UK GDPR terminology guide

Data Controllers

Data Controllers are the main decision-makers. They exercise overall control over the purposes and means of the processing of personal data.

Data Processors

Data Processors act on behalf of, and only on the instructions of, the relevant Data Controller.

Data Protection Officer

An expert on data protection who acts independently within an organisation to monitor and advise on its compliance with the UK GDPR, and who serves as the point of contact for the Information Commissioner's Office and for individuals whose data is processed.

UK GDPR

The UK-specific data protection regime in force since 1 January 2021: the retained EU GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the DPPEC Regulations), which also amended the DPA 2018. The UK GDPR is read alongside the DPA 2018.

Information Commissioner's Office

The Information Commissioner's Office is the UK's independent regulator for upholding information rights in the public interest. It is responsible for the following legislation:

  • Data Protection Act
  • Freedom of Information Act
  • Privacy and Electronic Communications Regulations
  • Environmental Information Regulations
  • INSPIRE Regulations
  • The re-use of Public Sector Information Regulations

Individual rights

The UK GDPR provides the following rights for individuals:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights in relation to automated decision making and profiling

Lawful basis

The UK GDPR requires any organisation processing personal data to identify a valid lawful basis for each processing activity before it begins. The law provides six lawful bases for processing:

  • consent
  • performance of a contract
  • a legal obligation
  • a vital interest (protecting someone's life)
  • a public task (carried out in the public interest or under official authority)
  • a legitimate interest

Personal data

Personal data is information that relates to an identified or identifiable living person. This includes information that identifies a person only when combined with other information. Examples include a name, address and telephone number.

Personal data breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This covers breaches with both accidental and deliberate causes, so a breach is about more than just losing personal data: unauthorised access, modification or loss of availability also count.

Example personal data breaches include (not exhaustive):

  • access by an unauthorised third party
  • deliberate or accidental action (or inaction) by a Data Controller or Data Processor
  • sending personal data to an incorrect recipient
  • computing devices containing personal data being lost or stolen
  • alteration of personal data without permission
  • loss of availability of personal data

Personal Identifier

A personal identifier is a data element within a data set that singly or in combination can uniquely identify an individual, such as a National Insurance number, name, address, birth date, physical characteristics, demographic information etc.

Record of Processing Activities

The Record of Processing Activities is a log of all datasets containing personal data that an organisation collects or processes. For each, the record also captures the lawful basis for holding the data, the purposes of the processing, with whom it is shared, and the other details required by the UK GDPR (Article 30) and described in Information Commissioner's Office guidance.

Special Category Data

The UK GDPR singles out some types of personal data as likely to be more sensitive and gives them extra protection. Processing special category data requires both a lawful basis and a separate condition for processing under Article 9. The categories are:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical beliefs
  • personal data revealing trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • data concerning health
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation