Jargon buster

BCRs / Binding Corporate Rules

Rules which govern transfers between organisations in a corporate group.
For more information, see “International data transfers”.


Cookies

Small text files which help store information about an individual’s browsing habits. They are downloaded onto an individual’s computer when the individual visits a website and help the cookie owner store data about the individual’s activity on that site, such as how often they visit, how long they spend on each page and other preferences.
The use of cookies is currently regulated by the Privacy and Electronic Communications Regulations (PECR) but is expected to be more heavily restricted under the draft ePrivacy Regulation, when this comes into effect.
For more information, see “Marketing and Cookies”.


Data Controller

A person or business which makes decisions about how or why personal data is processed.
In a data processing situation, the data controller is anyone who decides how to use the personal data concerned and what it is to be used for. This may be more than one person or business, if more than one is involved.
For example, most businesses are data controllers with respect to any personal data they collect about their customers and employees.
For more information, see “What are data processors/data controllers?”.


Data Processor

Any person or organisation which processes personal data on behalf of a data controller.
Your role as data controller or processor is linked to the particular operation you’re carrying out. A single business may be a processor with respect to one use of personal data, and a controller with respect to another.
For example, a cloud storage provider may be both a data processor when it stores personal data on a client’s behalf, and a data controller when it collects and stores data about its own employees.
For more information, see “What are data processors/data controllers?”.


Data protection by design (also known as “Privacy by design”)

A general obligation under the GDPR to implement technical and organisational measures to demonstrate that you have considered data protection issues and integrated data protection into your activities.
For more information, see “Data protection by design”.


Data Subject

An individual whose data is being processed. It includes employees, or people acting in a business context. So information about the individuals working for your business, or for one of your suppliers, is still personal data.


DPA /The Data Protection Act 1998

The main piece of legislation governing data protection before the GDPR.
Much of the terminology and provisions of the DPA are repeated in the GDPR, but the GDPR goes further in introducing more onerous obligations on organisations processing data, which is why it’s important to be aware of its contents.
For more information, see “GDPR vs the Data Protection Act 1998”.


DPIA / Data Protection Impact Assessment

An assessment of the risks your data processing might pose to individuals’ rights and freedoms.
You may be familiar with these already, as they are very similar to the Privacy Impact Assessments (PIAs) required under the DPA regime. The assessment should be made before you process any personally identifiable information, and should include the measures you propose to take to mitigate any identified risks.
For more information, see “Data Protection Impact Assessments”.


DPO / Data Protection Officer

A person appointed by a business to ensure it complies with the GDPR and any other applicable data protection laws.
The person may already be an employee of the business, hired specifically for the purpose or an external provider.
Although not all businesses will be required to appoint a DPO, it will be useful for many businesses to informally give someone this responsibility going forward (we suggest that those informal individuals are given a different title, such as “Data Compliance Officer” or “DCO”).
For more information, see “Data Protection Officers (DCO)”.


GDPR / The European General Data Protection Regulation

EU legislation which regulates how businesses process personal data. It came into force on 25 May 2018.
The Government has committed to implementing the GDPR in the UK and will transfer it into UK law via the Data Protection Bill, which will come into force before Brexit. There was no gradual phasing-in period and all businesses were required to be compliant by 25 May 2018.


ePrivacy Regulation

Just as the GDPR governs the use of personal data and will effectively replace the DPA, the ePrivacy Regulation is a set of new rules to govern online privacy which will replace the current law in the area (the PECR, explained below).
From the draft produced in January 2017, the Regulation looks to be tougher on the use of cookies (explained above), as well as other areas of online user monitoring such as WiFi location tracking and default browser privacy settings.
The EU is still preparing this Regulation and it is expected to be ready in the next few years. It was originally planned to come into effect at the same time as the GDPR, but this now looks unlikely.
For more information, see “Marketing and Cookies”.


ICO / The Information Commissioner’s Office

The main organisation promoting and enforcing data protection and privacy laws in the UK. The ICO provides information and guidance on how to comply with data protection requirements, investigates businesses to ensure they do, and will be responsible for fining those that do not.
In addition to the GDPR the ICO is responsible for upholding public information rights more generally, including freedom of information and privacy in electronic communications.

IoT / The Internet of Things

The network of ‘smart’ physical devices that use internet connectivity as part of their functionality. For example, where a thermostat communicates with a smartphone to give its user information about the temperature of the house, both form part of the Internet of Things.


PECR / The Privacy and Electronic Communications Regulations

A set of regulations controlling the way businesses communicate with individuals using electronic means, including by phone, email and online. They work alongside the DPA (and will work alongside the GDPR) and aim to protect individual privacy. They cover a broad range of activities, such as marketing calls and emails, the use of cookies and location data, and the provision of online networks and services.
For more information, see “Marketing and Cookies”.

Personal Data

Data relating to a living identified or identifiable individual.
It includes all kinds of information relating to individuals; for instance, in addition to their personal information it includes opinions others have expressed about them and expressions of intention in relation to them.
The GDPR gives a very broad definition of personal data, which includes data stored in both automated and manual filing systems and even online identifiers such as IP addresses. Pseudonymised data is also personal data.


Pseudonymised Data

Data in which each identifying field has been replaced with an artificial name, so that it is harder to identify real individuals from the data. For example, ‘Joe Smith’ might be replaced by ‘Customer 123’.
Unlike anonymised data, pseudonymised data can be traced back so that the original fields can be identified. Pseudonymised data, however, is still personal data.
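As an added illustration (not part of the original glossary), the Python below pseudonymises constructed customer records by swapping the identifying fields for “Customer NNN” tokens while keeping a lookup table, then shows that the table reverses the process, which is why the result is still personal data; an aggregated, non-reversible output is shown for contrast. The field names, records and token format are assumptions.

```python
# Constructed sample records; the people and values are invented for this example.
RECORDS = [
    {"name": "Joe Smith", "email": "joe@example.com", "postcode": "SW1A 1AA", "spend": 120},
    {"name": "Ann Lee", "email": "ann@example.com", "postcode": "M1 1AE", "spend": 80},
    {"name": "Joe Smith", "email": "joe@example.com", "postcode": "SW1A 1AA", "spend": 40},
]
IDENTIFYING_FIELDS = ("name", "email")  # assumed choice of directly identifying fields


def pseudonymise(records, identifying_fields=IDENTIFYING_FIELDS):
    """Replace identifying fields with 'Customer NNN' tokens.

    Returns (pseudonymised_records, lookup). The lookup table is the
    re-identification key: it must be stored separately from the
    pseudonymised data and access to it restricted.
    """
    lookup = {}       # token -> original identifying values
    by_identity = {}  # identity tuple -> token, so one person keeps one token
    out = []
    for rec in records:
        identity = tuple(rec[f] for f in identifying_fields)
        token = by_identity.get(identity)
        if token is None:
            token = f"Customer {len(by_identity) + 1:03d}"
            by_identity[identity] = token
            lookup[token] = dict(zip(identifying_fields, identity))
        pseudo = {k: v for k, v in rec.items() if k not in identifying_fields}
        pseudo["customer_id"] = token
        out.append(pseudo)
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Reverse the pseudonymisation using the lookup table.

    Because this is possible, pseudonymised data remains personal data.
    """
    return [
        {**lookup[r["customer_id"]], **{k: v for k, v in r.items() if k != "customer_id"}}
        for r in pseudo_records
    ]


def anonymise(records, identifying_fields=IDENTIFYING_FIELDS):
    """Aggregate so that no output row refers to one individual.

    There is no table that maps this summary back to the original rows.
    """
    distinct = {tuple(r[f] for f in identifying_fields) for r in records}
    return {"customers": len(distinct), "total_spend": sum(r["spend"] for r in records)}
```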

Portability of data

“Portability” essentially means “movement”. In this context, it refers to how “portable” data is. “Portability of data” is a new right in the GDPR which entitles individuals to easily move, copy and transfer their personal data from one provider to another.
For more information, see “Data Portability”.


Sensitive Personal Data / Special Categories of Personal Data

Personal data that contains information of a sensitive nature about an individual. The following types of data are “sensitive” or “special categories” under the GDPR:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • data relating to health or sex life and sexual orientation
  • genetic data (new under the GDPR)
  • biometric data where used to identify a person (new under the GDPR).