The General Data Protection Regulation (GDPR), as the name implies, is a regulation on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The European Parliament adopted the GDPR in April 2016, replacing the 1995 Data Protection Directive.
The primary objective of the regulation is to give individuals control over their personal data and to simplify the regulatory environment for international business. It contains provisions that require businesses operating or serving the EU to protect the personal data and privacy of EU citizens for transactions that occur within the EU.
Non-compliance with the provisions of the regulation attracts severe penalties. To help you fully comprehend the GDPR and prepare your business for compliance, we have put together a list of 25 GDPR key terms and definitions that you need to know.
Data Controller
A data controller is the organization (legal person, public authority, agency, or other body) or the natural person which, alone or jointly with others, decides the purposes and means of processing personal data. Data controllers play a key role in GDPR compliance because of the personal data they collect and retain. If your organization collects the personal information of customers, site visitors, or other targets and determines the purposes and manner in which that personal data is processed, it is a data controller.
Data Processor
A data processor refers to a natural or legal person, company, public authority, agency, or other body which processes personal data on behalf of the controller. A data processor is the one who carries out the actual processing of the data under the specific instructions of the data controller. Examples of data processors include e-commerce stores, fintech companies, market research organizations, cloud providers, and other service providers that store and access the personal data of customers.
Data Subject
The term “data subject” in GDPR refers to a natural person whose personal data is processed by a data controller or processor. A data subject could be an EU resident or citizen located in the EU or anywhere, or just anyone whose personal data is located in the EU.
Personal Data
The term “personal data” generally means any personal information that could be used to identify an individual directly or indirectly. Under GDPR the definition extends further to mean any information relating to a living person who is either identified or identifiable (usually referred to as the data subject).
An identifiable natural or living person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier (such as IP address or tracking ID), or to one or more factors specific to the genetic, physical, physiological, mental, economic, cultural or social identity of that natural person.
Processing
The term “processing” refers to any action, operation, or set of operations (manual or automated) that is performed on personal data or on sets of personal data. Processing includes operations such as collecting, recording, storing, structuring, retrieving, restricting, disclosing, erasing, and destroying personal data. For the processing of personal data to be lawful under the GDPR, businesses must identify a lawful basis for these actions or operations.
Restriction of Processing
GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. Restriction of processing is the marking of stored personal data with the sole aim of limiting the way organizations use it, as an alternative to requesting erasure. Upon request, an organization must stop using an individual’s personal data, although it can continue to store it (but cannot otherwise process it).
Profiling
Profiling refers to any kind of automated processing of personal data that involves analyzing or predicting user behavior, habits, personal preferences, or interests. It may also involve analyzing or predicting aspects concerning an individual’s performance at work, economic situation, health, reliability, location, or movements, among others.
Pseudonymization
In general, pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers or pseudonyms. Pseudonymization renders personal data in such a manner that the personal data can no longer be attributed to a specific person (data subject) without the use of additional information that allows the data to be re-identified. This is provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Pseudonymization can be one way to comply with the GDPR demands for secure data storage of personal information. Pseudonymized data can be restored to its original state with the addition of information which then allows individuals to be re-identified, while anonymized data can never be restored to its original state.
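The distinction drawn above, shown as an added example (not code from the original article): direct identifiers in a constructed customer record are replaced by keyed tokens, the token-to-original lookup table is the separately held “additional information” that allows re-identification, and an anonymized copy drops the identifiers with no way back. Field names, the sample record, and the HMAC-based tokenization are assumptions for illustration.

```python
# Added example (not from the original article): pseudonymization vs. anonymization
# of a customer record. Field names and the sample record are constructed.
import hashlib
import hmac
import secrets

# Direct identifiers that must not remain in the working dataset.
IDENTIFIER_FIELDS = ("name", "email", "customer_id")


def pseudonymize(record, key):
    """Return (pseudonymized_record, lookup_table).

    Each identifier is replaced by a keyed HMAC-SHA256 token. The key and the
    token->original lookup table are the "additional information" the GDPR
    requires to be kept separately from the pseudonymized data.
    """
    out = dict(record)
    lookup = {}
    for field in IDENTIFIER_FIELDS:
        if field in out:
            msg = f"{field}:{out[field]}".encode()
            token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
            lookup[token] = out[field]
            out[field] = token
    return out, lookup


def reidentify(pseudo_record, lookup):
    """Restore original values; only possible with the separately held lookup table."""
    restored = dict(pseudo_record)
    for field in IDENTIFIER_FIELDS:
        if field in restored:
            restored[field] = lookup[restored[field]]
    return restored


def anonymize(record):
    """Drop direct identifiers outright; no table exists, so nothing can be restored."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}


# Constructed sample record.
SAMPLE = {"customer_id": "C-10042", "name": "Ada Example",
          "email": "ada@example.org", "plan": "gold"}

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # keep apart from the pseudonymized data
    pseudo, table = pseudonymize(SAMPLE, key)
    print(pseudo)
    print(reidentify(pseudo, table) == SAMPLE)
    print(anonymize(SAMPLE))
```

The same key yields the same token for the same value, so records can still be linked across the pseudonymized dataset without exposing the underlying identifier.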
Filing System
Data protection regulation does not just apply to electronically processed personal data; it also applies to manual, paper-based filing systems. A filing system under GDPR refers to any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
Cross-Border Processing
In today’s globalized world, the transfer of personal data from one location to another when providing services online is commonplace. GDPR imposes restrictions on transferring personal data between organizations in EU member states and outside the EU. This is referred to as cross-border processing.
Under GDPR, the term “cross-border processing” means either of the following:
- Processing of personal data when the data controller or processor is established in more than one member state, and the data processing takes place in more than one member state.
- Processing of personal data at a single establishment which substantially affects, or is likely to substantially affect, data subjects in more than one member state.
Third Party
Under GDPR, the term “third party” means “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data”.
When organization A outsources data processing activities to, say, organization B, organization A is the data controller, and organization B in this case is the third party (data processor). A data controller determines what information is processed and the lawful basis for doing so, whereas the third party (data processor) carries out the processing on behalf of the controller. Under the GDPR, data controllers are responsible for their own compliance as well as that of their processors.
Consent
Some types of data processing require the consent of the user (data subject) before they can be carried out. Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Under the GDPR, no one should be forced to give consent; it must be freely given, specific, and informed. Users must be told what purpose(s) their data will be used for, and they should show their consent through a statement or a clear affirmative action such as checking a box or clicking a button.
Right to be Forgotten
The GDPR governs how personal data are collected and processed, and gives individuals the right to ask organizations to delete their personal data. This is referred to as the “right to be forgotten”. The right to be forgotten appears in Article 17 of the GDPR, which states that “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”, provided one of a number of conditions applies. Within the context of the GDPR, “undue delay” is considered to be about a month.
Right to Data Portability
The right to data portability is one of the fundamental data subject rights in the GDPR. It allows data subjects to obtain data that a data controller has in an electronic format and to reuse it for their own purposes.
Individuals are free to either store the data for personal use or pass it on to another controller. This enables them to move or port to alternative service providers without any difficulties. The right to data portability applies:
- Where the data processing requires user consent before it can be carried out
- To personal data that an individual has provided to a data controller
- When the processing is carried out by automated means
Data portability does not apply in situations where an organization uses the public interest to process personal data, or if the data is pseudonymized.
Right to Access
Under GDPR, individuals have the right of access, so as to find out from a data controller whether their personal data is being processed, where this is happening, and why. Controllers must provide a copy of that data free of charge when requested. Individuals may also query and contest algorithmically based decisions affecting them.
Privacy Impact Assessment (PIA)
The instrument for a Privacy Impact Assessment (PIA) is defined in Article 35 of the GDPR. It refers to the obligation of data controllers and processors to conduct and document an impact assessment before embarking on any data processing that presents a specific privacy risk by virtue of its nature, scope, or purposes.
Supervisory Authority
A Supervisory Authority is simply a Data Protection Authority (DPA) responsible for the protection of data and privacy as well as implementing and enforcing data protection law. In the context of the GDPR, DPAs are called supervisory authorities. A supervisory authority is defined as “an independent public authority which is established by a Member State pursuant to Article 51”.
Supervisory Authority Concerned
GDPR Article 4 defines the term “supervisory authority concerned” as one which is concerned by the processing of personal data because:
- The controller or processor is established on the territory of the Member State of that supervisory authority.
- Data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing.
- A complaint has been lodged with that supervisory authority.
Personal Data Breach
A personal data breach is a security incident (deliberate or accidental) that affects the confidentiality (unauthorized access or disclosure of personal data), integrity (alteration of personal data), or availability (unauthorized destruction or denial of access to personal data) of personal data.
In the event of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Genetic Data
GDPR defines genetic data as personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question using commercial DNA testing kits or other tools.
The GDPR lists genetic data as “special categories of personal data” or sensitive data. This classification makes processing genetic data subject to the adoption of suitable safeguards for its protection such as pseudonymization.
Biometric Data
GDPR defines the term “biometric data” as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
Biometric data is considered sensitive personally identifiable information, and as such it requires a higher level of protection. Many organizations and countries collect biometric data, and the GDPR explicitly prohibits the processing of such data for the purpose of uniquely identifying (authenticating or identifying) natural persons, but there are multiple exemptions spelled out in Article 9(2). For authentication, the application must require a high level of reliability which cannot be obtained with other technologies.
Data Concerning Health
According to Article 4 (15) of the GDPR, “data concerning health” means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
This kind of data can be derived from various sources such as health care providers, insurance companies, employers, etc. Due to the sensitivity of health data, any breach of such data may have significant adverse impacts on data subjects. The GDPR, therefore, stipulates higher protection measures for data of this nature.
Main Establishment
The term “main establishment” is analogous to the term headquarters, and is defined under Article 4(16) of the GDPR as follows:
“As regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment”.
“As regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation”.
Representative
Under the GDPR, the representative is a natural or legal person established in the Union who acts on behalf of the controller or processor with regard to their respective obligations under the GDPR. The representative acts as a direct contact for the authorities and data subjects, while also being an authorized agent to receive legal documents.
Binding Corporate Rules
In GDPR, the term “binding corporate rules” refers to a set of internal rules adopted by multinational companies (controller or processor) to define their global policies on international data transfers within the same corporate group towards countries outside the EU that don’t share the same level of protection.