GDPR & Privacy Glossary

Accountability

The GDPR principle requiring organisations not only to comply with data protection law, but to be able to demonstrate that compliance through records, policies, decisions, and governance measures.

Related article and update: The Accountability Principle Under UK GDPR Explained • February 2026: DUAA data protection changes commence and ICO guidance updates

Anonymisation

The process of altering data so that individuals can no longer be identified, directly or indirectly. Truly anonymised data falls outside the scope of GDPR.

Automated Decision Making

Decision making carried out by automated means without meaningful human involvement. In some cases, GDPR gives individuals specific rights where those decisions have legal or similarly significant effects.

Biometric Data

Personal data resulting from specific technical processing relating to physical, physiological, or behavioural characteristics, such as fingerprints or facial recognition data, used to identify an individual.

Binding Corporate Rules

Internal rules used by multinational groups to permit certain international transfers of personal data within the same corporate group, subject to regulatory approval.

Related articles: International Data Transfers Under UK GDPR Explained • Standard Contractual Clauses (SCCs) Explained Under UK GDPR • UK GDPR Transfer Mechanisms Explained

Breach

A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Confidentiality

The obligation to keep personal data secure and not disclose it to unauthorised people or parties.

Consent

A lawful basis under GDPR that must be freely given, specific, informed, and unambiguous. In some situations, such as certain marketing activities or special category processing, consent must meet a higher standard.

Related articles and update: Direct Marketing and GDPR • What is PECR? A practical guide to the Privacy and Electronic Communications Regulations • March 2026: PECR And Direct Marketing Compliance Under Increased Scrutiny

Controller

The organisation or person who decides why and how personal data is processed. Under GDPR, this is usually referred to as the data controller.

Cookie Consent

Permission requested from users before placing certain cookies or similar tracking technologies on their devices. In the UK, this sits closely alongside PECR and GDPR standards for valid consent.

Related article: What is PECR? A practical guide to the Privacy and Electronic Communications Regulations

Children’s Data

Personal data relating to children, which usually requires greater care because children may be less aware of risks, consequences, and their rights.

Data Breach

A personal data breach is a security incident involving personal data, such as loss, unauthorised access, accidental deletion, or disclosure to the wrong recipient.

Data Controller

The party that determines the purposes and means of processing personal data. In practice, this is the organisation deciding what the data is used for and how that use is structured.

Data Mapping

The process of identifying what personal data an organisation holds, where it comes from, where it goes, who can access it, and how long it is kept.

Data Minimisation

A GDPR principle requiring organisations to collect and use only the personal data that is actually needed for the specific purpose.

Data Processor

A person or organisation that processes personal data on behalf of a controller. Processors must follow the controller’s instructions and have their own specific GDPR obligations.

Data Protection Officer

A designated role required in some organisations to advise on data protection obligations, monitor compliance, and act as a contact point for the ICO and data subjects.

Data Subject

The identified or identifiable individual whose personal data is being processed.

Related article: Subject Access Requests (SARs): How They Work Under UK GDPR

DPIA

Short for Data Protection Impact Assessment. A structured assessment used to identify and reduce privacy risks where processing is likely to result in a high risk to individuals’ rights and freedoms.

Direct Marketing

Communication sent to individuals to promote goods, services, aims, or ideas. This includes many email, text, telephone, and postal marketing activities.

Related articles and update: Direct Marketing and GDPR • What is PECR? A practical guide to the Privacy and Electronic Communications Regulations • March 2026: PECR And Direct Marketing Compliance Under Increased Scrutiny

Encryption

A security measure that converts data into a coded form so it cannot be easily read without the correct key or access method.

Erasure

Sometimes referred to as the right to be forgotten. This gives individuals the right, in certain circumstances, to ask for their personal data to be deleted.

Explicit Consent

A stronger form of consent requiring a clear and express statement of agreement. It is often needed for certain uses of special category data.

Fairness

One of the core data protection principles. Personal data must be processed in a way that people would reasonably expect and that does not have unjustified adverse effects on them.

Filing System

A structured set of personal data, whether electronic or manual, that is organised so specific information about individuals can be accessed.

GDPR

Short for the General Data Protection Regulation. In the UK context, this usually means the UK GDPR, which works alongside the Data Protection Act 2018.

Governance

The policies, roles, controls, reporting lines, and decision making structures used to manage data protection effectively across an organisation.

Related article: The Accountability Principle Under UK GDPR Explained

High Risk Processing

Processing likely to create a high risk to individuals’ rights and freedoms, often triggering the need for a DPIA before the activity begins.

ICO

The Information Commissioner’s Office, the UK regulator responsible for data protection, freedom of information, and certain electronic marketing rules.

