Jargon-buster
Data protection, in plain English
Data protection has a lot of jargon. Here is what the terms actually mean, written for people running a business, not lawyers. Each entry gives the plain-English meaning and points to related terms in the list.
- Accountability
  - The principle in Article 5(2) that you are responsible for complying with the rules and must be able to demonstrate it. In practice this means keeping the records, assessments and policies that evidence your compliance, ready to produce on request.
  - Related: ROPA, ICO
- Adequacy
  - A formal UK government decision that a particular country or framework provides an adequate level of data protection. Transfers to an adequate destination do not need an additional safeguard such as the IDTA.
  - Related: Third-country transfer, IDTA
- Anonymisation
  - Processing data so that individuals can no longer be identified by anyone, by any reasonably likely means. Genuinely anonymous data is no longer personal data, so the rules do not apply, but true anonymisation is harder than it looks.
  - Related: Pseudonymisation, Personal data
- Appropriate Policy Document
  - A document required by Schedule 1 of the Data Protection Act 2018 when you rely on certain conditions to process special category or criminal-offence data. It explains your compliance and retention for that processing.
  - Related: Special category data, Lawful basis
- Consent
  - A freely given, specific, informed and unambiguous agreement from the individual, given by a clear positive action. It must be as easy to withdraw as to give. It is often the wrong basis at work, where the power imbalance makes it hard to call consent freely given.
  - Related: Lawful basis, Legitimate interests
- Controller
  - The organisation that decides the purposes and the means of processing, the why and the how. If you choose to run payroll and pick the payroll provider, you are the controller for that activity.
  - Related: Processor, Joint controller
- Data flow map
  - A visual or structured view of how personal data enters, moves through, and leaves your organisation, including any flows abroad. It helps you see what your records describe and spot gaps.
  - Related: ROPA, Third-country transfer
- Data minimisation
  - The principle that personal data should be adequate, relevant and limited to what is necessary for the purpose. Collect only what you need, and do not keep it longer than required.
  - Related: Retention period, Personal data
- Data subject
  - The living individual that personal data is about. In practice these are your employees, job applicants, customers, and the contacts at your suppliers. They have rights over their data, such as the right to access it.
  - Related: Personal data, DSAR
- DPA (Data Processing Agreement)
  - Data Processing Agreement. The contract required under Article 28 whenever a processor handles personal data on your behalf, setting out what they may do with it, security duties, and rules on sub-processors and deletion. (Not to be confused with the Data Protection Act 2018, also abbreviated DPA.)
  - Related: Processor, Sub-processor
- DPIA
  - Data Protection Impact Assessment. A structured assessment of the risks a processing activity poses to people, required under Article 35 before processing that is likely to be high risk, such as large-scale monitoring or new technologies. It identifies risks and the measures to reduce them.
  - Related: Processing activity, Special category data
- DSAR
  - Data Subject Access Request. A request from an individual to see the personal data you hold about them and certain information about how you use it. You must normally respond within one calendar month of receiving it.
  - Related: Data subject, Personal data
- ICO
  - The Information Commissioner's Office, the UK's independent regulator for data protection. It publishes guidance, handles complaints, and can investigate and fine organisations.
  - Related: Personal data breach, Accountability
- IDTA
  - International Data Transfer Agreement. The UK's standard contract for lawfully transferring personal data to countries without a UK adequacy decision, the UK equivalent of the EU's SCCs.
  - Related: SCCs, Third-country transfer, TRA
- Joint controller
  - Where two or more organisations jointly decide the purposes and means of a processing activity. They must agree, in an arrangement, who is responsible for what, including handling people's rights.
  - Related: Controller, Processor
- Lawful basis
  - The legal justification that allows you to process personal data for a given activity. Article 6 sets out six: consent, contract, legal obligation, vital interests, public task, and legitimate interests. You pick the one that genuinely fits each activity.
