The GDPR, or General Data Protection Regulation, comes into force on the 25th May 2018, which means that you will have to make some important changes to the way that you deal with data in your business. The terms used in the legislation can often be seen as complex, so here is a glossary of key terms to assist you.
Data controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data processor: Any person who processes data on behalf of the data controller.
Data subject: Although not defined in the GDPR, any reference made to the ‘data subject’ will mean the individual to whom the personal data relates and on whose behalf, or for whom, it is processed.
Personal data: Any information relating to a living individual who can be identified (either directly or indirectly). The GDPR will expand the definition of personal data to include identification numbers, location data and online identifiers. Personal data that has been pseudonymised (e.g. coded online) may also fall within the remit of ‘personal data’ depending on whether an individual can be easily identified via the pseudonym.
Pseudonymisation: The processing of personal data in such a way that the personal data cannot be attributed to the data subject, without using completely separate additional information.
Recipient: Any person to whom data are or will be disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller. However, recipient does not include any person to whom disclosure is or may be made as a result of a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.
Relevant filing system: Any set of information relating to individuals that is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
Sensitive personal data: Data consisting of information relating to an individual’s:
- racial or ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- membership of a trade union
- genetic data
- biometric data for the purpose of identifying an individual
- physical or mental health
- sexual life or sexual orientation
Both genetic and biometric data are new categories of sensitive personal data under the GDPR, which were not outlined previously in the DPA. These two new categories likely cater to the technological and scientific advancements that have arisen in recent years.
Profiling: Any type of automated processing of personal data in order to evaluate certain personal aspects relating to an individual, in particular to analyse or predict certain aspects of an individual’s performance at work or regarding their health, interests, reliability, behaviour, location or movements.
Third party: Any person other than:
1. the data subject,
2. the data controller, or
3. any data processor or other person authorised to process data for the data controller or processor.
Please note this article contains general overview information only. It does not constitute, and should not be relied upon as, legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter.