Data Protection Common Terms

Data protection glossary: common terms explained

January 23rd, 2023 Posted in Compliance, Data Protection

Any given subject usually comes with its own set of acronyms and jargon. A quick scan through our own website and service offerings such as data protection, proves just that. It makes sense to us because we live it every day but if you’re just trying to get on with running your business and data protection is not your area of expertise, trying to find all the relevant information (and some of it can be contradictory) through search engines can quickly become daunting.

If you’re a startup, you probably have questions such as: Should you outsource your DPO? We also have some great resources for new businesses who are just getting started on their compliance journey, such as 8 tips on data protection for start-ups. But, to get you started, let’s begin with the basics, here is a Data protection glossary of the most common terms to help you on your way to understanding compliance terms.


The General Data Protection Regulation (2016/679) is a European Regulation designed to protect the privacy of citizens in the European Union and European Economic Area and to give individuals control over how their personal data is used. Its purpose was to harmonise the various data protection legislation across the EU and came into force on the 25th of May 2018. In 2021 there were changes to GDPR and international transfers due to Brexit, which are helpful to know about.

DPA 18

The Data Protection Act 2018 is a British law which governs the use of the personal information of British citizens. It complements the GDPR and came into force on the 23rd May 2018. When dealing with UK Citizens, the GDPR and DPA18 should both be referred to jointly.


The United Kingdom General Data Protection Regulation retains the GDPR in UK domestic law now the transition period has ended and the UK has left the EU, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.


Under the GDPR’s e-privacy directive, there are specific rules concerning individuals’ privacy rights in relation to electronic communications such as emails and cookies. The UK has incorporated this directive into UK law via the PECR – Privacy and Electronic Communications Regulation. There is a cross-over between the GDPR and PECR so both should be consulted jointly, especially when marketing to individuals. Read our latest post on Email Marketing in the UK.

Personal data

What is Personal Data? Any information (information is also referred to as data) of an identified or identifiable natural person. As well as the obvious ‘name’, this includes reference numbers, online identifiers, location data, physical, physiological, mental, genetic, economic, cultural or social information that can be used on its own or put together to identify that person. Read our blog on data sharing code of practice here to learn when it’s ok to share personal data.

Natural person

A living person (the deceased does not have data privacy rights).

Data subject

Natural person (see above).


There is a distinction between those who ‘control’ data and those who ‘process’ it. The distinction is important because there are slightly different requirements applied depending on who you are. The data ‘controller’ is the natural or legal person, public authority, agency or other body which alone or in conjunction with others determines why the data is needed, (the purpose) and how it will be processed. If you’re a controller, then you’ll also be a processor. To use an analogy of driving a car, if you’re the driver then you could also be considered a passenger. All passengers have to wear a seatbelt but if you’re a driver then you have other tasks and requirements to meet.


The data ‘processor’ is any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The processor would be a third-party supplying a service to the controller.


European Data Protection Board. The EDPB is an independent European body which ensures all member states apply the GDPR correctly and consistently. It is made up of representatives from the supervisory bodies of the individual member states, (the UK representative is the Information Commissioners Office (ICO)).


Information Commissioner’s Office is the UK’s Independent public body which governs and upholds data protection laws. The ICO falls under the government department for Digital, Culture, Media and Sport. It investigates breaches to data protection law and can issue fines in line with the UK GDPR to offending natural persons, organisations, agencies or bodies.

If you control or process the personal information of UK citizens on any electronic device including CCTV for crime prevention, you will most likely have to pay the annual fee to the ICO. You can check if you have to pay by using the ICO’s self-assessment checker. If you become aware of a data breach within your organisation you may be required to report it to the ICO.

Subject Access Request (SAR)

Individuals have the right to ask you what personal information your organisation holds on them. You have to respond within one calendar month of receiving their request unless the request is complex or you have many concurrent requests, in which case you can extend the deadline to three calendar months as long as you inform the data subject of the delay and state your reason. Read our latest blogs on ‘Understanding subject access requests’, Understanding Subject Access Requests – Part 2: Refusing to comply and Understanding Subject Access Requests – Part 3: Third Parties and Complaints Data.

Legitimate Interest Assessment (LIA)

Under the GDPR there are six lawful bases upon which you can process data. Consent for example is one of the lawful bases which requires a data subject to give you permission to process their data. ‘Legitimate Interest’ is a lawful basis whereby you can process personal data if you deem it necessary to carry out your business but to justify your decision, you have to weigh up the rights and freedoms of the individual with the purpose for which you believe you need to process the data. This requires you to carry out a Legitimate Interest Assessment. If you process data under the basis of Legitimate Interest, it is a legal requirement to carry out an LIA.

Data Protection Impact Assessment (DPIA)

If you process high-risk data such as biometric data (learn more about the full list of types of high-risk data), it is a legal requirement under the GDPR to carry out a Data Protection Impact Assessment. The aim of the DPIA is to help you clarify what personal data you control and why you need it so that you can either justify why you’re collecting it or decide to stop collecting it. For more information, read our Guide to DPIAs.

Record of Processing Activities (RoPA)

Under the GDPR, if your organisation processes personal data, you must create a Record of Processing Activities and keep it up to date. This document lists all the types of personal data that your organisation controls and/or processes.

Privacy notice

If you process personal data, you must make it clear to the data subject what data you are processing, why you need it, under what lawful basis you are collecting it, how long you intend to keep it, what third parties you send it to do, why and what they will be doing with it. Your Privacy notice must be easily accessible and written in a clear and transparent way. Read in more detail, about how to write privacy notices.

Data transfers

Sometimes businesses that process personal data of citizens in the EU and EEA, need to send that data to a supplier outside of the EEA where it loses the protection of the GDPR. This could be as simple as the cloud provider you are using being based outside of the EEA. In certain circumstances, such as the EU Commission determining that a country has adequate data protection standards, this is permitted by the GDPR and is referred to as a ‘restricted transfer’. If there is no adequacy decision you have to ensure that certain safeguards are in place such as a contractual agreement. Learn more about data transfers here. ICO publishes updated guidance on international data transfers.

Need help?

If you are trying to clarify whether you are at risk of a data breach, or want to discuss what your business needs in order to prevent a breach, we can help. Our highly qualified, expert consultants offer a wide range of data protection services

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Evalian Icon PNG

Written by Evalian®