Related updates: January 2026: ICO International Transfers Guidance Refresh • February 2026: DUAA data protection changes commence and ICO guidance updates

Information Commissioner

The head of the ICO, responsible for leading the UK’s independent authority for upholding information rights.

Information Rights

A broad term covering the legal rights and protections connected to personal data, access to information, and privacy.

Integrity and Confidentiality

The GDPR principle requiring personal data to be processed securely, protected against unauthorised access, accidental loss, damage, or disclosure.

International Data Transfer

A transfer of personal data to a country outside the UK, which may require a recognised transfer mechanism and transfer risk assessment.

Related articles and update: International Data Transfers Under UK GDPR Explained • Standard Contractual Clauses (SCCs) Explained Under UK GDPR • UK GDPR Transfer Mechanisms Explained • January 2026: ICO International Transfers Guidance Refresh

Joint Controllers

Two or more organisations that jointly decide why and how personal data is processed. Their responsibilities should be clearly allocated between them.

Lawful Basis

The legal reason an organisation relies on to process personal data under GDPR, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests.

Legitimate Interests

A lawful basis that may apply where processing is necessary for a legitimate interest pursued by the organisation or a third party, provided that interest is not overridden by the individual’s rights and freedoms.

Lawfulness, Fairness and Transparency

The first GDPR principle. Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the individual.

Marketing List

A list of contacts used for promotional communications. Organisations should ensure the source, permissions, lawful basis, and suppression rules are properly understood before use.

Monitoring

Observing or tracking individuals’ behaviour, activity, location, or interactions. Depending on the context, monitoring may increase risk and require additional safeguards.

Mail Suppression List

A record of people who should not receive further marketing communications, usually because they have objected or unsubscribed.

Meaningful Human Involvement

Real human review and judgment in a decision making process, rather than a token or superficial sign off. This matters when assessing whether a decision is truly automated.

Necessity

A concept that appears throughout GDPR. Organisations should be able to explain why a processing activity is genuinely needed for the stated purpose or lawful basis.

Notification

In data protection practice, this often refers to notifying the ICO or affected individuals about a reportable personal data breach.

Objection

The right of an individual to object to certain types of processing, including direct marketing. Where an objection to direct marketing is made, processing for that purpose must stop.

Opt In

A clear positive action showing agreement to receive marketing or permit a processing activity. Silence or pre ticked boxes do not amount to a valid opt in.

Opt Out

A mechanism allowing someone to refuse or stop a specific type of processing, especially marketing communications.

PECR

Short for the Privacy and Electronic Communications Regulations. These rules sit alongside GDPR and cover areas such as email marketing, cookies, electronic communications, and caller identification.

Related articles and updates: Direct Marketing and GDPR • What is PECR? A practical guide to the Privacy and Electronic Communications Regulations • February 2026: DUAA data protection changes commence and ICO guidance updates • March 2026: PECR And Direct Marketing Compliance Under Increased Scrutiny

Personal Data

Any information relating to an identified or identifiable individual. This can include names, contact details, IDs, online identifiers, and information that can be linked back to a person.

Related article: Subject Access Requests (SARs): How They Work Under UK GDPR

Personal Data Breach

A breach involving personal data, including accidental disclosure, loss, destruction, alteration, or unauthorised access.

Privacy by Design

An approach that builds privacy and data protection considerations into systems, processes, products, and services from the start, rather than as an afterthought.

Related article: The Accountability Principle Under UK GDPR Explained

Privacy Notice

A statement explaining how an organisation collects, uses, shares, and stores personal data, and what rights individuals have.

Related article: Transparency Under UK GDPR: What Organisations Must Tell People

Processor

An organisation or person that processes personal data on behalf of a controller.

Profiling

Automated processing used to evaluate personal aspects relating to an individual, such as preferences, behaviour, location, interests, or performance.

Pseudonymisation

A technique that replaces identifying details with alternative references or codes. The data remains personal data if re identification is still possible.

Purpose Limitation

A GDPR principle requiring personal data to be collected for specified, explicit, and legitimate purposes and not used in a way that is incompatible with those purposes.

Recipient

A person, organisation, authority, or other body to which personal data is disclosed.

Records of Processing Activities

Often shortened to ROPA. These are internal records documenting what personal data is processed, why it is processed, who receives it, how long it is retained, and what safeguards apply.

Related article: The Accountability Principle Under UK GDPR Explained

Rectification

The right of an individual to have inaccurate personal data corrected, or incomplete data completed.

Restriction of Processing

The right, in certain situations, to require an organisation to limit how personal data is used rather than erase it entirely.

Retention Period

The length of time personal data is kept before it is deleted, anonymised, or securely destroyed.

