GDPR Key Definitions

This document contains key definitions for some of the terms and jargon you might come across in a GDPR context. This is not intended to be an exhaustive list of GDPR definitions and, where technical terms are explained in the course lectures, they are not generally duplicated here.

Personal Data (also Personally Identifiable Data) - any information that is to do with an identifiable person. The definition of Personal Data under the GDPR is wide. For example, personal data might include a wide range of information such as names, addresses, social media “likes”, hair colour, voting records and images of the person.

Data Subject - any person to whom Personal Data may relate.

Data Controller - any person or organisation that decides that personal data is to be processed, and determines how and why that processing should take place, is considered a Data Controller. Any Data Controller may process personal data itself or may instruct Data Processors to work on its behalf; in either case, the Data Controller is responsible for ensuring that processing is in line with the GDPR.

Data Processor - any person or organisation who processes personal data on behalf of a Data Controller will be considered a Data Processor. The GDPR considers that Data Processors are always working under the instruction of a Data Controller.

Special Categories of Personal Data - specific categories of personal data that are considered to have extra sensitivity and therefore require additional safeguards. Special Personal Data includes information such as health, sexual preferences and behaviour, political allegiances, criminal convictions and trade union membership. This was previously defined as sensitive personal data under the Data Protection Act.

Supervisory Authority - regulatory organisations that exist in each EU member state to enforce the correct implementation of the GDPR. In the UK, the Information Commissioner's Office (ICO) is the Supervisory Authority.

Profiling - the use of automated data processing to determine or predict characteristics that relate to individuals from their data. Any activity that compares personal data against a checklist in order to allocate individuals to a group of similar people, such as identifying marketing segments, is likely to count as profiling. Profiling is subject to specific safeguards where it produces legal or significant effects on the data subject.

