Privacy glossary
Key terms and definitions for GDPR, UK GDPR, DSARs, and privacy operations.
GDPR (General Data Protection Regulation)
EU regulation (2016/679) governing the processing of personal data of individuals in the EU. Came into force May 2018.
UK GDPR (UK General Data Protection Regulation)
The UK version of GDPR, retained in UK law after Brexit and supplemented by the Data Protection Act 2018.
DSAR (Data Subject Access Request)
A request from an individual to access the personal data an organisation holds about them. Must be responded to within one calendar month.
Personal Data
Any information relating to an identified or identifiable natural person. Includes names, identification numbers, location data, and online identifiers.
Data Controller
The entity that determines the purposes and means of processing personal data. Responsible for compliance with data protection principles.
Data Processor
An entity that processes personal data on behalf of a data controller. Must act only on documented instructions from the controller.
Special Category Data
Sensitive personal data requiring additional protections: racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation.
DPO (Data Protection Officer)
An individual designated to oversee data protection strategy and compliance. Required for public authorities and organisations processing special category data at scale.
ICO (Information Commissioner's Office)
The UK's independent authority for upholding information rights. Enforces UK GDPR and the Data Protection Act 2018.
Data Minimisation
Principle that personal data collected should be adequate, relevant, and limited to what is necessary for the stated purpose.
Right to Erasure (Right to be Forgotten)
The right of individuals to request deletion of their personal data in certain circumstances, such as when data is no longer necessary.
Privacy by Design
Approach where data protection is considered throughout the development lifecycle of systems, services, and processes.
Shadow Data
Personal data that exists in systems, exports, or locations not formally tracked by the organisation. Often discovered during DSAR responses or audits.
Data Mapping
The process of documenting what personal data an organisation holds, where it is stored, how it flows, and who has access.
Retention Period
The length of time personal data is kept before deletion. Should align with legal requirements and the purpose for which data was collected.
Lawful Basis
The legal grounds for processing personal data under GDPR. Six bases exist: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Need help with privacy operations?
See how Sylure helps teams find shadow data, respond to DSARs, and produce governance-ready outputs.