Data Protection and GDPR Glossary of Terms (A-Z)

The GDPR and Data Protection Act 2018 are two of the most comprehensive pieces of privacy legislation ever created, and it’s important to understand all of their components.

That’s why, as we build towards Data Protection Day on 28th January, we’ve decided to help you better grasp all the GDPR terms by putting together this A-Z glossary.

Below you can find everything you need to know about GDPR and Data Protection, in Trust Hogen’s essential Data Protection and GDPR glossary of terms:

Data Protection and GDPR Bodies

Article 29 Working Party (WP29): The advisory body set up under Article 29 of the Data Protection Directive (95/46/EC). It was made up of representatives of the national data protection authorities, the EDPS and the European Commission, and issued opinions and guidance on data protection and processing for Member States and the public. It was replaced by the EDPB when the GDPR took effect on 25 May 2018; many of its guidelines were endorsed by the EDPB and remain in use.

Data Protection Authorities (DPAs): The national authorities responsible for data protection (the GDPR calls them supervisory authorities). Each Member State designates one or more DPAs to implement and enforce data protection law and to offer guidance. Their role includes investigating complaints, advising organisations on their compliance obligations, and levying fines, which under the GDPR can reach 4% of annual worldwide turnover or EUR 20 million, whichever is higher.

European Data Protection Board (EDPB): An independent EU body made up of the head of each Member State's DPA and the EDPS. It issues guidelines and binding decisions to ensure that the GDPR is applied consistently across the EU, and it replaced the Article 29 Working Party on 25 May 2018.

European Data Protection Supervisor (EDPS): Established in 2004 to ensure that the EU institutions and bodies themselves respect people's right to privacy when processing personal data. The EDPS advises the EU institutions on all aspects of personal data and supervises their processing of it to ensure compliance with privacy rules.

Information Commissioner's Office (ICO): The UK's independent authority set up to uphold information rights in the public interest. The ICO promotes openness by public bodies and data privacy for individuals, and is the UK's supervisory authority under the UK GDPR and the DPA 2018.


Data Protection Act 2018 (DPA 2018): The UK law that sits alongside the GDPR (now the UK GDPR) and fills in the areas the Regulation leaves to national law. It sets out how the intelligence services and law enforcement may process personal data, the conditions for processing criminal conviction data and other special categories, and the age at which a child can consent on their own to an online service, which the Act sets at 13.

e-Privacy Directive: Directive 2002/58/EC, which currently governs privacy in electronic communications: the confidentiality of communications, traffic and location data, unsolicited marketing, and the storing of information such as cookies on users' devices. In the UK it is implemented by the Privacy and Electronic Communications Regulations (PECR) and applies alongside the GDPR.

e-Privacy Regulation: A proposed EU regulation, first published in 2017, intended to replace the e-Privacy Directive with rules that apply directly to any provider of electronic communication services and to anyone processing electronic communications data across the EU. It has not been adopted, so the Directive remains in force.

General Data Protection Regulation (GDPR): Regulation (EU) 2016/679, adopted in 2016 and applied from 25 May 2018, is a set of rules that applies directly in every EU Member State.

It creates a consistent framework for the protection of personal data, sets requirements on how organisations may collect and process it, and gives individuals rights over their own data, including the right to access it.

Member States may add more detailed national rules in the areas the Regulation leaves open (the UK did so in the DPA 2018), but the GDPR itself harmonises data protection law across the EU and applies to personal data processed by individuals and organisations established there.

It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour there, whether or not those individuals are EU citizens.

UK General Data Protection Regulation (UK GDPR): The UK's retained version of the GDPR, in force since the end of the Brexit transition period on 1 January 2021 and read together with the DPA 2018. It is very similar to the EU GDPR, with differences of detail: references to EU institutions are replaced by UK ones, the ICO is the supervisory authority, and transfers between the UK and the EU are each covered by the other side's adequacy decision.

Rights of Data Subjects

Right of access (Article 15): The right to know whether an organisation holds personal data about you, what it is, why and how it is processed and who it is shared with, and to receive a copy of it.

Right to rectification (Article 16): The right to have inaccurate personal data corrected and incomplete personal data completed.

Right to erasure (Article 17): Also called the right to be forgotten: the right to have personal data removed from an organisation's records in certain circumstances, for example when the data is no longer needed for the purpose it was collected for or consent has been withdrawn.

Right to restriction of processing (Article 18): The right to have processing of personal data limited, for example while a dispute over its accuracy is resolved or an objection is considered. While restricted, the data may still be stored but may not otherwise be processed without the individual's consent or another permitted ground such as legal claims.

Right to object (Article 21): The right to oppose processing that relies on legitimate interests or a public task, which must then stop unless the organisation shows compelling legitimate grounds that override the individual's interests, and an absolute right to object to direct marketing.

Right to data portability (Article 20): The right to receive personal data the individual has provided, where it is processed by automated means on the basis of consent or contract, in a structured, commonly used and machine-readable format, and to have it transmitted securely to another organisation where technically feasible.

Right to be informed (Articles 13 and 14): The right to be given, normally in a privacy notice at the time the data is collected, the information needed to understand who is processing the data, why, on what lawful basis, for how long and with whom it is shared.

GDPR and DPA Terminology (A-Z)

Accountability: The principle (Article 5(2)) that a controller must not only comply with the other data protection principles but be able to demonstrate that it does: to know what data it holds, where it is stored, what it is used for, who it is shared with, how long it is kept and which policies govern it, and to keep records, such as the record of processing activities required by Article 30, that show this.

Accuracy: The principle that personal data must be accurate and, where necessary, kept up to date, and that inaccurate data must be erased or rectified without delay. It reinforces the need for organisations to check the quality of their data.

Binding Corporate Rules (BCRs): A set of binding internal rules, approved by the competent supervisory authority, that allows a multinational group to transfer the personal data it controls from the EU to group companies outside the EU while keeping GDPR-level protection in place.

Biometric data: Personal data resulting from specific technical processing of a person's physical, physiological or behavioural characteristics that allows them to be uniquely identified, such as a facial-recognition template or fingerprint data. A plain photograph only becomes biometric data when it is processed by such means. Biometric data used to identify someone is special category data.

Breach: Under the GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It covers more than hacking: a lost laptop, an e-mail sent to the wrong recipient or a ransomware attack that only encrypts data are all breaches.

Conditions for processing: The requirements the GDPR places on any processing of personal data, set out as principles in Article 5: the data must be obtained fairly and lawfully; collected for specified purposes; adequate, relevant and limited to what is necessary; accurate and up to date; kept only for as long as necessary; and processed securely with appropriate technical and organisational measures.

Consent: One of the six lawful bases for processing. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative act, whether in writing, verbally or by a positive action such as ticking a box; silence, inactivity or pre-ticked boxes do not count. It must be as easy to withdraw as to give, and the organisation must be able to prove it was obtained. A higher standard, explicit consent, is required in particular for processing special category data, for automated decision-making with legal effects and for some international transfers.

Any information that can be used to identify an individual, directly or indirectly, such as a name, age, address or IP address (see Personal data below).

Data breach: When personal data is lost, stolen, destroyed, altered, or accessed or disclosed without authorisation (see Breach). A controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach unless it is unlikely to result in a risk to individuals, and must tell the affected individuals without undue delay where the risk to them is high.

Data controller: The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data. The controller is responsible for putting appropriate measures in place to protect the data and for demonstrating compliance with the GDPR.

Data erasure: The deletion of personal data from a system or environment, whether in response to a right-to-erasure (right to be forgotten) request or because the data is no longer needed for its purpose.

Data minimisation: The principle that personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed; organisations should collect and keep only the minimum they need.

Data portability: The GDPR right to receive one's personal data in a structured, commonly used and machine-readable format and to transmit it, or have it transmitted, to another controller.

Data Protection Impact Assessment (DPIA): Sometimes written Data Privacy Impact Assessment. A process (Article 35) that helps organisations identify, assess and mitigate the risks to individuals arising from a processing activity. It is a legal requirement before starting processing that is likely to result in a high risk, such as large-scale processing of special category data, systematic monitoring of public areas or profiling with legal effects, and if the DPIA leaves a high residual risk the controller must consult the supervisory authority before going ahead.

Data processor: The party that processes personal data on behalf of a controller, such as a cloud or payroll provider. A processor must act only on the controller's documented instructions under a written contract meeting Article 28, keep records of its processing and have documented processes showing that it complies with the GDPR.

Data protection by design and by default: The GDPR requirement (Article 25) that data protection measures are built into processing activities from the outset and that, by default, only the personal data necessary for each purpose is processed. Organisations must consider the data protection implications of a system at the design and implementation stage rather than bolting controls on afterwards.

Data Protection Officer (DPO): A designated professional who monitors the organisation's GDPR compliance, advises on its obligations and acts as the contact point for the supervisory authority and data subjects. Appointing a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data.

Data subject: An identified or identifiable living individual whose personal data is being collected and processed, such as a customer or employee.

Data subject rights: The set of rights the GDPR gives individuals over their personal data, listed in the section above: to be informed, to access, rectify and erase their data, to restrict and object to processing, and to data portability.

Encryption: Data that has been transformed with an algorithm and a key so that it is unreadable without the corresponding decryption key. The GDPR names encryption as an example of an appropriate security measure (Article 32), and if breached data was rendered unintelligible, for example by encryption with a key the attacker did not obtain, the controller need not notify the affected individuals (Article 34(3)(a)). The key, rather than the encrypted data, then becomes the thing to protect.

Financial year: The twelve-month period over which a company's accounts are prepared. It matters under the GDPR because the maximum administrative fines are expressed as a percentage of annual worldwide turnover for the preceding financial year: up to 2% or EUR 10 million for lesser infringements and up to 4% or EUR 20 million for the most serious, whichever is higher. It has no bearing on how long personal data may be kept; retention is governed by the storage limitation principle.

Genetic data: Personal data relating to a person's inherited or acquired genetic characteristics, obtained from the analysis of a biological sample such as a DNA or RNA test, that gives unique information about their physiology or health. It is special category data.

The GDPR requires organisations to identify a lawful basis for collecting and processing personal data, such as consent or legitimate interests, before the processing starts (see Lawful basis). The basis relied on must be stated in the privacy notice.

Identifiable natural person: A living individual who can be identified, directly or indirectly, from personal data, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.

Information security: The practice of protecting personal data against unauthorised access, alteration, loss and destruction. It combines technical measures such as encryption and access control with organisational measures such as data minimisation, retention policies and staff training.

Integrity and confidentiality: The principle (Article 5(1)(f)) that personal data must be processed with appropriate technical and organisational measures that protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Lawful basis: The GDPR requires a controller to have one of six lawful bases for each processing purpose, identified before processing starts: consent; performance of a contract; compliance with a legal obligation; protection of vital interests; a task carried out in the public interest or under official authority; or legitimate interests. Processing special category data additionally needs a condition from Article 9.

Lawfulness, fairness and transparency: The principle that personal data must be processed lawfully, fairly and in a transparent way. Organisations must have a lawful basis, must not use data in ways people would not reasonably expect, and must give clear and detailed information about their processing activities.

Legitimate interests: The most flexible lawful basis. To rely on it an organisation must identify a legitimate interest (its own or a third party's), show that the processing is necessary to achieve it, and balance it against the interests, rights and freedoms of the individuals concerned, a three-part test usually documented as a legitimate interests assessment. Individuals keep the right to object, and public authorities cannot rely on this basis for their official tasks.

Member States: The countries that are members of the European Union, currently 27. The GDPR also applies in the three non-EU EEA states (Iceland, Liechtenstein and Norway).

One-stop shop: The GDPR mechanism under which an organisation carrying out cross-border processing deals with a single lead supervisory authority, the one in the Member State of its main establishment, rather than separately with the authorities of every Member State concerned.

Parental consent: Where an organisation relies on consent to offer an online service directly to a child, the GDPR requires the consent of the holder of parental responsibility for children under 16. Member States may lower that threshold to as low as 13, and the UK has set it at 13.

Personal data: Any information relating to an identified or identifiable natural person: a name, address or e-mail address, but also online identifiers such as IP addresses and cookie IDs, location data, and any combination of data that singles someone out.

Principles: The GDPR (Article 5) sets out six principles that organisations must follow when processing personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. An overarching accountability principle requires them to be able to demonstrate compliance with all six.

Privacy by design: The practice of building privacy and data protection into every aspect of operations, from the design of a system through its operation to the deletion of the data, rather than adding protections afterwards. The GDPR makes this a legal obligation as data protection by design and by default.

Privacy Impact Assessment (PIA): The older name, still widely used, for what the GDPR calls a Data Protection Impact Assessment: a tool for identifying, assessing and mitigating the risks to individuals from a processing activity, required where the processing is likely to result in a high risk to their rights and freedoms.

Privacy Shield: The EU-US framework under which organisations could transfer personal data from the EU to certified US companies. It was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment) and can no longer be relied on; transfers to the US now rest on the EU-US Data Privacy Framework adopted in July 2023 or on other safeguards such as standard contractual clauses.

Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure or destruction.

Profiling: Any form of automated processing of personal data used to evaluate personal aspects of an individual, in particular to analyse or predict their performance at work, economic situation, health, preferences, interests, reliability, behaviour, location or movements. Decisions based solely on profiling that have legal or similarly significant effects are restricted by Article 22.

Pseudonymisation: Processing personal data so that it can no longer be attributed to a specific individual without additional information, for example by replacing names or e-mail addresses with a code, provided that the additional information (the key or lookup table) is kept separately and protected by technical and organisational measures. It reduces risk and is named in the GDPR as a security measure, but pseudonymised data is still personal data, because re-identification remains possible; only truly anonymised data falls outside the GDPR.
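The pseudonymisation entry above, and the point in the Encryption entry that reversibility must depend on a separately held key, are easier to see in code. The following Python is an added example written for this glossary, not code from Trust Hogen or from any regulator; the record set, field names and helper names are constructed for illustration. It pseudonymises an e-mail field with a keyed HMAC so that records about the same person still link up, keeps the token-to-identifier lookup apart from the working set as the "additional information" the definition requires, and shows why an unkeyed hash of a low-entropy identifier is not good enough: anyone who can guess the input can recompute the token.

```python
"""Pseudonymisation example (added illustration, not from the glossary page).

Contrasts an unkeyed hash with a keyed HMAC for replacing a direct
identifier, and keeps the re-identification lookup separate from the
working data set, as Art. 4(5) GDPR requires.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records: a small customer table with a direct identifier.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 120},
    {"email": "bob@example.com", "postcode": "M1 1AE", "spend": 45},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 80},
]

# Fields treated as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("email",)


def naive_hash_token(value: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic, so records still join,
    but anyone who can guess the input can recompute the token. For low-entropy
    identifiers such as e-mail addresses this is not adequate pseudonymisation."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key. Deterministic for a given
    key, so records about the same person still link up, but it cannot be
    recomputed without the key, which is the 'additional information' that
    must be kept separately from the working data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (working_set, lookup): working_set has direct identifiers replaced
    by tokens; lookup maps token -> original value. The lookup (and the key) are
    re-identification material and belong under separate access controls."""
    working_set = []
    lookup = {}
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = keyed_token(rec[field], key)
            lookup[token] = rec[field]
            out[field] = token
        working_set.append(out)
    return working_set, lookup


def reidentify(record, lookup):
    """Reverse the mapping for one record using the separately held lookup."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = lookup[record[field]]
    return out


def dictionary_attack(token: str, candidates) -> Optional[str]:
    """Try to recover an identifier from a token by guessing candidate inputs
    and hashing them without a key. Returns the match, or None."""
    for cand in candidates:
        if naive_hash_token(cand) == token:
            return cand
    return None


def demo():
    """Pseudonymise the sample set, aggregate spend per token without ever
    seeing an e-mail address, and show the unkeyed hash being reversed."""
    key = secrets.token_bytes(32)  # generated per deployment; never stored with the data
    working, lookup = pseudonymise(SAMPLE_RECORDS, key)
    per_person = {}
    for rec in working:
        per_person[rec["email"]] = per_person.get(rec["email"], 0) + rec["spend"]
    # The unkeyed hash of a guessable identifier falls to a short candidate list.
    guessed = dictionary_attack(naive_hash_token("bob@example.com"),
                                ["carol@example.com", "bob@example.com"])
    return working, lookup, per_person, guessed


if __name__ == "__main__":
    working, lookup, per_person, guessed = demo()
    print("working set:", working)
    print("spend per token:", per_person)
    print("unkeyed hash recovered:", guessed)
```

In a real deployment the key would live in a secrets manager or HSM whose access list does not overlap with the team that works on the pseudonymised set; if the same people can read both, the data is in practice identifiable and the GDPR's risk reduction does not apply. Rotating the key re-tokenises the whole set, which breaks linkage with older extracts and is itself a useful control when a data set is shared out.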

Public authority: Any organisation acting in an official capacity with the power to make decisions that affect individuals, such as a government department, local council or regulator. Public authorities must appoint a DPO and cannot rely on legitimate interests for their official tasks.

Purpose limitation: The principle that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. The purposes must be set out in the privacy policy or other privacy notices.

Recital: One of the 173 numbered introductory paragraphs that precede the Articles of the GDPR. Recitals explain the reasoning behind the provisions and are used by regulators and courts to interpret them, although they are not themselves binding rules.

Restriction of processing: The GDPR allows individuals to request, in certain circumstances, that their personal data is stored but not otherwise processed (see Right to restriction of processing above).

Sensitive data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data used to identify someone, and data concerning health, sex life or sexual orientation. The GDPR calls these the special categories (Article 9): processing them is prohibited unless one of the Article 9(2) conditions, such as explicit consent, applies.

Special category data: The GDPR's term for sensitive personal data, such as health and genetic data (see Sensitive data).

Storage limitation: The principle that personal data must be kept in a form that identifies individuals for no longer than is necessary for the purposes for which it is processed. Organisations should set and enforce retention periods and then delete or anonymise the data.

Subject access: The process under which individuals can request a copy of the personal data an organisation holds about them and information about how it is used. The organisation must normally respond within one month and free of charge, although the deadline can be extended by a further two months for complex requests.

Subject access request (SAR): A request from an individual for a copy of their personal data and the accompanying information set out in Article 15 of the GDPR. A SAR does not have to use that name or any particular form; any request by a person for their own data counts.

Supervisory authority: An independent public authority established by a Member State to monitor and enforce the GDPR; in the UK this is the ICO.

Territorial scope: The GDPR (Article 3) applies to organisations established in the EU, wherever the processing itself takes place, and to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there.

Third party: Under the GDPR, any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the people authorised to process personal data under their direct authority. This is distinct from a third country, which is any country outside the European Economic Area (EEA); transfers to third countries need an adequacy decision, appropriate safeguards or a derogation.

Transfer: The movement of personal data from one organisation to another, either within the same country or across borders. Transfers to third countries require an adequacy decision, appropriate safeguards such as standard contractual clauses or binding corporate rules, or one of the limited derogations in Article 49.

Transparency: The GDPR requires organisations to be open about how they use personal data, giving individuals clear, concise and easy-to-understand information about their processing activities, normally in a privacy notice.

Turnover: A company's total sales revenue for a year before costs are deducted. The GDPR's maximum fines are set as a percentage of total annual worldwide turnover for the preceding financial year (2% or 4%, or the fixed ceilings of EUR 10 million and EUR 20 million if those are higher), which is why turnover appears in data protection discussions.

User-Managed Access (UMA): An OAuth 2.0-based authorisation protocol from the Kantara Initiative that lets an individual (the resource owner) set policies at an authorisation server governing which clients and requesting parties may access their data held at resource servers. It supports privacy by design and by default by putting control of sharing in the individual's hands rather than the service's.

Trust Hogen Data Protection Month

These are just some of the key GDPR terms that organisations must understand in order to ensure compliance.

As we build towards Data Protection Day on 28th January, Trust Hogen’s knowledge blog is going to be exploring more of the GDPR and its implications. Be sure to check in regularly for more information on how you can ensure your organisation is compliant with this important piece of legislation.

Stay up-to-date with the latest news and developments in data protection by taking part in Trust Hogen Data Protection Month.

If you want to protect your company or business from the risks associated with data protection, then contact Trust Hogen today to find out how we can help. With our expertise in the field of data protection, you can trust that your business is in safe hands.