The General Data Protection Regulation is the legal framework issued collectively by the European Parliament, the European Commission and Council of the European Union with the aim of unifying and strengthening data protection for all EU citizens, and it’s enforceable from 25th May 2018.
There’s no doubt about it, the GDPR has stirred up a lot of concepts and terms that those of us expected to comply with it can sometimes struggle to decipher. So, we’ve compiled a list of the terms that we tripped over while decoding the regulation for ourselves; we hope you will find it useful in your GDPR preparations.
Data Subject
The individual to whom the personal data relates.
Personal Data
Any information relating to a data subject. It’s a very broad concept; you might be surprised at what’s included – and it’s still expanding.
Processing
Any manual or automated activity carried out on personal data, from collection to destruction and everything in between.
A grouping of personal data that has been collected for a specific purpose (e.g. customer contact data; employee payroll data; etc.).
Sensitive / Special Categories of Data
Information relating to an individual’s race or ethnicity, political opinions, religious or philosophical beliefs, physical and mental health, sexual life, criminal convictions or allegations, trade union membership; genetic and biometric data. Processing of this data is prohibited unless the data subject gives their explicit consent or the processing fulfils one of nine other specific conditions.
Data Controller
The individual or private organisation, public authority, agency or other body that decides why and how personal data will be processed. (GDPR, Article 4(7))
Data Processor
The individual or private organisation, public authority, agency or other body which processes personal data on behalf of the controller. The controller may also be the processor. (GDPR, Article 4(8))
Data Protection Officer (DPO)
The individual, team or contractor nominated by the data controller to oversee the organisation’s data protection planning, training and other activities to ensure compliance with GDPR.
Supervisory Authority
The independent public authority or authorities appointed by each EU Member State and tasked with the responsibility for monitoring the application of the GDPR.
Legal Basis for Processing
There are six legal bases that a data controller can rely on for processing personal data:
1. the data subject has given active consent to the processing for one or more purposes that have been previously disclosed to them;
2. the processing is necessary in the context of or to enter into a contract;
3. the processing is necessary for the data controller’s compliance with a legal obligation;
4. the processing is necessary to protect the vital interests of the data subject or another individual;
5. the processing is necessary in the public interest or to exercise the data controller’s official authority;
6. the processing is necessary for the legitimate interests of the data controller – however, these interests cannot override the interests or the fundamental rights of the data subject, particularly where that individual is a child.
(GDPR, Article 6)
Data Protection Impact Assessment (DPIA)
When a proposed processing activity is “likely to result in a high risk to the rights and freedoms of natural persons” the data controller must carry out a DPIA. A DPIA is a process that systematically describes and assesses the need for and the proportionality of the data processing activity. The DPIA must include an assessment of the risks to the rights and freedoms of the data subjects and must also provide measures for addressing those risks and ensuring the protection of the personal data. (GDPR, Article 35)
This is where an organisation sets out how the principles of data protection are applied to all of its data processing activities – including employee, customer and third-party data.
Data Retention Period
The length of time that personal data will be kept by the data controller, or by the data processor on instruction from the data controller. It must be no longer than is necessary for the purposes for which the data is processed. Once that defined period lapses, the data must be deleted or converted into a form that does not permit the identification of its subject(s). For some sectors and / or in certain circumstances, there are legal requirements that govern retention periods for particular data, and these take precedence over the GDPR. However, data controllers should ensure that they retain only the data specified by the legal requirement and delete or anonymise the remainder.
Data Minimisation Principle
To process (i.e. collect, store, use, etc.) only the minimum data necessary for the specified purpose.
Accountability
Under GDPR, it is not enough to be compliant with the regulation; you must also be able to provide demonstrable evidence of your compliance activity.
Consent
Active consent in the form of an unambiguous written or spoken statement by the data subject, where they have been presented with a clear option to agree or disagree with the processing of their personal data for a specified purpose.
Data Subject Request / Data Access Request
The method by which a data subject can request all of the personal data relating to them that is held by an individual or an organisation, free of charge.
The tasks that the DPO is responsible for carrying out.
The means of documenting all of the personal data the organisation processes, the processing it is subjected to and the purposes for which it is processed.
Pseudonymisation
The technique of modifying personal data in such a way that it can no longer be associated with the data subject without the addition of other information.
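As an added illustration of the pseudonymisation and retention definitions above (this is example code, not part of the original glossary), the following replaces an identifier with a keyed token so that records stay linkable for analysis, while re-identification needs the separately held key or lookup table; at the end of the retention period the token is dropped so nothing identifying remains. The function names and the sample records are constructed for this example.

```python
import hmac
import hashlib

# Constructed sample records; the addresses are not real people.
RECORDS = [
    {"email": "alice@example.com", "order_total": 42.50},
    {"email": "bob@example.com", "order_total": 17.00},
    {"email": "Alice@example.com", "order_total": 8.25},
]


def make_token(secret_key: bytes, identifier: str) -> str:
    """Deterministic pseudonym: HMAC-SHA256 of the normalised identifier.
    The same subject always gets the same token, so records can still be
    linked, but without the key the token cannot be reversed or recomputed.
    A plain unkeyed hash would not do: e-mail addresses are guessable, so an
    attacker could hash candidates and match them."""
    digest = hmac.new(secret_key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymise(records, secret_key: bytes):
    """Return (pseudonymised records, lookup table). The lookup table is the
    'additional information' and must be stored apart from the records,
    under stricter access control than the analytics copy."""
    lookup, out = {}, []
    for rec in records:
        token = make_token(secret_key, rec["email"])
        lookup[token] = rec["email"].strip().lower()
        out.append({"subject_token": token, "order_total": rec["order_total"]})
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Only a party holding the lookup table can restore the identities."""
    return [{"email": lookup[r["subject_token"]], "order_total": r["order_total"]}
            for r in pseudo_records]


def anonymise(pseudo_records):
    """At the end of the retention period the token is removed (and the lookup
    table destroyed), leaving data that no longer identifies anyone."""
    return [{"order_total": r["order_total"]} for r in pseudo_records]
```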