Jargon buster
| Term | Definition |
| --- | --- |
| BCRs / Binding corporate rules | Rules which govern transfers of personal data between organisations in a corporate group. For more information, see “International data transfers”. |
| Cookies | Small text files which help store information about an individual’s browsing habits. They are downloaded onto an individual’s computer when the individual visits a website and help the cookie owner store data about the individual’s activity on that site, such as how often they visit, how long they spend on each page and other preferences. The use of cookies is currently regulated by the Privacy and Electronic Communications Regulations (PECR) but is expected to be more heavily restricted under the draft ePrivacy Regulation when it comes into effect. For more information, see “Marketing and Cookies”. |
| Data controller | A person or business which makes decisions about how or why personal data is processed. |
| Data processor | Any person or organisation which processes personal data on behalf of a data controller. |
| Data protection by design (also known as “Privacy by design”) | A general obligation under the GDPR to implement technical and organisational measures to demonstrate that you have considered data protection issues and integrated data protection into your activities. For more information, see “Data protection by design”. |
| Data subject | An individual whose data is being processed. This includes employees and people acting in a business context, so information about the individuals working for your business, or for one of your suppliers, is still personal data. |
| DPA / The Data Protection Act 1998 | The main piece of legislation governing data protection before the GDPR. |
| DPIA / Data Protection Impact Assessment | An assessment of the risks your data processing might pose to individuals’ rights and freedoms. |
| DPO / Data Protection Officer | A person appointed by a business to ensure it complies with the GDPR and any other applicable data protection laws. |
| GDPR / The European General Data Protection Regulation | EU legislation which regulates how businesses process personal data. It came into force on 25 May 2018. |
| ePrivacy | Just as the GDPR governs the use of personal data and will effectively replace the DPA, the ePrivacy Regulation is a set of new rules to govern online privacy which will replace the current law in the area (the PECR, explained below). |
| ICO / The Information Commissioner’s Office | The main organisation promoting and enforcing data protection and privacy laws in the UK. The ICO provides information and guidance on how to comply with data protection requirements, investigates businesses to ensure they do, and will be responsible for fining those that do not. |
| IoT / The Internet of Things | The network of ‘smart’ physical devices that use internet connectivity as part of their functionality. For example, where a thermostat communicates with a smartphone to give its user information about the temperature of the house, both form part of the Internet of Things. |
| PECR / The Privacy and Electronic Communications Regulations | A set of regulations controlling the way businesses communicate with individuals using electronic means, including by phone, email and online. They work alongside the DPA (and will work alongside the GDPR) and aim to protect individual privacy. They cover a broad range of activities, such as marketing calls and emails, the use of cookies and location data, and the provision of online networks and services. |
| Personal data | Data relating to a living identified or identifiable individual. |
| Pseudonymised data | Data in which each identifying field has been replaced with an artificial name, so that it is harder to identify real individuals from the data. For example, ‘Joe Smith’ might be replaced by ‘Customer 123’. |
| Portability of data | “Portability” essentially means “movement”; in this context, it refers to how “portable” data is. “Portability of data” is a new right under the GDPR which entitles individuals to easily move, copy and transfer their personal data from one provider to another. |