The Definitions

The following terms defined here will be used heavily when referring to the GDPR regulations. This will also help understand what GDPR does and does not refer to:

Personal data

  • This is any information relating to a living individual (not an entity like a company) either directly or indirectly. This can be:
    • Name, address, phone number.
    • An individuals email address (eg: [email protected]), mobile device ID, photograph of a individual, social media post, username used on website, IP address, Internet of Things (IoT) collected data about the individual.
    • Data does not have to be directly personally identifiable but can still classed personal data.
  • You must now carefully consider how you classify data, as on it’s own it may not directly identify someone, eg: last 4 digits of a credit card. However when it’s combined with another piece of data (eg: a post code), an individual may be identified. Each piece of data is therefore considered personal data.

Processing of data

  • Anything that is done with personal data.
  • Either manually (by hand) or automated (by a computer).
  • This includes: Collecting, storing, using, transferring or the deletion of any part of personal data.

Data Subject

  • A “natural person” is the owner of their own personal data.
  • This can be a someone who uses your services, a customer, employee, contractor, supplier etc.. Typically, a computer will hold personal data on all of these data subject types.
  • Data subjects have rights in regards to any personal data held on or about them. More on this later.
  • If these rights are infringed they can complain directly to the ICO.

Data controller

  • A person, company or public body who determines the means and purpose of processing of personal data, ie: Who has the freedom to decide what is done with the data.
  • They have a duty to fulfil the rights of data subjects and obligations towards the ICO.
  • These duties and obligations cannot be outsourced.

Data processor

  • The person, company or public body that is processing the personal data under instruction of the data controller, e.g.: a cloud service like Google, Dropbox, Amazon Web Services who are providing a service for your data, or an outsourced provider carrying out set tasks for you, eg: a payroll processor).
  • Data processors now have more stringent obligations under the GDPR. Such as:
  • Data processing agreements must be in place with their data controllers stating exactly what they can do and what measures are in place to protect the data controllers data.
  • Processing activities must be documented.
  • Breaches must be reported and the processor will be legally liable if found responsible for the breach.
  • Data controllers may only rely on data processors that provide sufficient security controls and GDPR compliance.
  • Data processors who have legal obligations to report certain activity (eg: banks, accountants) take the role of data controllers, due to their responsibility in deciding whether data needs to be reported.

Data breach

  • A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • It’s important to note here that a data breach isn’t only considered when personal data is stolen, it can also occur through the unauthorised access by an employee or even the accidental loss of data.
  • If this personal data gets into the wrong hands it can cause a risk to the rights and freedoms to the individual.
  • Certain types of data breaches have be reported to the ICO and the data subject concerned. More on this later.

Special categories of personal data

  • Additional restrictions are placed on personal data when it fits into one of these groups:
    • Race – Race, ethnic origin.
    • Beliefs – Political opinions, religious and philosophical beliefs, trade union memberships.
    • Body – Health data (including height, weight) or genetic and biometric data when used for identification.
    • Sex – Sexual orientation, sex life.

Due to the sensitivity of the data in these categories, certain conditions comes when processing this data. More on this later.

Previous: 1. Introduction
Next: 3. The Principles