expert on data privacy who works independently to ensure that an organisation is adhering to the policies and procedures in the GDPR.
  • Data subject - A data subject is a natural person who can be identified by the data stored whose personal data is processed by a controller or processor.
  • Delegated acts - Non-legislative acts enacted in order to supplement existing legislation and provide criteria or clarity.
  • Directive - A legislative act that sets out a goal that all EU countries must achieve through their own national laws.
  • Encrypted data - The protection of personal data through technological measures to ensure that the data is only accessible/readable by those with specified access.
  • Genetic data - Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the health or physiology of the individual.
  • Personal data - Any information related to an identified or identifiable natural person or 'data subject' that can be used to directly or indirectly identify the person.
  • Personal data breach - A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • Privacy by design - An approach to projects that designs privacy and data protection compliance from the start, rather than as an afterthought.
  • Privacy Impact Assessment - A tool that is used to identify and reduce the privacy risks of a project. A PIA helps reduce the risk of misuse of personal data processed and can help to design more efficient and effective processes for handling personal data.
  • Processing - Any operation performed on personal data, such as including collection, use, recording, etc.
  • Profiling - Automated processing of personal data which enables aspects of an individuals personality or behaviour, interests, and habits to be determined, analysed and predicted.
  • Pseudonymisation - A process to make personal data no longer attributable to a single data subject without the use of additional data. Additional data must be separate to ensure non-attribution.
  • Recipient - An entity to which the personal data is disclosed.
  • Representative - Any person in the Union explicitly designed by the controller to be addressed by the supervisory authorities.
  • Right to Access - Also known as 'Subject Access Right'. Data subjects are entitled to have access to the information about the personal data that a controller has concerning them.
  • Right to Erasure - Also commonly known as the 'right to be forgotten'. GDPR enhances this concept to give individuals more power to request the removal or deletion of their personal data. Depending on the circumstances, organisations will also have to remove backups and archived data, as well as information shared with third parties.
  • Right to Portability - Allows individuals to obtain their personal data and reuse it elsewhere if they wish to. Organisations are obliged to comply with requests providing the information in question meets a specific set of criteria and must be provided in a commonly used and readable format.
  • Supervisory authority - public authority with the primary responsibility for dealing with a cross-border data processing activity. For example, when a data subject makes a complaint about the processing of his or her personal data, an organisation will contact them for compliance activity such as registering a data protection officer, notifying a risky processing activity or notifying a data security breach.
  • Third Country - Recipients located outside the EEA.
  • Trilogues - Information negotiations between the European Commission, the European Parliament and the Council of the European Union. They are usually held following the first readings of proposed legislation to help move to a quicker agreement on how the text can be adopted.


For more information on the GDPR Conference Europe: Roadmap for Marketers, visit their site here. And don't forget, you can always follow our conference and event coverage live on Twitter @unicorntraining.


Lucy Mitchell

Lucy Mitchell

Marketing Executive

With over 10 years’ experience in the Financial Services industry, Lucy has a varied background…

View articles by author

Subscribe to the Unicorn newsletter for the latest updates

Please complete missing fields or check information is correct.