Definitions
To make sense of the law you need to understand what certain things mean. Here are some of the key definitions in the GDPR / Data Protection Act:
‘personal data’ – any information relating to an identified or identifiable living person
‘data subject’ – an individual whose personal data is being processed
‘processing’ – means virtually everything you do with personal data – collecting, storing, considering it, sharing, erasing…
‘profiling’ – any form of automated [‘computers’] processing of personal data consisting of the use of an individual’s personal data to evaluate certain personal aspects of that individual. Typically used to analyse behaviour or predict what someone might do in the future.
‘pseudonymisation’ – working on personal data so that it can no longer be attributed to a specific individual without the use of additional information, i.e. a ‘key’.
‘controller’ – someone who determines the purposes (why) and means (how) of the processing of personal data.
‘processor’ – someone who processes personal data on behalf of the controller, e.g. storage, transcription, payroll…
‘recipient’ – someone to whom personal data is disclosed
‘consent’ – the freely given, specific, informed and unambiguous indication of an individual’s agreement to the use of their personal data
‘personal data breach’ – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Special category personal data – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Also genetic data, biometric data processed for the purpose of uniquely identifying someone, data concerning health, or data concerning a person’s sex life or sexual orientation.
Privacy Notice – information you provide to an individual when you want to collect their personal data. Typically includes what data you are collecting, why, who it might be shared with etc. You may need to give one even where you receive the personal data indirectly.
Data Subject rights – the rights of individuals under the GDPR, such as to receive a copy of their data, to correct inaccurate information, to be forgotten, to restrict or object to processing etc.
Restrictions – where the law (see the Data Protection Act 2018) allows a controller to depart from the obligation to comply with a data subject right.
Record of Processing Activities – a document a controller (and to some extent a processor) has to create recording what data they process, on whom, why etc.
Information Commissioner’s Office (ICO) – the body that oversees the operation of data protection law in the UK
Data Protection Impact Assessment (DPIA) – a means of identifying risks to the privacy of individuals if proposed processing is carried out. A DPIA should also highlight what needs to be done if risks are identified.
Data Protection Officer – an individual whose role is to advise the controller on law and practice relating to data protection and to monitor compliance, amongst other things.
Restricted transfer – transferring personal data outside (the protection of) the EEA.
Adequacy – a finding by the EC that it is satisfied with the level of data protection offered by a country outside the EEA
Standard Contractual Clauses – contract terms that a controller and another controller (or processor) enter into in order to protect personal data where it is sent out of the EEA
The Law Enforcement Directive – the ‘GDPR’ for law enforcement. Found within the DPA 2018.
Enforcement Notice – a notice served by the ICO requiring a controller to stop doing something or to do something. Can be appealed.