As the clock counts down to 25th May 2018 when the EU GDPR becomes enforceable, this blog post takes a look at the GDPR key definitions and terminology within the regulation that companies should familiarise themselves with:

  • Personal Data: Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. Personally Identifiable Information can also relate to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Data Controller: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data Processor: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Data Processing: When single or multiple operations are performed on personal data (collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction).
  • Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • Pseudonymisation: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Personal Data Breach: If there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, this is classed as a Personal Data Breach.
  • Principles: Under the GDPR, the data protection principles set out the main responsibilities for organisations.
  • Supervisory Authority: An independent public authority which is established by a Member State. Read our previous blog post about the UK’s Supervisory Authority – the Information Commissioner’s Office (ICO) and what you need to know.
  • Binding Corporate Rules: These are personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more international markets.
  • Cross-Border Processing: If – as a company – your personal data processing activities takes place in more than one EU member state, or if you control data that could substantially affect data subjects in more than one EU member state, this is known as Cross-Border Processing.

The above are just some of the GDPR key definitions and terminology within the EU General Data Protection Regulation. If you’re not familiar with any of the above GDPR key definitions and terminology or would like to find out how we can help your business prepare for compliance through our staff training and awareness programmes, contact us today.