Common GDPR Terminology

Much of the GDPR's terminology can seem unnecessarily confusing or obtuse. Tacita's 'Common GDPR Terminology list below should help you and your organisation to better understand the lexicon of GDPR:


GDPR – The General Data Protection Regulation. The EU regulation that protects the Personal Data of EU and EEA citizens and any other Data Subjects operating within EU/EEA territories.​

UK GDPR - The UK regulation that protects the Personal Data of UK citizens.​

A Data Subject – An individual, who is alive who can be identified by personal data. Sometimes, the term ‘Natural Person’ is used, these terms are interchangeable.​

Personal Data – Any information relating to a Data Subject. Data can be either directly or indirectly identifiable. ​

Special Category Data – This is a more sensitive category of Personal Data defined by the GDPR. There are additional legal obligations relating to this type of Personal Data. Religious views, political views, trade union membership, and sexual orientation are examples. 

A Child - For the purposes of the GDPR, a child is anyone below the age of 18; however, EU Member States may choose to deviate and decide to lower this age threshold to 15, 14, or 13 years, e.g. in the UK the threshold is 13 years.​

Data Processing – Any operation (automated or otherwise) performed on Personal Data. Collection, recording, organisation, structuring, storing, analysing, using etc. are all considered as Data Processing.​

Profiling – Any form of automated processing of Personal Data which is used to evaluate or predict aspects of a Data Subject. If profiling is used, then additional safeguards are required.​

Consent – Explicit, unambiguous permission from a Data Subject for an organisation to process their Personal Data.  ​

Data Controller – The person or entity who is legally responsible for deciding the purposes and means of data processing. The controller decides what data is collected, why it is collected and how it is processed. The Controller is directly liable for maintaining GDPR compliance.​

Data Processor -  The person or entity who carries out the personal data processing. This may be the same as the Data Controller. The Data Processor has similar legal liabilities as the data controller.​

Third Country​

  • EU Definition - any country other than the EU member states and the three additional EEA countries (Norway, Iceland, and Liechtenstein)​
  • UK Definition - a country or territory outside the UK​

Supervisory Authority – The regulator responsible for overseeing/enforcing the GDPR. Different EU member states have their own Supervisory Authorities, e.g. the UK supervisory authority is called the Information Commissioner’s Office (ICO).​

Information Security – Processes, procedures and information systems designed to prevent unauthorised loss, deletion, and access to personal data.​

Personal Data Breach – A breach of information security which leads to the accidental or unlawful loss, deletion, and access to personal data. There are legal procedures which an organisation must follow in the event of a Data Breach.​

Data Protection Impact Assessment (DPIA) – An assessment performed by an organisation which determines the legality and potential impact to the rights and freedoms of a data subject within a particular data processing activity or project. ​

Data Subject Request (DSR) – The Data Subject executing one of their 8 rights (right of access, withdraw consent, rectification, erasure, restrict, data portability, object, and rights in relation to automated decision making and profiling). The most common form of DSR is right of access known as Data Subject Access Request (DSAR) or Data Subject Request (DSR). ​

Data Protection Officer (DPO) – A role in an organisation given to a person with expert knowledge in the GDPR. They are employed to assist the Controllers and Processors with compliance with the GDPR. They should be able to act independently of the Controller and Processors and are not liable for compliance with GDPR (the Controllers and Processors are).​

Technical and Organisational Measures (TOMs) – Measures employed that ensure processing of personal data is done in a secure manner. E.g. Access control and encryption.​

Records of Processing (ROP) – Also known as Records of Processing Activities (ROPA). A document, regularly maintained by Data controllers and Data Processors, for tracking and monitoring key data processing information. E.g. categories of personal data, retention period, lawful basis for processing etc.  ​

Privacy Notice – A public document, written by an organisation which summarises data processing information and informs a data subject of their legal rights.​

EU - Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden​

EEA – The European Economic Area. Includes the EU and Iceland, Liechtenstein and Norway​

There are three GDPR terms which all commonly use the acronym DPA. This can be very confusing. ​

  • Data Processing Agreement (DPA) – It is a legally binding document between the controller and the processor. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.​
  • Data Protection Authority (DPA) – This is another term for the Supervisory Authority​
  • Data Protection Act (DPA) – The UK’s data protection legislation. There have been different versions of this legislation. The Data Protection Act (2018) is the latest with the UK government implementing the GDPR.

Send us a message

Telephone: +44 20 4526 5699
Email: contact@tacita.io

To see how we use your data, see our Privacy Notice.