Demystifying GDPR – A Glossary

Let’s get to grips with demystifying the General Data Protection Regulation with our terms glossary

Biometric Data

This is data that enables the identification of a data subject. It can include behavioral and physical characteristics of that person.



The data controller is the owner of the personal data. They decide what is done with that data, it’s purpose and who processes it.


This is when we give the data subject the opportunity to allow or deny us the permission to use their personal data. It needs to be clear what the data is going to be used for and should be as easy to revoke that consent as it is to give it.

Data Protection Officer

The DPO is an independent expert who ensure that a business is following the rules set out in the GDPR.

a good privacy notice should tell you who is collecting information, what is gong to be used for and whether it will be shared


Encryption is a method of ensuring the confidentiality and integrity of an instance of data. It works by translating that information into seemingly random code, preventing it from being read by anyone without the decryption key.


Filing System

This is a set of personal data that has been well structured enough to enable it to be searched through to identify an individual.

See how simple it is with


Genetic data concern the information held on a subject that can be identified through their genes. This can include inherited health issues and practicalities.

Health Data

Personal data that includes a subject’s mental and physical health, as well as any health services they access.

dont bury your head in the sand over gdpr


This is when the data subject can request a copy of the data that is being held on them and can pass that data to another party.



The data processor is the entity that processes personal data for the controller. This can be an analytics provider or marketing email company.


Privacy by Design

This is a term used to describe the approach that is taken right at the start of a project or plan, that ensures the privacy of its users is secure. This reduces the need to make further changes down the line to satisfy this need.


Right to be Forgotten

This is also sometimes referred to in the GDPR as data erasure. A data subject can request that personally_identifiable_information”>personal information stored on them be deleted. This can include items that are posted online by the subject themselves, as well as use of that data by third parties.


The Subject

Also known as the Data Subject refers to the individual that you are holding personal data on.


We will keep adding to this glossary as we get nearer to the deadline. So if you come across any GDPR terms that leave you baffled, add a comment in the box below!