GDPR jargon busting cheat sheet

GDPR Europe 'Roadmap for Marketers' Glossary of Terms:

• Binding Corporate Rules (BCRs) - A set of internal rules put in place to allow multinational companies and organizations to transfer personal data that they control from the EU to their affiliates outside of the EU but within the organization.
• Biometric data - Any personal data relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images.
• Breach notifications - UK organizations will be required to report data breaches to the ICO within 72 hours of becoming aware of it. In serious cases, where customer data is at serious risk, the individuals concerned must be notified.
• Consent - Informed, unambiguous, freely given, specific and explicit consent by statement or action from the data subject to have data relating to him or her processed.
• Cross-border processing - The processing of personal data when the controller or processor is established in more than one EU Member State and the data processing takes place in more than one Member State, or processing activities that take place in a single establishment in the Union, but that affects data subjects from more than one Member State.
• The Data Protection Act - Implemented by the UK government in 1998 to control how personal information is used by organizations and give legal rights to individuals.
• Data protection authority - National authorities that enforce the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the EU. The UK's data protection authority is the Information Commissioner's Office (ICO).
• Data controller- A legal individual, publish authority, agency, or body which, alone or jointly with others, determines the purposes and methods of processing personal data.
• Data processor - A legal individual, publish authority, agency, or body which processes personal data on behalf of the controller.
• Data protection officer - An expert on data privacy who works independently to ensure that an organization is adhering to the policies and procedures in the GDPR.
• Data subject - A data subject is a natural person who can be identified by the data stored whose personal data is processed by a controller or processor.
• Delegated acts - Non-legislative acts enacted in order to supplement existing legislation and provide criteria or clarity.
• Directive - A legislative act that sets out a goal that all EU countries must achieve through their own national laws.
• Encrypted data - The protection of personal data through technological measures to ensure that the data is only accessible/readable by those with specified access.
• Genetic data - Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the health or physiology of the individual.
• Personal data - Any information related to an identified or identifiable natural person or 'data subject' that can be used to directly or indirectly identify the person.
• Personal data breach - A breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
• Privacy by design - An approach to projects that designs privacy and data protection compliance from the start, rather than as an afterthought.
• Privacy Impact Assessment - A tool that is used to identify and reduce the privacy risks of a project. A PIA helps reduce the risk of misuse of personal data processed and can help to design more efficient and effective processes for handling personal data.
• Processing - Any operation performed on personal data, such as including collection, use, recording, etc.
• Profiling - Automated processing of personal data that enables aspects of an individual's personality or behaviour, interests, and habits to be determined, analysed and predicted.
• Pseudonymization - A process to make personal data no longer attributable to a single data subject without the use of additional data. Additional data must be separate to ensure non-attribution.
• Recipient - An entity to which the personal data is disclosed.
• Representative - Any person in the Union explicitly designed by the controller to be addressed by the supervisory authorities.
• Right to Access - Also known as 'Subject Access Right'. Data subjects are entitled to have access to information about the personal data that a controller has concerning them.
• Right to Erasure - also commonly known as the 'right to be forgotten'. GDPR enhances this concept to give individuals more power to request the removal or deletion of their personal data. Depending on the circumstances, organizations will also have to remove backups and archived data, as well as information shared with third parties.
• Right to Portability - Allows individuals to obtain their personal data and reuse it elsewhere if they wish to. Organizations are obliged to comply with requests providing the information in question meets a specific set of criteria and must be provided in a commonly used and readable format.
• Supervisory authority - public authority with the primary responsibility for dealing with a cross-border data processing activity. For example, when a data subject makes a complaint about the processing of his or her personal data, an organization will contact them for compliance activities such as registering a data protection officer, notifying a risky processing activity, or notifying a data security breach.
• Third Country - Recipients located outside the EEA.
• Trilogies - Information negotiations between the European Commission, the European Parliament, and the Council of the European Union. They are usually held following the first readings of proposed legislation to help move to a quicker agreement on how the text can be adopted.

 

Explore our Access Digital Learning and Compliance software