This is the third glossary in the GDPR series. Whether you are a business or a consumer, it is important to note what GDPR protects. There is a lot of legal jargon, but in terms of data protection it is actually very simple: GDPR protects the business holding the data and, ultimately, the subject of the data being held.
As a business or consumer, I believe it is important to understand the extent of these definitions and some umbrella terms which are frequently used. Generally, these terms and definitions are similar. However, for me, it has been important to note the similarities and differences between the terms.
Consent: Receiving a subject’s agreement to process their data. Agreement must be freely given, informed, specific and unambiguous. Consent can be given by a written statement or an oral statement. The data subject must clearly understand what they are providing their data for, how it will be processed, who will process it and how long it will be stored.
Data Erasure: (Also known as the right to be forgotten) This entitles the data subject to request that the data controller erase their personal information.
Data Minimisation: This means you can only collect personal data if it’s needed to achieve the intended purpose. Personal data should be adequate, relevant and limited to what is necessary. Where appropriate, such data should also be kept up to date.
Data Subject: someone whose personal data is being processed by a controller or processor.
Data Subject Rights: The data subject has the right to:
- Transparency (to be informed).
- Access the data.
- Rectify the data.
- Request that the data be erased.
- Restrict processing.
- Data portability.
- Object to the processing of data.
- Not to be subject to a decision based solely on automated processing.
Encrypted Data: Personal data which has been translated to another form or code so that only people with specific access can read it.
Natural Person: Any living individual. The GDPR does not concern itself with the privacy of the deceased.
Personal Data: Any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. This includes name, identification number, location data or online identifier.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Pseudonymisation: The processing of personal data so that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure it cannot be attributed to an identified or identifiable person.
Profiling: The automated processing of personal data.
Purpose Limitation: This refers to using information only for the specified, explicit and legitimate purposes for which the data was collected and not for any other purpose.
Sensitive Personal Data: The special categories of personal data. These include genetic data, and biometric data where processed to uniquely identify an individual, as well as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and sexual orientation.
I hope you have found the third part in the GDPR glossary series useful. If you feel any terms should be moved around in this glossary or would like to add any more terms, please feel free to leave a suggestion in the comments.
If you would like to continue reading these glossaries, please see the fourth and final part of the series, ‘What Needs to be Done when GDPR is Enforced’.