GDPR Glossary – a guide to the terminology

Have you found yourself struggling to get to grips with GDPR because the language used is just so clinical?

Don’t worry, you’re not alone! Here’s a glossary that outlines the key terms used in the legislation and what they mean.

Biometric Data – Data that relates to physical and behavioural characteristics of an individual – retina scans or fingerprints and the like.
Breach Notification – A data breach must be reported within 72 hours to the relevant supervisory authority if it could risk the ‘rights and freedoms’ of the data subject.
Consent – An individual’s freely given permission for the processing and control of their personal data.
Controllers – The people responsible for stating how and why specific personal data is processed. Sounds a little Harry Potter to us!
Data Breach – The destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, like laptops left on trains or hacked Cloud accounts.
Data Erasure – Also known as data wiping or data clearing. It is a software-based method of overwriting data, rendering it unusable and unrecoverable. Give your data A Little Respect. Geddit?!
Data Portability – The idea that data should be stored in a format that is easily transferable between data controllers, not on incompatible closed platforms or formats. For example, when you transfer phone providers or change bank accounts. This information must be easily digestible by the receiving party.
Data Subject – The person the data relates to. You, me, everyone else.
Double Opt-In – A two-step process for ensuring that a data subject has confirmed that they wish to receive your communications. The first step is typically done by them filling out a sign-up form and the second step is them confirming their opt-in by following a confirmation link.
Data Protection Officer (DPO) – An individual within an organisation, or appointed externally, who is responsible for ensuring data protection processes are GDPR-compliant.
GDPR – General Data Protection Regulation.
Genetic Data – Data that relates to any inherited or acquired genetic characteristics. For example, this includes fingerprint records and other biometric data.
ICO – Information Commissioner’s Office.
Legitimate Interest – One of the lawful grounds for data processing. In short, it refers to the ‘why’ of data processing: is processing this data, for whatever reason, relevant, and is it something the data subject may expect to happen to their information?
Personal Data – Any information relating to the individual or ‘data subject’ that can be used to identify them. See also: Genetic Data, Biometric Data, Special Data, Sensitive Personal Data and Standard Data.
Privacy By Design – A principle that ensures data protection is compliant with GDPR from the onset of system design, rather than as an addition.
Processors – A person whose role is to process data, such as service providers. The processor usually does this under the data controller’s instructions.
Protection Impact Assessments (PIA) – A process which helps an organisation to identify and reduce the privacy risks of a project. The assessment is mandatory if a breach is likely to risk the rights and freedoms of the people affected.
Right To Be Forgotten – Also known as ‘The Right To Erasure’. The data subject has the right to request Data Erasure. The Data Controller is obliged to honour this request.
Sensitive Personal Data – Information relating to the subject’s racial or ethnic origin, political views, religion, trade union activities, health, sexuality and criminal record.
Soft Opt In – A previously acceptable form of gathering consent, this method is not considered explicit under GDPR. It refers to the ‘assumed’ consent of an individual, through methods such as pre-filled tick boxes or the thinking that, if an individual didn’t say ‘no’, it could be assumed that they have said ‘yes’.
Special Data – An umbrella term encapsulating biometric, genetic, and sensitive personal data. Simply, anything beyond the boundaries of Standard Data.
Standard Data – Simple contact details: Names, addresses, email addresses, contact numbers and digital identifiers.


As the biggest overhaul to data protection practices in the last 20 years, GDPR is being touted as the beast that can’t be tamed.

The changes to how data is obtained, stored, managed and used means that marketers need to step up to the plate. But it’s not all doom and gloom, far from it. It’s our firm belief that GDPR presents more opportunities than threats; it’s all about a new mindset and sharpening your working practices.

At Workshop, we’ve been working to ensure that our clients know what GDPR means for marketing and what needs to be in place to be compliant. You can read and download our white paper here or get in touch to arrange a chat about GDPR or marketing in general.

By Toby Walker