GDPR Glossary

GDPR compliance is full of jargon. Get to grips with the key terms here


Anonymised Personal Data

Personal Data can only be considered to be truly “anonymised” from a data protection law perspective, if Data Subjects are no longer identifiable, having regard to any methods reasonably likely to be used to identify them, directly or indirectly. If it is possible to identify Data Subjects/patients (including by reference to other information - such as a de- encryption key) then the data is not considered “anonymised”, but rather “pseudonymised”. As per DPC and Article 29 Working Party (now EDPB) Guidance in this area, anonymisation irreversibly prevents the identification of the individual Data Subject to whom it relates and even the capability to ‘re-identify’ the Data Subject is sufficient to render this personal data.

Appropriate Technical and Organisational Measures

The appropriate technical and organisational measures referred to in Data Protection Legislation (including, as appropriate, the measures referred to in Article 32(1) of the GDPR).


Means consent given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her such as by a written statement including by electronic means or an oral statement.


A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. (Article 4(7) GDPR).


DPC means the supervisory authority in Ireland for the purposes of Article 51 of the GDPR whose principal administrative offices are at 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland, or any replacement supervisory authority under Data Protection Legislation, appointed from time to time in Ireland.


A data protection impact assessment required under Article 35 of the GDPR.

Data Processing Agreement

The Data Processing Agreement means an agreement for the processing of personal data between a controller and a processor for the purposes of Article 28 of the GDPR.

Data Protection Legislation

This is the Data Protection Acts of 1988 to 2018, the GDPR and, any other applicable law or regulation relating to the Processing of Personal Data and to privacy including Directive 2002/58/EC and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, as such legislation shall be supplemented, amended, revised or replaced from time to time.

Data Protection Officer

An individual whose main task is to monitor the compliance of an enterprise with the GDPR and to advise on data protection measures. A DP Officer shall be designated if the organization is a public authority, carries large-scale monitoring of data subjects or processes data related to criminal convictions.

Data Sharing Agreement

Data Sharing Agreement means an agreement for the sharing of Personal Data between two or more parties.

Data Subject

A data subject is defined in the GDPR (see definition of Personal Data below).

Data compliance

GDPR Compliance is when an organization meets the requirements for properly handling personal data under EU law.

Data mapping

Data mapping is the process of identifying, categorizing, and documenting the flow of personal data within an organization.

Data processing inventory

A detailed record of all personal data processed by an organization.

Data transfer

Moving personal data from the 28 EU countries and the three EEA countries (Norway, Liechtenstein, and Iceland) to a third country. The GDPR allows this process only if the country in matter complies with the conditions of the Regulation. A commission will evaluate the level of data protection in that specific country and approve or disapprove to the data transfer. Until now the Commission has stated that the following countries provide sufficient data protection: Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.


Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing the Directive 95/46/EC, and any amendments made thereto.

Incident management

Incident management is a proven, consistent and repeatable plan for when a data breach happens.

Joint Controller

A joint controller is where two or more controllers jointly determine the purposes and means of processing, they are joint controllers (Article 26, GDPR).

PIA (Privacy impact assessments)

Privacy impact assessments are a tool used by organizations to identify and assess the potential risks and impacts of processing personal data.


Punishments imposed for not complying with the GDPR. The fines for data breaches can be as high as €20 million or 4% of global gross revenue (whichever is higher). As a result of these very high penalties, many companies which do not comply with the Regulations or are subject to data breaches may face insolvency.

Personal Data

This is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (Article 4(1) GDPR).

Personal Data Breach

This is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (Article 4(8) GDPR).

Privacy Policy

A privacy policy shows customers how specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises.


This is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. (Article 4(2) GDPR).


a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Article 4(8) GDPR).

Pseudonymised Personal Data

Where personal data is pseudonymised, it remains personal data and all of the requirements of Data Protection Legislation (e.g. as to transparency for Data Subjects, lawful basis for processing, data minimisation etc) apply. Pseudonmyisation is one of the recommended supplementary measures (where these are required) for international data transfers under EDPB Guidance in this area and subject to certain specified conditions.


It is a legal act adopted by the European Union that can be immediately applied in the Member States and does not need further adopting the national law. This means that the GDPR will come into effect in all the Member States of the European Union starting from 25 May 2018.

Right to be forgotten

Also referred to as 'right to erasure', it secures the individual's right to have the DC erase without delay their personal data, inform other controllers that the individual has requested the erasure of data and cease further dissemination of the data. For example, search engines are expected upon a request from the individual to delete the links to certain web pages that are linked to the individual's name.

Special Category Data

Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are: 1. Personal data revealing racial or ethnic origin. 2. Political opinions. 3. Religious or philosophical beliefs. 4. Trade union membership. 5. Genetic data and biometric data processed for the purpose of uniquely identifying a natural person. 6. Data concerning health. 7. Data concerning a natural person’s sex life or sexual orientation. Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR.


A Sub-Processor is a third party data processor who has or will have access to or process personal data from a Data Controller.