  - Related: Consent, Legitimate interests, ROPA
- Legitimate interests
  - A lawful basis where you process data for a genuine interest of your business or a third party, provided that interest is not overridden by the individual's rights and expectations. Relying on it requires a documented balancing test, a Legitimate Interests Assessment.
  - Related: Lawful basis, LIA
- LIA
  - Legitimate Interests Assessment. The documented three-part test (purpose, necessity, balancing) you complete before relying on legitimate interests as your lawful basis, showing your interest does not override the individual's rights.
  - Related: Legitimate interests, Lawful basis
- Personal data
  - Any information relating to a living individual who can be identified from it, on its own or combined with other information. Names, emails, staff numbers, IP addresses and photos can all be personal data.
  - Related: Special category data, Data subject
- Personal data breach
  - A breach of security leading to personal data being accidentally or unlawfully destroyed, lost, altered, disclosed or accessed. Higher-risk breaches must be reported to the ICO, usually within 72 hours of becoming aware.
  - Related: ICO, Personal data
- Privacy notice
  - The statement you give individuals explaining how you use their personal data: what you collect, why, the lawful basis, who you share it with, how long you keep it, and their rights. It should match what your records actually say.
  - Related: ROPA, Data subject
- Processing activity
  - A distinct thing you do with personal data for a particular purpose, such as running payroll, recruiting, or sending marketing. Your record of processing activities is the list of these, and most other records build on it.
  - Related: ROPA, Lawful basis
- Processor
  - A supplier that processes personal data on a controller's behalf and on its instructions, rather than for its own purposes. Your payroll bureau or hosting provider is typically a processor. The relationship needs a data processing agreement.
  - Related: Controller, Sub-processor, DPA (Data Processing Agreement)
- Pseudonymisation
  - Processing personal data so it can no longer be attributed to a specific person without separately held additional information (a key). It reduces risk, but the data is still personal data, because it can be re-identified.
  - Related: Anonymisation, Personal data
- Recipient
  - Any organisation or person you disclose personal data to, including your processors, professional advisers, and authorities such as HMRC. Your records and privacy notice describe the categories of recipient.
  - Related: Processor, Privacy notice
- Retention period
  - How long you keep a category of personal data before deleting or anonymising it, and the event that starts the clock (for example, six years after employment ends). You should keep data no longer than you need it.
  - Related: Data minimisation, ROPA
- ROPA
  - Record of Processing Activities. The written record of how your organisation uses personal data, required by Article 30 of the UK GDPR for most organisations. It lists each processing activity with its purpose, the data involved, who it is shared with, how long it is kept, and any transfers abroad.
  - Related: Processing activity, Lawful basis, Retention period
- SCCs
  - Standard Contractual Clauses. A set of contract terms approved for safeguarding personal data sent to countries without adequacy. In a UK context they are usually used with the UK Addendum, or replaced by the IDTA.
  - Related: IDTA, Third-country transfer
- Special category data
  - A more sensitive class of personal data: health, racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetics, biometrics used to identify someone, sex life or sexual orientation. Processing it needs both a lawful basis and an extra condition under Article 9.
  - Related: Lawful basis, Appropriate Policy Document, Personal data
- Sub-processor
  - A supplier engaged by your processor to help it deliver its service, for example the cloud host your software vendor runs on. Your processor must authorise sub-processors in its agreement with you and tell you about changes.
  - Related: Processor, DPA (Data Processing Agreement)
- Third-country transfer
  - Sending personal data to, or making it accessible from, a country outside the UK and EEA. It needs a basis for the transfer: an adequacy decision, an approved safeguard such as the IDTA or SCCs, or a limited exception.
  - Related: Adequacy, IDTA, SCCs, TRA
- TRA
  - Transfer Risk Assessment. The assessment you do before relying on safeguards (such as the IDTA or SCCs) to send personal data to a country without a UK adequacy decision, checking the destination's laws and whether extra measures are needed.
  - Related: Third-country transfer, Adequacy, IDTA, SCCs
This is a plain-English guide, not legal advice. Where your situation is complex or high risk, take advice from a qualified professional.