Risk Assessment

A structured review of possible harms, impacts, vulnerabilities, and controls relevant to a processing activity, supplier, transfer, or system.

Related articles: The Accountability Principle Under UK GDPR Explained • International Data Transfers Under UK GDPR Explained

SAR

Short for Subject Access Request. This is a request made by an individual asking for a copy of the personal data an organisation holds about them, along with related information.

Related article and update: Subject Access Requests (SARs): How They Work Under UK GDPR • February 2026: DUAA data protection changes commence and ICO guidance updates

Security

The technical and organisational measures used to protect personal data against unauthorised access, misuse, accidental loss, destruction, or damage.

Sensitive Data

A non technical phrase often used to describe data that needs extra care. Under GDPR, the more precise legal concept is usually special category data.

Soft Opt In

A PECR rule that may allow certain email or text marketing to existing customers without full prior consent, provided specific conditions are met.

Related articles: Direct Marketing and GDPR • What is PECR? A practical guide to the Privacy and Electronic Communications Regulations

Special Category Data

Particularly sensitive personal data, including information about health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life, sexual orientation, genetic data, and biometric data used for identification.

Standard Contractual Clauses

Standard legal clauses used to support certain international data transfers where no adequacy decision applies.

Related articles and update: Standard Contractual Clauses (SCCs) Explained Under UK GDPR • International Data Transfers Under UK GDPR Explained • UK GDPR Transfer Mechanisms Explained • January 2026: ICO International Transfers Guidance Refresh

Storage Limitation

A GDPR principle requiring personal data not to be kept for longer than is necessary for the purposes for which it was collected.

Suppression List

A list of people who should no longer receive marketing or other contact, often because they have opted out or objected.

Supervisory Authority

The independent public authority responsible for monitoring the application of data protection law. In the UK, this is the ICO.

Systematic Monitoring

Regular, organised, or ongoing observation of individuals, often relevant when assessing whether a DPO may be required or whether processing is high risk.

Sub Processor

A secondary processor engaged by a primary processor to carry out specific processing activities on behalf of the controller.

Technical and Organisational Measures

Often shortened to TOMs. These are the safeguards, controls, policies, and security arrangements used to protect personal data and support compliance.

Related article: The Accountability Principle Under UK GDPR Explained

Third Party

A person or organisation other than the data subject, controller, processor, or authorised people acting under their direct authority.

Tracking Technologies

Tools such as cookies, pixels, scripts, SDKs, or similar technologies used to monitor user behaviour, activity, or preferences.

Related article: What is PECR? A practical guide to the Privacy and Electronic Communications Regulations

Transfer Risk Assessment

An assessment used when transferring personal data outside the UK to consider whether the destination and safeguards provide sufficient protection in practice.

Related articles: International Data Transfers Under UK GDPR Explained • Standard Contractual Clauses (SCCs) Explained Under UK GDPR • UK GDPR Transfer Mechanisms Explained

Transparency

The requirement to be open and clear with people about how their personal data is collected, used, shared, and stored.

Related articles and update: Transparency Under UK GDPR: What Organisations Must Tell People • Direct Marketing and GDPR • What is PECR? A practical guide to the Privacy and Electronic Communications Regulations • March 2026: PECR And Direct Marketing Compliance Under Increased Scrutiny

Transfer Mechanism

A legal method for supporting certain international transfers of personal data, such as adequacy regulations, standard contractual clauses, or binding corporate rules.

Related articles and update: International Data Transfers Under UK GDPR Explained • Standard Contractual Clauses (SCCs) Explained Under UK GDPR • UK GDPR Transfer Mechanisms Explained • January 2026: ICO International Transfers Guidance Refresh

Telephone Marketing

Promotional calls made to individuals or businesses, subject to specific rules under PECR and data protection law.

Related articles: Direct Marketing and GDPR • What is PECR? A practical guide to the Privacy and Electronic Communications Regulations

UK GDPR

The UK version of the GDPR, retained in domestic law and read alongside the Data Protection Act 2018.

Unlawful Processing

Processing personal data without a valid legal basis or in a way that breaches data protection law.

Valid Consent

Consent that meets GDPR standards: freely given, specific, informed, unambiguous, and capable of being withdrawn.

Vendor Due Diligence

The process of assessing a supplier’s suitability, security, privacy practices, contractual position, and compliance risk before or during engagement.

Vendor Risk

The privacy, security, legal, or operational risk created by third party suppliers that handle or have access to personal data.

Withdrawal of Consent

The right of an individual to withdraw previously given consent, which must be as easy to do as it was to give.

Whitelisting

A security practice that permits only approved systems, users, apps, or senders. In privacy operations, this can support controlled access and safer workflows.