13 Key GDPR Terms You Need to Know
GDPR: General Data Protection Regulation. It's a massive piece of legislation and if you want to read all 250+ pages, talk about it with fellow data nerds or marketing professionals, or just comprehend the various articles online, you need to know some of the key terms.
1. Personal Data – This is the broad term for any information related to an individual or ‘Data Subject', that can be used to directly or indirectly identify the person. This can be anything from a name or address to a fingerprint or banking details.
2. Binding Corporate Rules (BCRs) - The set of internal rules adopted by multinational companies in to define their global policies on international data transfers within the same corporate group towards countries that don't share the same level of protection.
3. Processing – An automated or manual action performed on personal data, for example collection, organization or recording. For processing of personal data to be lawful under the GDPR, businesses must identify a lawful basis for this action.
4. Data Controller - Like the existing Data Protection Act (DPA), the GDPR applies to Data Controllers who process personal data. So first, who is the Data Controller? This is a person who decides the purpose for which any personal data is to be processed and the way in which it is to be processed. This can be decided by one person alone or jointly with other people.
5. Data Processor - Unlike the DPA, the GDPR introduces specific responsibilities for the Data Processor. These are third parties that process data on behalf of the Data Controller and includes IT service providers.
6. Consent - The concept of "consent" is foundational to EU data protection law. In general, the validly obtained consent of the data subject will permit almost any type of processing activity, including Cross-Border Data Transfers.
7. Data Protection Officer - A Data Protection Officer is someone who is given formal responsibility for data protection compliance within a business. Not every business will need to appoint a data protection officer – you need to do so if:
- Your organization is a public authority; or
- You carry out large-scale systematic monitoring of individuals (for example, online behavior tracking); or
- You carry out large-scale processing of special categories of data or data relating to criminal convictions and offenses.
8. Data Protection Authority (DPA) – Every country will have its own DPA, a national authority responsible for the protection of data and privacy as well as implementing and enforcing data protection law. For example, in France it's the Commission nationale de l'informatique et des libertés (CNIL) and in the UK it's the Information Commissioner's Office (ICO).
9. Biometric Data - Personal data that resulted from specific processing related to physical and behavioral features of a person, which allows the identification of that person.
10. Data Subject – When a piece of data relates to an individual, then they are known as the data subject. This could be you, me or anyone as long as they can be clearly identified from the data in question.
11. Right to be Forgotten - The right to erasure of personal data or ‘the right to be forgotten' enables an individual to request the deletion or removal of personal data whether there is no compelling reason for its continued processing.
12. Pseudonymous Data - Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified. A good example of pseudonymous data is coded data sets used in clinical trials.
13. Cross-Border Processing - Processing of personal data when the controller or processor is established in more than one Member State, and the data processing takes place in more than one Member State, OR processing activities that take place in a single establishment in the Union, but that affects data subjects from more than one Member State.