Data Protection Toolkit - Glossary
Using the glossary
This glossary is cross-referenced. Links to other terms appear in bold.
Links to relevant guidance in the Data Protection Toolkit are in blue boxes.
Links to further information from other sources (like the ICO) are in grey boxes.
You'll also find links to entries in the glossary from other parts of the Data Protection Toolkit.
This means that the controller must take appropriate technical and organisational measures (e.g. ensuring data security, implementing data protection policies and recording processing activities) so that the processing of personal data is safeguarded and the rights of the data subjects are protected, and must be able to demonstrate that it has done so.
Data protection by design and by default is key to keeping to the accountability principle.
Guidance: Document your processing activities
If a personal data breach does happen, the controller must report it to the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. A processor that becomes aware of a breach must notify the controller without undue delay. Where the breach is likely to result in a high risk to the affected data subjects, the controller must also inform them without undue delay.
In a different sense, controllers and processors might also find themselves in breach of the articles of the GDPR itself, for example, by failing to respond adequately to a subject access request within the required timeframe.
Taking a sensible and appropriate approach to the security of personal data can help to reduce both the impact and likelihood of a breach.
The GDPR sets a higher standard for consent than the DPA does. Where consent is currently relied on, the controller or processor may therefore need to review and refresh existing consents, unless another lawful basis applies to the processing. The controller must be able to demonstrate that the data subject has consented to the processing.
Consent must be:
- freely given: there must be a clear choice to give consent. An individual should not suffer detriment or penalty by not consenting for this to be a free choice.
- specific: there must be a clear separation between consent for data processing and other matters.
- informed: it should be clear that the data subject understands what they are consenting to.
- unambiguous: it must be obvious that an individual has consented.
- clear and distinguishable: the request for consent can't be buried in terms and conditions. "Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent".
- easy to withdraw: it should be as easy for the individual to withdraw consent as it is to give it, and they should be informed of this right.
Consent can be given by either a statement (which can be written or verbal), or a 'clear affirmative action' (such as ticking a box or actively providing some information). You must keep records to demonstrate that consent was given by the data subject.
Be aware that explicit consent (one of the possible conditions for processing special category data), though not actually defined in the GDPR, is likely to mean that consent must be given as a clear statement expressed in words (verbally or in writing).
ICO, Guide to the GDPR: Consent
ICO, Guide to the GDPR: Lawful bases for processing: consent
ICO, ICO News Blog: Raising the bar on consent under the GDPR
ICO, ICO News Blog: Consent is not the ‘silver bullet’ for GDPR compliance
GDPR Article 7, Recital 32
Article 29 Data Protection Working Party, Guidelines on Consent under Regulation 2016/679
A data controller is the organisation that "determines the purposes and means of the processing of personal data". In most cases, this will be your organisation when you decide to process some data about individuals.
The accountability principle means that although another organisation may take on the role of a processor, the controller is still responsible for demonstrating compliance with the data protection principles. This means that if you (as controller) commission someone else to process personal data on your behalf, you have to ensure, and be able to show, that appropriate measures are in place (e.g. policies, contracts).
ICO, Data Controllers and Data Processors: what is the difference? (N.B. pre-GDPR)
GDPR Article 4, Article 24, Article 26
This means that you should limit the personal data you hold to what is needed to carry out the purpose you hold it for.
Limiting the amount of data that you hold and use is known as 'data minimisation'. This requires striking a balance to ensure that the amount of information that you hold about a person is adequate for its purpose, and no more.
Having more personal data than you need for a purpose increases the risks inherent in a personal data breach , and increases the burden on you of collecting, storing, securing and keeping up to date irrelevant information.
For example, if you were to ask questions on a job application form about a candidate's health which were not relevant to awarding the job, this principle could be said to have been breached. As well as being an unnecessary invasion of the potential recruit's privacy, this places an extra and unnecessary burden on you to keep this information confidential and secure. Data subjects have the right to have unnecessary personal data deleted.
To minimise the amount of data that you hold, you should review what information you require to fulfill the purpose of your processing activity. Data that is additional to what is necessary should be discarded, or not collected.
You shouldn't collect personal data on the off chance that it might be useful in future. You may, however, be able to justify holding data for a foreseeable event that may never occur, provided you can clearly explain why the data would be needed if that event did happen.
Usually, the Data Protection Act 1998 (DPA), which established the core data protection principles in the UK.
The 1998 Act is repealed by the Data Protection Act 2018, which adds some more specific variations and clarifications for the operation of the GDPR in the UK, and sets the framework for the incorporation of the GDPR into UK domestic law beyond Brexit.
Also referred to as 'privacy by design and by default'. This is the practice of ensuring that systems and projects incorporate data protection from the beginning, and that data protection principles are implemented.
While this can encompass a wide range of organisational and technical aspects, controllers have an obligation to ensure that, by default, only the personal data necessary for each specific purpose is processed. Measures can include data minimisation efforts, pseudonymisation, enabling data subjects to access their own data and set privacy controls, and limiting access to specific members of staff. What you decide to do will depend on the service or project, the scope of the data collected and how it integrates with current systems.
Previously, privacy by design was recommended best practice. It is now made explicit in the GDPR. The ICO has published guidance on privacy by design and is now working to update it to reflect the GDPR. In the meantime, the existing guidance is a good starting point for organisations. Data protection by design and by default may be taken into consideration in public tenders and funding opportunities, so it is also important to consider from a business perspective.
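Pseudonymisation is listed above as a measure, and the detail that matters in practice is that the pseudonym must only be re-linkable by whoever holds a separate secret. The example below is added here and is not code from the Data Protection Toolkit: it pseudonymises a small constructed dataset with a keyed hash (HMAC-SHA256), shows that the key holder can still re-identify a record (so the output is still personal data), and shows why an unkeyed hash of a predictable identifier is not adequate, because the mapping can be rebuilt by enumeration. The customer reference format and the records are assumptions made for illustration.

```python
"""
Pseudonymisation with a keyed hash (HMAC-SHA256).

Added example for the glossary entry on data protection by design; not
part of the original page. Identifier format and records are constructed.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample dataset. The "CUST-000123" reference format is an
# assumption: a small, predictable identifier space is exactly the case
# where an unkeyed hash gives no real protection.
RECORDS = [
    {"customer_ref": "CUST-000123", "postcode_area": "BS1", "spend_gbp": 42.50},
    {"customer_ref": "CUST-000456", "postcode_area": "M1", "spend_gbp": 17.00},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone who can enumerate the
    identifier space can recompute it (see attack_unkeyed)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 over the identifier under a secret key. Without the key
    the value cannot be recomputed, so re-linking stays with the key holder."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> List[dict]:
    """Return a copy of the dataset with the direct identifier replaced by
    its keyed pseudonym. The key must be stored apart from this output."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["pseudonym"] = keyed_pseudonym(rec.pop("customer_ref"), key)
        out.append(rec)
    return out


def reidentify(pseudonym: str, key: bytes, max_ref: int = 1000) -> Optional[str]:
    """Re-link a pseudonym to its customer reference by recomputing
    candidates with the key. This is why pseudonymised data is still
    personal data in the hands of the key holder."""
    for n in range(max_ref):
        candidate = f"CUST-{n:06d}"
        if hmac.compare_digest(keyed_pseudonym(candidate, key), pseudonym):
            return candidate
    return None


def attack_unkeyed(pseudonym: str, max_ref: int = 1000) -> Optional[str]:
    """The same enumeration, run by someone with no key at all, against an
    unkeyed hash: it succeeds, so plain hashing is not pseudonymisation."""
    for n in range(max_ref):
        candidate = f"CUST-{n:06d}"
        if hmac.compare_digest(naive_pseudonym(candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this in a separate, access-controlled store
    released = pseudonymise(RECORDS, key)
    print("released dataset:", released)
    print("key holder re-links:", reidentify(released[0]["pseudonym"], key))
    print("attacker without key:", reidentify(released[0]["pseudonym"], b"\x00" * 32))
    print("attacker vs unkeyed hash:", attack_unkeyed(naive_pseudonym("CUST-000456")))
```

The design point is the separation: the released dataset and the key are two artefacts with different access controls, and the data minimisation question becomes whether the recipient needs the key at all. Rotating or destroying the key is what turns the output from pseudonymised into something much closer to anonymised, but only if no other fields in the record (postcode, spend, dates) identify the person on their own.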
A DPIA (also referred to as Privacy Impact Assessment) is a tool that can help identify and mitigate risks to privacy that might exist in your project.
Controllers are required to carry out a DPIA when a project is likely to result in a high risk to the rights and freedoms of individuals, particularly when the use of new technologies is involved. These should be carried out prior to any processing taking place in the case of new projects, but can also be applied in the case of current projects.
Assessments cover the nature and purpose of the processing, how data will be processed, secured and shared, and cover the possible risks to data subjects involved.
DPIAs can be thought of as a part of data protection by design and by default. The ICO has previously developed a Code of Practice for Privacy Impact Assessments which organisations can use to assess and reduce risks in their project.
The person that personal data relates to, and who can be identified from information such as a name, location, address, identification number (e.g. social security number), or with reference to other information that makes them directly or indirectly identifiable.
The transformation of stored or transmitted data so that it cannot be read without the corresponding key.
By encoding usable information as ciphertext using an encryption algorithm, encryption can provide an effective and appropriate security measure to guard data against intentional misuse or accidental disclosure. This is especially relevant where data is transferred over the Internet or stored on removable devices. The protection is only as strong as the management of the keys: a key stored alongside the ciphertext, or shared more widely than the data itself, protects nothing.
Encryption should not be the only security measure taken, and should be considered along with other technical and organisational security measures.
Guidance: GDPR and Encryption
ICO, Guide to Data Protection: Encryption
The European Data Protection Board (EDPB) is an independent EU body. The EDPB was established by the GDPR and succeeded the Article 29 Working Party.
The Board issues guidelines to clarify European data protection law, advises on EU legislation, adopts binding decisions where supervisory authorities disagree, and promotes cooperation between national supervisory authorities.
The Regulation aims to give the control of personal data to data subjects and create coherent regulation within the EU.
Independent UK body which acts as the data protection regulator, with a range of enforcement powers including undertaking investigations and audits, and issuing written notices and monetary penalties in relation to the Data Protection Act and the PECR.
The ICO is the "supervisory authority" responsible for monitoring and enforcing the GDPR in the UK and is recognised as the National Data Protection Authority by the European Commission.
An international transfer is any transfer of personal data to a "third country" or an international organisation. This means either to a place outside of the European Economic Area (EU countries plus Iceland, Liechtenstein and Norway), or to another organisation governed by international law or set up between two or more countries.
For example, storing personal data on a cloud service that has its servers in the United States would qualify as an international transfer (even if those servers were owned by an EU company).
Under the GDPR, international transfers are restricted unless the country in question has received an adequacy decision from the European Commission, or "appropriate safeguards" (such as standard contractual clauses, binding corporate rules or an approved certification mechanism) are in place, or one of the specific derogations in Article 49 applies.
These joint controllers must enter into an arrangement that sets out their respective responsibilities for complying with the GDPR and protecting data subjects' rights, and the essence of this arrangement should be clearly communicated to the data subjects (for example, in a privacy notice).
You must have a lawful basis in order to process any personal data. The most appropriate basis to use depends on the personal data, the purpose of the processing, and the relationship with the data subject.
There are six lawful bases set out by the GDPR for processing personal data:
- consent: the data subject has given consent to the processing of their personal data for one or more specific purposes
- necessary to fulfil a contract with the data subject (or to take steps at their request before entering into one)
- necessary to meet a legal obligation to which the controller is subject
- necessary to protect a life, of the data subject or another person ("vital interests")
- necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller
- necessary for purposes within the legitimate interests of the controller or a third party, except where these are overridden by the interests, rights and freedoms of the data subject
There is no hierarchy among the lawful bases. You should choose the most appropriate basis for the purposes of your processing. As a rule of thumb, if bases 2 to 5 apply they should be used; if not, legitimate interests can be considered. If legitimate interests cannot be applied, then getting the consent of the data subject is the only remaining option.
There are three parts to determining whether you can use legitimate interests (often referred to as the 'legitimate interests assessment'):
- A legitimate interest must be identified. The controller should be able to clearly articulate a legitimate interest, for example the prevention of fraud, or undertaking an activity that benefits the wider community such as medical research.
- The processing (and the personal data required for it) must be necessary to achieve that interest. If the same purpose could be achieved without the processing, or by processing in a less invasive way, then the activity could be said not to be necessary.
- These interests must be balanced against the interests and rights of the data subject. The GDPR is clear that particular weight must be given to protecting children's privacy. Legitimate interests is most likely to be an appropriate basis where a person's data is used in ways that they would reasonably expect given their relationship with the controller (for example, where the person is a current client), and where the privacy impact is minimal.
Organisations can carry out a legitimate interests assessment to ensure the purpose, necessity and balance of the interest. Controllers will need to document their decisions on legitimate interests so that they can demonstrate compliance with the accountability principle.
Guidance: Legitimate Interests Assessment
GDPR Article 6(1)(f)
Information Commissioner's Office, Guide to the GDPR - Legitimate interests
Data Protection Network, Guidance on the use of Legitimate Interests under the EU GDPR
Article 29 Data Protection Working Party, Opinion on the notion of legitimate interests of the data controller under the 1995 Directive
Any information relating to an identified or identifiable living person (the data subject ).
This can include items such as names, address and contact information, online identifiers, and other information relating to a person's health, employment, interests, finances, activities and characteristics.
ICO, What is personal data?
The new right to data portability allows a data subject to obtain their personal data and move it from one controller to another without hindrance. It applies where the processing is carried out by automated means and is based on consent or on a contract.
This means that when a data subject exercises this right, the data should be provided in a structured, commonly used and machine-readable format that enables easy reuse, e.g. a CSV file.
The GDPR outlines six data protection principles. These sit at the heart of the GDPR; your adherence to them will go a long way towards complying with the GDPR, and they form a significant part of good data protection practice.
Personal data must be:
processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency')
collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with them ('purpose limitation')
adequate, relevant and limited to what is necessary ('data minimisation')
accurate and, where necessary, kept up to date ('accuracy')
kept in an identifiable form for no longer than is necessary—if it can be anonymised it can be kept for longer, but anonymisation is more difficult than you might think ('storage limitation')
processed in a manner that ensures appropriate security ('integrity and confidentiality')
The ICO interprets direct marketing as material directed at individuals, including any that is "promoting the aims or ideals of not-for-profit organisations". As well as general promotion and fundraising, this could include charity campaigning or a newsletter sent by email. You therefore don't have to be attempting to raise money or sell products and services to fall under the auspices of these Regulations.
In short, you need the recipient's consent before sending such material to them, though there are some exceptions to this general principle, such as in the case of business-to-business (B2B) marketing. Refer to the ICO's Guide to PECR for more information.
Material sent by post and non-targeted promotion are not covered by this. Only electronic methods, namely email, SMS, fax and telephone, are covered by these Regulations.
A new ePrivacy Regulation will sit alongside the GDPR and replace PECR, putting in place some stronger privacy rules for electronic communications. For example, it will cover apps and messenger services not already included in the more traditional telecoms, and simplify consent for cookies that track browsing online. The new Regulation has not yet been agreed by the EU; for now PECR continues to apply alongside the GDPR.
ICO, Guide to PECR
Article 13 and Article 14 set out what this information should cover. A privacy notice is the most common means of delivering this information, and can be provided to data subjects at the point where personal data is collected from them, or in another appropriate and reasonable way.
Guidance: Write a Privacy Notice
ICO, Privacy Notice Code of Practice
Operations performed on personal data, including any operations carried out in an automated way.
This covers pretty much everything and anything that you might do in relation to personal data, and can include collecting and recording, storage, transfer, retrieval, decision-making, publication and disclosure.
GDPR Article 4
The person or organisation who processes personal data on behalf of the controller.
GDPR Article 4
Articles 12 to 23 of the GDPR detail the rights of data subjects, which seek to protect their fundamental rights and freedoms.
Your data subjects must be allowed to exercise their rights where they apply.
The rights covered are:
- Right to be informed. The right to know how personal data is used in clear and transparent language.
- Right of access. The right of data subjects to know and have access to the personal data held about them (see Subject Access Request).
- Right to data portability. The right to receive and transfer data in a common and machine-readable electronic format.
- Right to be forgotten. The right of data subjects to have their personal data erased.
- Right to rectification. The right to have data corrected where it is inaccurate or incomplete.
- Right to object. The right to object to processing, including an absolute right to object to direct marketing.
- Right to restriction of processing. The right to limit the extent of the processing of the data subject's personal data according to their wishes.
- Rights related to automated decision-making and profiling. The right not to be subject to a decision based solely on automated processing where it has legal or similarly significant effects.
Some of the rights apply only in certain cases. There are restrictions and exemptions that can be applied to each of these rights, mostly defined by the UK Data Protection Act 2018.
GDPR Chapter 3
The general concept of information security is ensuring the confidentiality, integrity and availability of information. Usually, this is with regard to digitally stored information, but it is also applicable to physical forms.
Information security seeks to prevent accidental or unauthorised access, interception, alteration, copying, destruction or loss of personal data (any of which might qualify as a breach of security).
The GDPR focuses on the security of personal data that is being processed by either a controller or processor, requiring that they "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".
An appropriate level of security depends on available (state-of-the-art) solutions, cost of implementing systems, the nature of the personal data and how it is being used (especially where it involves special category or other sensitive personal data), likelihood of occurrence, and the impact of risks for the people who could be affected.
There are many solutions that seek to ensure ongoing information security, including organisational measures (e.g. confidentiality agreements, limited access within an organisation, security clearance, appropriate policies) and technical approaches (e.g. virus and malware scanning, password policies, encryption).
Personal data relating to a number of areas are covered:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic and biometric data (processed for the purpose of uniquely identifying a person)
- data concerning health
- data concerning a person's sex life or sexual orientation
In order to process special category data lawfully (in addition to having established a lawful basis), processing must be necessary under one of the 10 conditions defined in Article 9(2) of the General Data Protection Regulation.
A request from a data subject for this information is referred to as a Subject Access Request. Though SARs have been a feature of existing data protection rights, under the GDPR a fee can no longer be charged (except where a request is manifestly unfounded or excessive) and the deadline for a response is one month, extendable by a further two months where requests are complex or numerous. Not responding within this deadline is usually a breach of that person's rights.
A request can be made verbally or in writing. The person doesn't need to refer to the term "subject access request", they simply need to request their data for the right to be exercised. This request could be made to anyone in your organisation (potentially, even volunteers) and you will be under the obligation to provide the information.
Guidance: Dealing with Subject Access Requests
Protecting the "vital interests of the data subject or of another natural person" is one of the lawful bases for processing personal data referred to in the GDPR. Vital interests are those interests essential for the life of the person, and therefore apply in matters of life and death. It is most likely to apply in emergency situations, for example disclosing a data subject's medical history to paramedics. It is less likely to be a legitimate basis for collecting medical information in advance, in which case you should seek to use another lawful basis.