Privacy Glossary

Principle that the controller is responsible for and must be able to demonstrate, compliance with all data protection principles.

Principle that personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.

A decision by the European Commission or UK government that a third country provides an adequate level of data protection, enabling data transfers without additional safeguards.

The irreversible process of altering personal data so that individuals cannot be identified directly or indirectly. Truly anonymised data falls outside the scope of GDPR.

Internal policies adopted by multinational organisations to permit intra-group transfers of personal data outside the EEA in compliance with GDPR.

The obligation to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals' rights.

The processes and systems used to collect, record and manage individuals' consent for personal data processing. Consent must be freely given, specific, informed and unambiguous.

The requirement under PECR and ePrivacy rules to obtain user consent before placing non-essential cookies or similar technologies on their device.

A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

The entity that determines the purposes and means of processing personal data. Responsible for compliance with data protection principles.

A comprehensive register of all personal data assets held by an organisation, including data types, storage locations, processing purposes and retention periods.

The process of documenting what personal data an organisation holds, where it is stored, how it flows and who has access.

Principle that personal data collected should be adequate, relevant and limited to what is necessary for the stated purpose.

An entity that processes personal data on behalf of a data controller. Must act only on documented instructions from the controller.

Requirement that only personal data necessary for each specific purpose is processed by default, applying to the amount collected, the extent of processing, the storage period and accessibility.

The UK's primary data protection legislation. Supplements UK GDPR and provides exemptions, enforcement powers and rules for law enforcement processing.

A process to identify and minimise data protection risks of a project. Required under GDPR when processing is likely to result in a high risk to individuals' rights and freedoms.

An individual designated to oversee data protection strategy and compliance. Required for public authorities and organisations processing special category data at scale.

A request from an individual to access the personal data an organisation holds about them. Must be responded to within one calendar month.

An independent EU body that ensures consistent application of GDPR across member states and issues guidelines, recommendations and binding decisions.

A framework enabling the transfer of personal data from the EU to certified US organisations, replacing the invalidated Privacy Shield.

The practice of replacing raw personal data values with hashed or redacted tokens in review interfaces, so reviewers can confirm exposures without seeing underlying personal data.

EU regulation (2016/679) governing the processing of personal data of individuals in the EU. Came into force May 2018.

The UK's independent authority for upholding information rights. Enforces UK GDPR and the Data Protection Act 2018.

Principle that personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

The transfer of personal data to a country outside the UK or EEA. Requires appropriate safeguards such as adequacy decisions, SCCs, or BCRs.

Two or more controllers that jointly determine the purposes and means of processing. Must establish a transparent arrangement defining their respective responsibilities.

The legal grounds for processing personal data under GDPR. Six bases exist: consent, contract, legal obligation, vital interests, public task and legitimate interests.

A structured assessment used to determine whether legitimate interests can serve as a lawful basis for processing, balancing the controller's interests against the rights of individuals.

UK regulations covering electronic marketing, cookies and communications privacy. Sits alongside UK GDPR and is enforced by the ICO.

Any information relating to an identified or identifiable natural person. Includes names, identification numbers, location data and online identifiers.

Approach where data protection is considered throughout the development lifecycle of systems, services and processes.

Processing personal data so that it can no longer be attributed to a specific individual without the use of additional information, which is kept separately and subject to technical and organisational measures.

Principle that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

A documented record maintained by controllers and processors detailing the categories of processing activities, including purposes, data categories, recipients and retention periods.

A person or organisation established in the EU or UK designated by a non-resident controller or processor to act as a point of contact for supervisory authorities and data subjects.

The length of time personal data is kept before deletion. Should align with legal requirements and the purpose for which data was collected.

The right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.

The right to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

The right of individuals to request deletion of their personal data in certain circumstances, such as when data is no longer necessary.

The right to object to processing based on legitimate interests, direct marketing, or research purposes. The controller must stop processing unless compelling grounds exist.

The right of individuals to have inaccurate personal data corrected or incomplete data completed without undue delay.

The right to request that an organisation limits how it uses personal data in certain circumstances, such as when accuracy is contested.

Personal data that exists in systems, exports, or locations not formally tracked by the organisation. Often discovered during DSAR responses or audits.

Sensitive personal data requiring additional protections: racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation.

Pre-approved contractual terms adopted by the European Commission for transferring personal data to countries outside the EEA that lack an adequacy decision.

Principle that personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.

Alternative term for a Data Subject Access Request (DSAR). The right of individuals under GDPR Article 15 to obtain confirmation of whether their data is being processed and access to that data.

An independent public authority established by an EU member state to monitor GDPR compliance. The ICO serves this role in the UK.

Principle that personal data must be processed lawfully, fairly and in a transparent manner. Individuals must be informed about how their data is used.

The UK version of GDPR, retained in UK law after Brexit and supplemented by the Data Protection Act 2018.